Closed (fixed)
Project:
Amazon Store
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
17 Jul 2009 at 08:36 UTC
Updated:
31 Jul 2009 at 23:00 UTC
Log message:
Invalid argument supplied for foreach() in .../sites/all/modules/amazon_store/amazon_store.module on line 1073.
Location:
http://example.com.com/amazon_store/item/sites/all/modules/amazon_store/...
Referrer: http://www.aspiringarchitects.com/amazon_store/item/B002BDVUGM
Comments
Comment #1
iva2k commentedThis seems to go away once I applied patch #3 from #492460: Bad image path for shopping_cart.png, however I believe code in question still needs to be refined to avoid potential security risks.
Comment #2
rfayIf you have a security concern, please be specific.
If you know how to demonstrate this error so it can be debugged, please say how.
Comment #3
iva2k commentedI said "potential security risks"... note I did not raise it to critical, and if I found security issues, I would post to drupal security.
The point was that outside HTTP request with .../amazon_store/item/... URL triggers log message from PHP error. To demonstrate it, just give it the URL from the bug report: http: //example.com/amazon_store/item/sites/all/modules/amazon_store/images/1stars.gif. The errors were actually happening in drones just by browsing the store before I rolled the patch in #492460, since these requests were generated by the pages.
I felt it might be a potential door. I was taught to never trust outside data, and throwing errors on outside data smells like a security threat.
Upon closer inspection I confirmed that input to _amazon_store_iterate_offers() can be spoofed by an outside attacker using URL /amazon_store/items/... and DNS injection (there is an http request to amazon going out as a result, which can be intercepted and replaced). However, in 10 minutes I had I can't come up with an attack on the code in _amazon_store_iterate_offers() - it does not seem to have glaring security issues, but it does not prove there isn't.
As a precaution and to remove log pollution, I would change:
to
Comment #4
rfayThanks, I did take your advice on this.
Per #510980: Show friendly error message if user lands on amazon_store/item/XXX and it is no longer available from Amazon.com I'm going to try to improve behavior in general in this type of circumstance.