Link in forums

Worker Joined: Dec 21, 2004 Posts: 116

What's the most secure PHP filter that allow users to insert links to sites or images in a forum without flaws in security? (regarding xss and csrf overall)

Posted: Sun Jan 13, 2008 4:33 am

It depends on what you actually mean by "without flaws in security".
Allowing external links is always going to be a risk.
Using BBCode is better than allowing straight html.
As an example, it is widely known that malicious code can be enbedded within a gif image file. Ensuring the server is using the correct MIME TYPE can help in this regard by ensuring the image is not 'executable'.

Posted: Tue Jan 15, 2008 8:11 am

At this time I'm using:
htmlentities(strip_tags($t),ENT_QUOTES);
before inserting $t in db, and

nl2br(strip_tags(html_entity_decode($t)));
after extraction from db and before output

These could help?

For including url and image I made 2 tags called [ url ] and [ img ] and 2 replace like these:

Code:




$text=preg_replace('/\[url=(http:\/\/[\w\#$%&~\/.\-;:=,?@\[\]+]*?)\](.*?)\[\/url\]/i',


'<a href="\\1">\\2</a>',$text);





$text=preg_replace('/\[img\](http:\/\/[\w\#$%&~\/.\-;:=,?@\[\]+]*?\.(gif|jpg|png))\[\/img\]/i',


'<img src="\\1"/>',$text);

Posted: Wed Jan 16, 2008 4:07 pm

Unfortunately, allowing external image links is never a good idea. The problem is that the browser is in charge of going and requesting the image, not your PHP code. So, if an image src is pointing to an external site, YOU are responsible to ensure that YOUR users are not negatively impacted by an issue of that site being hacked or that image src being tampered with to go to somewhere else.

Unfortunately there are just so many ways to attack the image src that security experts actually recommend, upon submittal of the image, having your PHP go and retrieve the image (again, the method is VERY important as you do not want it to follow redirects, etc.) to your server in a temporary location, run specific "tests" on the file for validity, and then move that image file to its final "home" on your server for later "presentment".

But, you can see (hopefully) that this is no easy task. So, nothing is "full proof" security-wise and you have to determine to what level of risk you are willing to take. This is why any sort-of "attachment mod" or other form of image upload capability, just gets my head to spinning... Wink

If you are interested in learning a bit more about these types of exploits and what to do about them (although there is nothing fool-proof), you could pick up Ilia Alshanetsky's book on security (he's actually been a recent PHP release manager as well as has written several extensions now a part of PHP).

Posted: Thu Jan 17, 2008 4:41 am

To limit fake image risks I inserted a random token in every link that takes you to a "non-undo" action.

Do you thank that the filters above could block at least more common XSS ?
A XSS to get user cookies have to insert a jscript in the page or has other way too?

Posted: Thu Jan 17, 2008 6:58 am

Get the book that I recommended and you will even see how strip_tags() will allow an attribute insertion. Sad

I don't understand what you mean by your first sentence. Sorry.

The risk isn't even in just the submittal of the link, but remember that the <img> tag has a src="http://......" attribute. Nothing says that a .jpg, for instance, has to really be an image... it can actually contain PHP code (yes, that is in fact true - it was either jpg or gif that had the exploit or both - cannot recall now). Now imagine the issues that would present....

I am just saying that you do what you can, but don't look for anyone to give you a 100% solution or even put their reputation on the line giving specific exploit prevention advice.

Posted: Thu Jan 17, 2008 8:33 am

Thanks for the suggestions.
I thought that image could insert redirect to other script not directly PHP code in the page flow.

What kind of measure use PHPBB to limit the problem?

Quote:

Ensuring the server is using the correct MIME TYPE can help in this regard by ensuring the image is not 'executable'.

How I can check this? Could you give me more infos about this?

Posted: Thu Jan 17, 2008 10:08 am

If you Google for MIME TYPES I'm sure you will come up with a ton of information.
This is however only one 'layer' of protection. If security is a concern, don't allow remote image uploads.
I'm not trying to rebuff your question it is just that people have written whole books on this this and similar topics so tying to cram it all into one forum post is simply not possible and for every pieve of advice I could give you, there will be another 20 I didn't know about.

Posted: Thu Jan 17, 2008 10:49 am

Why not just use phpBB's BBCode? The [img] tag? Or are you coding your own forum or something?

Posted: Thu Jan 17, 2008 11:28 am

Gremmie wrote:

Why not just use phpBB's BBCode? The [img] tag? Or are you coding your own forum or something?

I'm coding my own "something" Laughing

And because phpBB permit users to insert external img and url I thought there was a quite secure filter to implement Razz

If it's too risky I'll give it a cut... but because I'm not making a bank website maybe I can get some risks and hope in good fate Very Happy

Posted: Thu Jan 17, 2008 11:47 am

Ok, I would take a look at what they did with their BBCode tags as a starting point.

Posted: Fri Jan 18, 2008 6:50 am

Just remember, the browser doesn't give a rip about BBCode. Its language is HTML and in order to have to display an image, it is using the <img> tag with a src attribute. So, NO, phpBB is not even 100% safe in this regards.

But, it doesn't seem to be a wide-spread issue given the difficulties around this specific "attack". I'm just using this thread as an opportunity to "enlighten" and plug the book that I had just completed reading.

Posted: Fri Jan 18, 2008 8:36 am

That's true, but phpBB with [img] does get a chance to analyze the URL first before converting it to an <img> tag. If it sees funny characters like ? that may indicate a script, it doesn't convert it to an <img> tag. However you are right, someone could still name a script something.jpg but for some reason we don't see this in the wild.

Posted: Fri Jan 18, 2008 9:47 am

Gremmie wrote:

That's true, but phpBB with [img] does get a chance to analyze the URL first before converting it to an <img> tag.

At least I analyze that ends with jpg|gif|png

Quote:

However you are right, someone could still name a script something.jpg but for some reason we don't see this in the wild.

You don't need to rename the script, sometime you simply need a redirect like this in a htaccess:

Code:

Redirect 302 /a.jpg http://mypoorsite.com/admin.php?danger

Worker Joined: Nov 17, 2006 Posts: 222

pardon me is it possible for hcaker to use Eg. mysite.com/module/forum/image/rank/5star.gif ..using the image string to hcak in? or something like this .themes/fisubice/forums/images/lang_english/icon_pm.gif

Posted: Sat Jan 19, 2008 11:03 pm

If the web server is configured in a certain way, I believe that the answer is "yes". However, wouldn't these images be coming from YOUR web server? If so, most likely it is configured properly, no? Take a PHP script and rename it with a gif or jpg extension and see what your web server does with it.

Posted: Sun Jan 20, 2008 4:47 pm

redhairz wrote:

pardon me is it possible for hcaker to use Eg. mysite.com/module/forum/image/rank/5star.gif ..using the image string to hcak in? or something like this .themes/fisubice/forums/images/lang_english/icon_pm.gif

No, yours image are secure.
External images inserted by users on forum by tags could.

Posted: Mon Jan 21, 2008 5:08 am

Looking in phpbb code I saw that every tag is followed by the userid.

Code:

   $text = str_replace("[quote:$uid]", $bbcode_tpl['quote_open'], $text);


   $text = str_replace("[/quote:$uid]", $bbcode_tpl['quote_close'], $text);

Anyone know why of this?

Posted: Mon Jan 21, 2008 3:50 pm

I think its to differeniate between tags from various users, esp if you're quoting other people.