Open-AudIT


All times are UTC + 10 hours




 Post subject: [help] [solved] XML hell
Posted: Sat Jan 26, 2013 1:35 pm
Site Admin
So we have a section of software in the XML that appears as below.
The problem is that this makes the PHP error, complaining about the software_uninstall line.
I have narrowed it down to the + symbol (if I remove that, it parses), but if anyone can tell me why it would be appreciated.
The string is enclosed in <!CDATA{ and }}> tags, so everything inside should be ignored.
I have other strings that contain the = symbol and they work fine.
Even in other software_uninstall strings.
I'm thinking it's some combination of the position of the " and the =. I don't have that combination anywhere else...
Any help much appreciated.

FWIW - I may simply remove this from the audit script (the software_uninstall) because even though it is retrieved and stored, it's not actually displayed anywhere in the web front end that I can see.

Code:
      <package>
         <software_name>Service Pack 1 for SQL Server 2008 (KB968369)</software_name>
         <software_version>10.1.2531.0</software_version>
         <software_location></software_location>
         <software_uninstall><![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Action&eq;RemovePatch /AllInstances]]></software_uninstall>
         <software_install_date>20101215</software_install_date>
         <software_publisher>Microsoft Corporation</software_publisher>
         <software_install_source></software_install_source>
         <software_system_component></software_system_component>
         <software_url></software_url>
         <software_email></software_email>
         <software_comment></software_comment>
         <software_code_base></software_code_base>
         <software_status></software_status>
         <software_installed_by></software_installed_by>
         <software_installed_on></software_installed_on>
      </package>

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


 Post subject: Re: XML Help
Posted: Sat Jan 26, 2013 4:10 pm
Moderator
Is the CDATA stuff new for escaping? Perhaps you need to change the parsing a bit?

Code:
$xml = new SimpleXMLElement($xml_input, LIBXML_NOCDATA);


 Post subject: Re: XML Help
Posted: Sun Jan 27, 2013 3:55 pm
Moderator
Although I'm not getting any errors either way with PHP 5.3.2 or 5.4.11.

My test case using the OA code:
Code:
<?php

$input = '      <package>
         <software_location></software_location>
         <software_uninstall><![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Action=RemovePatch /AllInstances]]></software_uninstall>
         <software_install_date>20101215</software_install_date>
      </package>';
    
# and a final convert
$xml_input = iconv("UTF-8", "UTF-8//TRANSLIT", $input);      

try {
   $xml = new SimpleXMLElement($xml_input, LIBXML_NOCDATA);
   # $xml = new SimpleXMLElement($xml_input);
   print_r($xml);
} catch (Exception $e) {
   echo "Invalid XML input";
   exit;
}


Without LIBXML_NOCDATA:
Code:
C:\Temp>php test.php
SimpleXMLElement Object
(
    [software_location] => SimpleXMLElement Object
        (
        )

    [software_uninstall] => SimpleXMLElement Object
        (
        )

    [software_install_date] => 20101215
)


With LIBXML_NOCDATA:
Code:
C:\Temp>php test.php
SimpleXMLElement Object
(
    [software_location] => SimpleXMLElement Object
        (
        )

    [software_uninstall] => "c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack
\setup.exe" /Action=RemovePatch /AllInstances
    [software_install_date] => 20101215
)


 Post subject: Re: XML Help
Posted: Wed Jan 30, 2013 3:25 am
Moderator
Nothing wrong with the XML stuff. CI XSS filter is clobbering the input. Some brute force debugging output below.

with $config['global_xss_filtering'] = FALSE
Code:
<a href='http://openaudit2/index.php/system'>Back to input page</a><br />
<a href='http://openaudit2/index.php'>Front Page</a><br />
      <package>
         <software_name>Service Pack 1 for SQL Server 2008 (KB968369)</software_name>
         <software_version>10.1.2531.0</software_version>
         <software_location></software_location>
         <software_uninstall><![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Action=RemovePatch /AllInstances]]></software_uninstall>
         <software_install_date>20101215</software_install_date>
         <software_publisher>Microsoft Corporation</software_publisher>
         <software_install_source></software_install_source>
         <software_system_component></software_system_component>
         <software_url></software_url>
         <software_email></software_email>
         <software_comment></software_comment>
         <software_code_base></software_code_base>
         <software_status></software_status>
         <software_installed_by></software_installed_by>
         <software_installed_on></software_installed_on>
      </package><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">

<h4>A PHP Error was encountered</h4>


with $config['global_xss_filtering'] = TRUE
Code:
<a href='http://openaudit2/index.php/system'>Back to input page</a><br />
<a href='http://openaudit2/index.php'>Front Page</a><br />
  <package>
   <software_name>Service Pack 1 for SQL Server 2008 (KB968369)</software_name>
   <software_version>10.1.2531.0</software_version>
   <software_location></software_location>
   <software uninstall>&lt;![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Acti /AllInstances]]></software_uninstall>
   <software_install_date>20101215</software_install_date>
   <software_publisher>Microsoft Corporation</software_publisher>
   <software_install_source></software_install_source>
   <software_system_component></software_system_component>
   <software_url></software_url>
   <software_email></software_email>
   <software_comment></software_comment>
   <software_code_base></software_code_base>
   <software_status></software_status>
   <software_installed_by></software_installed_by>
   <software_installed_on></software_installed_on>
  </package><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">

<h4>A PHP Error was encountered</h4>


 Post subject: Re: XML Help
Posted: Wed Jan 30, 2013 9:41 pm
Site Admin
Even if I disable the XSS config item, I still get errors.
When you look at the XML as accepted by the form, the PHP (somewhere) is royally screwing it up. <software_uninstall> becomes <software uninstall> for just one example. We weren't using this attribute anyway, so for now at least I have removed the data from the VBscript (the tags are still there, they're just empty).

We can continue to hack on this, but for now I've released beta 8.5 that "fixes" this.

 Post subject: Re: XML Help
Posted: Thu Jan 31, 2013 2:46 am
Moderator
I have no trouble importing the computer10.xml example file when I set global_xss_filtering = FALSE in the config.php file. It does not work when I use your b8.5 code which sets the variable in the system.php controller index().
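
The failure traced in this thread, as an added example that is not part of the original posts or of Open-AudIT's code: an HTML-oriented XSS filter applied to a raw XML upload before parsing damages the markup, so the safer order is to parse the unfiltered document and HTML-encode each value only when it is displayed. The helper names `parse_audit_xml` and `h` are hypothetical, and the two sample documents are shortened from the debug output quoted above.

```php
<?php
// Added example: parse the raw XML first, encode only at output time.
// parse_audit_xml() and h() are hypothetical helper names.

// Shortened from the thread: the document as submitted...
$raw = '<package>
  <software_name>Service Pack 1 for SQL Server 2008 (KB968369)</software_name>
  <software_uninstall><![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Action=RemovePatch /AllInstances]]></software_uninstall>
</package>';

// ...and the same element after the XSS filter rewrote it.
$filtered = '<package>
  <software_name>Service Pack 1 for SQL Server 2008 (KB968369)</software_name>
  <software uninstall>&lt;![CDATA["c:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB968369\ServicePack\setup.exe" /Acti /AllInstances]]></software_uninstall>
</package>';

function parse_audit_xml($xml_text)
{
    // Collect libxml errors instead of letting them surface as PHP warnings.
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    // LIBXML_NOCDATA merges CDATA into text nodes; LIBXML_NONET blocks network fetches.
    $doc = simplexml_load_string($xml_text, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    $errors = array();
    foreach (libxml_get_errors() as $err) {
        $errors[] = sprintf('line %d: %s', $err->line, trim($err->message));
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return array($doc, $errors);
}

function h($value)
{
    // Output encoding for HTML body text and quoted attribute values.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

foreach (array('raw' => $raw, 'filtered' => $filtered) as $label => $text) {
    list($doc, $errors) = parse_audit_xml($text);
    if ($doc === false) {
        // Malformed input is rejected with the parser's own diagnostics.
        echo "$label: rejected\n  " . implode("\n  ", $errors) . "\n";
        continue;
    }
    echo "$label: uninstall = " . h($doc->software_uninstall) . "\n";
}
```

In CodeIgniter 2.x the global filter runs when the Input class is constructed, before any controller method executes, which is consistent with the `config.php` setting taking effect where a value set inside the controller did not.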

