User forums > General (but related to Code::Blocks)

Is this maybe a security problem?

<< < (2/2)

hrkljus:

--- Quote from: oBFusCATed on February 11, 2016, 09:48:30 am ---Can a user find the problem by inspecting the project with a text editor or using cb's guis?

--- End quote ---

Yup it can be found, opening project.cbp in a text editor should be enough for a user to notice malicious commands both in project arguments and compiler options.


--- Quote from: raynebc on February 11, 2016, 06:42:09 pm ---Same risk somebody could get by running untrusted build scripts or makefiles?

--- End quote ---

Yea that's exactly what my friend said.


--- Quote from: yvesdm3000 on February 11, 2016, 08:06:26 pm ---And what about the compiled code? Once you execute it, it can also whatever the programmer wrote...

Yves

--- End quote ---

That's the thing with this approach, the source code can be an innocent Hello World program, but the malicious part is hiddent in project.cbp.

All in all I agree pretty much, looking at the Code::Blocks source code it doesn't seem that there's an easy way to fix this like just quoting something, so it may not be worth the effort.

MortenMacFly:
I am always surprised about were and how much criminal energy it put into...

Burt really: If we don't allow such we will strip important functionality from the IDE. I would assume that you could do similar things with any IDE out there.

So I agree 100% with dmoore:

--- Quote from: dmoore on February 11, 2016, 05:40:52 pm ---Expected behavior I would say. Aka, don't run projects from untrusted sources  :o

--- End quote ---

And no, I guess we won't do anything about it. Because we also cannot avoid in no way that stupid people will use C::B to write stupid programs.

BTW:  We do have a security layer for scripting though...

BlueHazzard:

--- Quote from: MortenMacFly on February 13, 2016, 11:08:50 pm ---BTW:  We do have a security layer for scripting though...

--- End quote ---
But it is not very secure... I found a lot wholes in it:
for example, you can not safe a file through the script api, but if you open an editor through scripts, and safe this editor you can write anything to disk, without any security intervention...
Of course this can be fixed, but c::b is a ide... it is made for programming, not to be a secure environment... I think it is the responsibility of the user to trust/untrust project/script sources...  Also the target group for a exploit is quite small...
Don't understand me wrong, security is one of the most important things today, but a programming ide should (and can) not be the frontier of defense...

greetings

raynebc:
Not running the IDE with administrator privileges will also help limit anything a destructive build script/project could do.

Navigation

[0] Message Index

[*] Previous page

Go to full version