Re: Disallowed Key Characters in global data
Posted: Thu Jul 31, 2014 11:41 pm
I checked my database and it is OK, nothing strange.
I checked the PHP files in FormaLMS and found where the input verification is.
/lib/lib.filterinput.php
And this function...
/**
 * This is a helper function. To prevent malicious users
 * from trying to exploit keys we make sure that keys are
 * only named with alpha-numeric text and a few other items.
 *
 * @param string string to clean
 * @return string
 */
protected function clean_input_keys($str) {
    if ( ! preg_match('#^[&a-zA-Z0-9\.:_/-\s]+$#uD', $str)) {
        exit('Disallowed key characters in global data.');
    }
    return $str;
}
I commented out the line that says Disallowed key characters (line 230) and now I can enter my site.
I know this is an important security function to prevent strange keys. I also found that other applications like gallery3 and bulletin boards have had the same problem since 2009. What is going on then?
Nobody knows why it is happening, only to comment out that line. Even if I pass the variable str like:
exit('Disallowed key characters in global data.',$str);
to see which character is causing the trouble, it only shows me a blank page. When reloading, even the login page of FormaLMS is blank. I have to delete the session cookie to see the login page.
Maybe some php.ini setting is the problem? I saw that some of these variables are used in the application, like:
ini_set('arg_separator.output', '&');
ini_set('magic_quotes_runtime', 0);
ini_set('magic_quotes_sybase', 0);
ini_set('session.cache_expire', (int)$cfg['session_lenght']);
ini_set('session.cache_limiter', 'none');
ini_set('session.cookie_lifetime', (int)$cfg['session_lenght']);
// ini_set('session.save_handler', 'files');
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
ini_set('url_rewriter.tags', '');
I'll upload a phpinfo file to test....
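Added example, not part of the original post and not FormaLMS code: one way to find out which input key the filter rejects while leaving the check enabled, by writing the offending key to the PHP error log in hex instead of printing it to the page. The function names, the sample keys and the rewritten pattern constant are assumptions made for illustration; the code also separates "no match" from a PCRE failure, because `preg_match` returns `false` (not `0`) when the `u` modifier meets invalid UTF-8, and `! preg_match(...)` treats both the same.

```php
<?php
// Added example, not FormaLMS code. KEY_PATTERN is the page's pattern with the
// hyphen moved to the end of the class so it is unambiguously a literal.
const KEY_PATTERN = '#^[&a-zA-Z0-9.:_/\s-]+$#uD';

/**
 * Classify one input key: 'ok', 'disallowed' (preg_match returned 0) or
 * 'pcre_error' (preg_match returned false, e.g. invalid UTF-8 under /u).
 * The original `! preg_match(...)` test cannot tell the last two apart.
 */
function classify_key($key) {
    $r = preg_match(KEY_PATTERN, (string) $key);
    if ($r === 1) {
        return 'ok';
    }
    return ($r === false) ? 'pcre_error' : 'disallowed';
}

/**
 * Walk the given request arrays and report every rejected key.
 * Keys are hex-encoded so control or non-UTF-8 bytes are visible and
 * nothing user-controlled is written raw into a log or a page.
 */
function find_rejected_keys(array $sources) {
    $report = array();
    foreach ($sources as $name => $data) {
        foreach (array_keys($data) as $key) {
            $status = classify_key($key);
            if ($status !== 'ok') {
                $report[] = sprintf('%s key hex=%s status=%s pcre_code=%d',
                    $name, bin2hex((string) $key), $status, preg_last_error());
            }
        }
    }
    return $report;
}

// Constructed sample input standing in for $_GET and $_COOKIE.
$sample = array(
    'GET'    => array('page' => 'login', 'op' => 'show'),
    'COOKIE' => array('sessid' => 'x', 'utm{src}' => 'y', "bad\xC3\x28" => 'z'),
);
foreach (find_rejected_keys($sample) as $line) {
    error_log($line);   // goes to the PHP error log, not to the browser
}
```

On a live site the same function would be called with `array('GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE)` just before the existing check, which stays in place.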