Pattern Library Security Vunerability

If you’re running a version of the ALA pattern library that’s more than a few weeks old on a public server, please update it right away. The script that powers the navigation in the pattern library was found to have a pretty glaring security issue that would potentially allow read access to any file on a public webserver, even outside of the web root. If you’re running the pattern library locally there’s nothing to worry about—but you should pull the latest from the repository just the same.

To view the patterns in isolation, a small PHP script checks for a path variable in the URL then uses include() to pull a snippet of code on the page. If that variable isn’t present, all the patterns are rendered instead.

Unfortunately, where this pattern library script had really only been used on internal projects, it operated on a certain level of trust—whatever was passed in that path variable would be included on the page, without restriction or filtering. This meant that a path pointing outside of the pattern library root—or even the web server’s public root—could be rendered on a public page. Permissions settings aside, this meant the potential for public access to any file on a server hosting the pattern library.

This issue has since been resolved, and any inputs thoroughly sanitized. We’re now ensuring that special characters are escaped, that the path variable can’t point to any parent directory, and that the file being included has an .html extension.

In terms of lines of code, this was a very small issue—resolved in about fifteen minutes, if even that. In terms of security impact, it meant largely unrestricted access to any file on any public-facing server that hosted the pattern library—a serious issue.

The lesson here is to always sanitize your inputs—even in code that isn’t meant to be released to the public, just in case.

Thanks to @linssen for pointing the issue out to us.

  • By The fine folks at A List Apart
  • Posted in Uncategorized
  • Tagged ALA, PHP, URL
  • Translator

  • Recent Articles

    • ‘Destiny’ Fans Create Weapon Replicas & Miniatures Using 3D Printer
    • HTC One M8 on Verizon Android 4.4.4 update appears
    • Alien Isolation Corporate Lockdown DLC Content Launches Next Week
    • Halo: Nightfall Official Trailer
    • LG G Watch R Lands In The UK Tomorrow
    • 27″ iMac w/ 5K Display Now Available for Pre-Order at B&H
    • Super Small IMUduino Arduino Leonardo Powered Board (video)
    • Mayoral race heats up with new endorsements, donations
    • Sony Xperia Z3 Smartphone Lands In Japan
    • Study Finds 40% Of Adults Have Experienced Online Harassment
    • Watch PK First Official Trailer, Aamir Khan’s new movie
    • Goodwell’s Smart Toothbrush Seeks Crowdfunding To Become A Reality
    • Smartphone Controlled Bionic Bird Hits Indiegogo (video)
    • Scarlett Johansson getting $10 million for Suicide Squad: Reports
    • Watch First ‘Halo 5: Guardians’ Multiplayer Footage Next Month
    • Secure Messaging App Telegram Adds Usernames And Snapchat-Like Hold-To-View For Media
    • Ford Announces New Pre-Collision Technology For Future Cars (Video)
    • iOS 8.1 reviews for iPhone 5 and 5S
    • Google Hangouts Android App Updated To v2.4 Enbales Voice Call Credit Display And More
    • Apple To Build 25 More Apple Stores In China