Open-AudIT
https://www.open-audit.org/phpBB3/

[help] [solved] XML hell
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6006
Page 1 of 1

Author:  Mark [ Sat Jan 26, 2013 1:35 pm ]
Post subject:  [help] [solved] XML hell

So we have a section of software in the XML that appears as below.
The problem is that this makes the PHP error, complaining about the software_uninstall line.
I have narrowed it down to the + symbol (if I remove that, it parses), but if anyone can tell me why it would be appreciated.
The string is enclosed in <![CDATA[ and ]]> tags, so everything inside should be ignored.
I have other strings that contain the = symbol and they work fine.
Even in other software_uninstall strings.
I'm thinking it's some combination of the position of the " and the =. I don't have that combination anywhere else...
Any help much appreciated.

FWIW - I may simply remove this from the audit script (the software_uninstall) because even though it is retrieved and stored, it's not actually displayed anywhere in the web front end that I can see.

Code:
      <package>
         <software_name>Service Pack 1 for SQL Server 2008 (KB968369)</software_name>
         <software_version>10.1.2531.0</software_version>
         <software_location></software_location>
         <software_uninstall><![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Action&eq;RemovePatch /AllInstances]]></software_uninstall>
         <software_install_date>20101215</software_install_date>
         <software_publisher>Microsoft Corporation</software_publisher>
         <software_install_source></software_install_source>
         <software_system_component></software_system_component>
         <software_url></software_url>
         <software_email></software_email>
         <software_comment></software_comment>
         <software_code_base></software_code_base>
         <software_status></software_status>
         <software_installed_by></software_installed_by>
         <software_installed_on></software_installed_on>
      </package>

Author:  jpa [ Sat Jan 26, 2013 4:10 pm ]
Post subject:  Re: XML Help

Is the CDATA stuff new for escaping? Perhaps you need to change the parsing a bit?

Code:
$xml = new SimpleXMLElement($xml_input, LIBXML_NOCDATA);

Author:  jpa [ Sun Jan 27, 2013 3:55 pm ]
Post subject:  Re: XML Help

Although I'm not getting any errors either way with PHP 5.3.2 or 5.4.11.

My test case using the OA code:
Code:
<?php

$input = '      <package>
         <software_location></software_location>
         <software_uninstall><![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Action=RemovePatch /AllInstances]]></software_uninstall>
         <software_install_date>20101215</software_install_date>
      </package>';
    
# and a final convert
$xml_input = iconv("UTF-8", "UTF-8//TRANSLIT", $input);      

try {
   $xml = new SimpleXMLElement($xml_input, LIBXML_NOCDATA);
   # $xml = new SimpleXMLElement($xml_input);
   print_r($xml);
} catch (Exception $e) {
   echo "Invalid XML input";
   exit;
}


Without LIBXML_NOCDATA:
Code:
C:\Temp>php test.php
SimpleXMLElement Object
(
    [software_location] => SimpleXMLElement Object
        (
        )

    [software_uninstall] => SimpleXMLElement Object
        (
        )

    [software_install_date] => 20101215
)


With LIBXML_NOCDATA:
Code:
C:\Temp>php test.php
SimpleXMLElement Object
(
    [software_location] => SimpleXMLElement Object
        (
        )

    [software_uninstall] => "c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack
\setup.exe" /Action=RemovePatch /AllInstances
    [software_install_date] => 20101215
)

Author:  jpa [ Wed Jan 30, 2013 3:25 am ]
Post subject:  Re: XML Help

Nothing wrong with the XML stuff. CI XSS filter is clobbering the input. Some brute force debugging output below.

with $config['global_xss_filtering'] = FALSE
Code:
<a href='http://openaudit2/index.php/system'>Back to input page</a><br />
<a href='http://openaudit2/index.php'>Front Page</a><br />
      <package>
         <software_name>Service Pack 1 for SQL Server 2008 (KB968369)</software_name>
         <software_version>10.1.2531.0</software_version>
         <software_location></software_location>
         <software_uninstall><![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Action=RemovePatch /AllInstances]]></software_uninstall>
         <software_install_date>20101215</software_install_date>
         <software_publisher>Microsoft Corporation</software_publisher>
         <software_install_source></software_install_source>
         <software_system_component></software_system_component>
         <software_url></software_url>
         <software_email></software_email>
         <software_comment></software_comment>
         <software_code_base></software_code_base>
         <software_status></software_status>
         <software_installed_by></software_installed_by>
         <software_installed_on></software_installed_on>
      </package><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">

<h4>A PHP Error was encountered</h4>


with $config['global_xss_filtering'] = TRUE
Code:
<a href='http://openaudit2/index.php/system'>Back to input page</a><br />
<a href='http://openaudit2/index.php'>Front Page</a><br />
  <package>
   <software_name>Service Pack 1 for SQL Server 2008 (KB968369)</software_name>
   <software_version>10.1.2531.0</software_version>
   <software_location></software_location>
   <software uninstall>&lt;![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Acti /AllInstances]]></software_uninstall>
   <software_install_date>20101215</software_install_date>
   <software_publisher>Microsoft Corporation</software_publisher>
   <software_install_source></software_install_source>
   <software_system_component></software_system_component>
   <software_url></software_url>
   <software_email></software_email>
   <software_comment></software_comment>
   <software_code_base></software_code_base>
   <software_status></software_status>
   <software_installed_by></software_installed_by>
   <software_installed_on></software_installed_on>
  </package><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">

<h4>A PHP Error was encountered</h4>

Author:  Mark [ Wed Jan 30, 2013 9:41 pm ]
Post subject:  Re: XML Help

Even if I disable the XSS config item, I still get errors.
When you look at the XML as accepted by the form, the PHP (somewhere) is royally screwing it up. <software_uninstall> becomes <software uninstall> for just one example. We weren't using this attribute anyway, so for now at least I have removed the data from the VBscript (the tags are still there, they're just empty).

We can continue to hack on this, but for now I've released beta 8.5 that "fixes" this.

Author:  jpa [ Thu Jan 31, 2013 2:46 am ]
Post subject:  Re: XML Help

I have no trouble importing the computer10.xml example file when I set global_xss_filtering = FALSE in the config.php file. It does not work when I use your b8.5 code which sets the variable in the system.php controller index().
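
An added example, not Open-AudIT or CodeIgniter code: one way to handle the submission once the HTML-oriented filter is kept away from the XML, by parsing the raw body strictly and encoding values only when they are written into a page. The names `parse_package`, `h` and `$raw` are hypothetical; the sample XML is constructed from the package element posted in the thread.

```php
<?php
// Added example. $raw stands for the untouched POST body (assumption);
// the XML below is a constructed sample based on the thread's package element.
$raw = <<<'XML'
<package>
   <software_name>Service Pack 1 for SQL Server 2008 (KB968369)</software_name>
   <software_uninstall><![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Action=RemovePatch /AllInstances]]></software_uninstall>
   <software_install_date>20101215</software_install_date>
</package>
XML;

// Parse one <package> element; returns an array of strings, or null if rejected.
function parse_package($raw)
{
    // Audit results need no DTD, so refuse any DOCTYPE before libxml sees it
    // (keeps entity definitions out of data that is no longer pre-filtered).
    if (stripos($raw, '<!DOCTYPE') !== false) {
        return null;
    }
    $prev = libxml_use_internal_errors(true);   // collect errors, emit no warnings
    try {
        $xml = new SimpleXMLElement($raw, LIBXML_NOCDATA | LIBXML_NONET);
    } catch (Exception $e) {
        $xml = null;                             // malformed input is rejected
    }
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($xml === null || $xml->getName() !== 'package') {
        return null;
    }
    $fields = array();
    foreach ($xml->children() as $child) {
        $fields[$child->getName()] = (string) $child;   // CDATA merged as text
    }
    return $fields;
}

// Encode at the point of output instead of rewriting the input.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$fields = parse_package($raw);
echo $fields['software_uninstall'], "\n";      // value as stored, unmodified
echo h($fields['software_uninstall']), "\n";   // value as written into HTML
// Input shaped like the filtered dump in the thread no longer parses:
var_dump(parse_package('<software uninstall>&lt;![CDATA[x]]></software_uninstall>'));
```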

All times are UTC + 10 hours