Security concerns with input in Codeigniter and SOAP webservice
#1

[eluser]nielsiano[/eluser]
We are using a Microsoft Dynamics NAV SOAP webservice to fetch some product information for a webshop; to fetch it we send along parameters such as Brand, Type and Modelnumber.

These parameters vary a lot in characters; the strings could look like these three:

Modelnumbers:
DSM 9510 XA+
3709 / VITALITY
002.228.31 HÖGVÅRDIG


The user has to choose Brand, Type and Modelnumber from dynamically generated selects. In jQuery we then grab the values, string-replace the characters which are not permitted in CodeIgniter URIs, and then urlencode it before sending it along. Like this:

Code:
var model = $("select#model").val();
model = model.replace(/\//g, '_');   // '/' is a URI segment separator, so swap it for '_'
model = encodeURIComponent(model);   // percent-encode the rest (spaces, '+', non-ASCII)

// fab, type and produktnummer are read from the other selects in the same way
var url = fab + '/' + type + '/' + model + '/' + produktnummer;
window.location.href = "categories/" + url;

(window location href used..)

Then in the categories controller in CodeIgniter we string-replace the forbidden characters back to the original. Then we do rawurldecode($model) on each parameter.

We now have the needed strings to send to the SOAP Webservice in order to get back the correct results. In our Categories controller we would do (simplified):

Code:
public function index($brand, $type, $model, $productnr = NULL)
{
    // undo the client-side replacements, then decode the percent-encoding
    $model      = str_replace('_', '/', $model);
    $model      = rawurldecode($model);
    // the fetch model wraps the NTLMSoapClient call to Dynamics NAV
    $categories = $this->fetch->get_categories($brand, $type, $model, $productnr);
}

In the fetch model we use a NTLMSoapClient to connect to the Dynamics NAV webservice, as explained in this blogpost:

http://blogs.msdn.com/b/freddyk/archive/...m-php.aspx

If we use htmlentities or similar on the strings, the webservice will not return anything. This is however a big concern, since users could just input whatever they wanted in the URI and it would be rawurldecoded and sent along. It must be noted that the aforementioned webservice is a Microsoft Dynamics NAV solution, which does some validation and throws Exceptions whenever something fails, although we have no way of knowing how and what is validated.

This is perhaps not the most clever solution, but we can't figure out any other way of doing this. Although it works, it worries us. So the question is:

Is there a better and more secure way of achieving this, working with these obscure strings?

A little extra information about the shop:

For the webshop, we have extended the CodeIgniter cart, and do not process any payments on site, but use a 3rd party payment gateway to handle that. We just store the temporary order with shipping address as serialized() data in the db, and after a successful callback from the payment gateway we flag the order as paid, and send the order information to the Dynamics NAV webservice where the "real" order will get processed. The webshop is on HTTPS. Users can have accounts to view their orders; the orders are also fetched from the webservice, and not from the db. We use Ion Auth for authentication in CodeIgniter (http://benedmunds.com/ion_auth/)

I will be happy to elaborate anything, if something is unclear. Thank you!
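Added example, not the poster's code: the two weak points in the approach above are that the '/' to '_' swap is not reversible (a model number that already contains an underscore collides with one containing a slash) and that nothing on the server checks the decoded value before it reaches the SOAP client. The block below shows a one-to-one segment encoding and, more importantly, an allow-list check against the same option list the selects were built from. Function and constant names are hypothetical, and KNOWN_MODELS is a constructed stand-in for data the fetch model would return.

```php
<?php
// Added example, not the poster's code. Reversible URI-segment encoding plus a
// server-side allow-list check, so whatever arrives in the URI is verified
// against the options the user could actually have chosen before any SOAP call.

declare(strict_types=1);

// Constructed stand-in for the option list the <select>s are generated from.
// In the real shop this would come from the same fetch model that builds them.
const KNOWN_MODELS = [
    'BrandA' => ['TypeA' => ['DSM 9510 XA+', 'DSM 9510_XA']],
    'BrandB' => ['TypeB' => ['3709 / VITALITY', '002.228.31 HÖGVÅRDIG']],
];

// Encode an arbitrary UTF-8 string into the base64url alphabet (A-Z a-z 0-9 - _),
// characters that CodeIgniter's default permitted_uri_chars already allows, so no
// lossy character swap is needed. The mapping is one-to-one, unlike '/' -> '_'.
function encode_segment(string $value): string
{
    return rtrim(strtr(base64_encode($value), '+/', '-_'), '=');
}

// Reverse of encode_segment(). Returns null for anything that is not well-formed,
// so a hand-edited URI cannot carry a value the encoder would never produce.
function decode_segment(string $segment): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]*$/', $segment)) {
        return null;
    }
    $padded  = $segment . str_repeat('=', (4 - strlen($segment) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    // preg_match('//u') fails on byte sequences that are not valid UTF-8
    if ($decoded === false || preg_match('//u', $decoded) !== 1) {
        return null;
    }
    return $decoded;
}

// The check that matters: the decoded value must be exactly one of the options
// offered for that brand/type. Anything else is rejected before the SOAP call,
// so NAV's unknown validation is no longer the only line of defence.
function is_known_model(string $brand, string $type, string $model): bool
{
    return in_array($model, KNOWN_MODELS[$brand][$type] ?? [], true);
}

// Demonstrates why the '/' -> '_' swap is not safely reversible: two different
// model numbers collapse onto the same URI segment.
function underscore_collision(string $a, string $b): bool
{
    return str_replace('/', '_', $a) === str_replace('/', '_', $b);
}

// Round trip on the three model numbers from the post.
foreach (['DSM 9510 XA+', '3709 / VITALITY', '002.228.31 HÖGVÅRDIG'] as $model) {
    $segment = encode_segment($model);
    printf("%s -> %s -> %s\n", $model, $segment,
        decode_segment($segment) === $model ? 'round-trips' : 'MISMATCH');
}

var_dump(is_known_model('BrandB', 'TypeB', '3709 / VITALITY'));
var_dump(is_known_model('BrandB', 'TypeB', "3709 / VITALITY'"));
var_dump(decode_segment('not*valid'));
var_dump(underscore_collision('DSM 9510/XA', 'DSM 9510_XA'));
```

If the client keeps using encodeURIComponent instead of switching to the base64url form, the allow-list check alone still gives the protection the post is asking about: the controller compares the decoded segment against known options and only passes exact matches on to get_categories(), so the SOAP service never sees arbitrary user input.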


Messages In This Thread
Security concerns with input in Codeigniter and SOAP webservice - by El Forum - 04-26-2013, 06:23 AM


