Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other
Author Message
shmk
Worker
Worker


Joined: Dec 21, 2004
Posts: 116

PostPosted: Sun Jan 13, 2008 4:24 am Reply with quote

What's the most secure PHP filter that allow users to insert links to sites or images in a forum without flaws in security? (regarding xss and csrf overall)
 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Sun Jan 13, 2008 4:33 am Reply with quote

It depends on what you actually mean by "without flaws in security".
Allowing external links is always going to be a risk.
Using BBCode is better than allowing straight html.
As an example, it is widely known that malicious code can be enbedded within a gif image file. Ensuring the server is using the correct MIME TYPE can help in this regard by ensuring the image is not 'executable'.
 
View user's profile Send private message Send e-mail
shmk
PostPosted: Tue Jan 15, 2008 8:11 am Reply with quote

At this time I'm using:
htmlentities(strip_tags($t),ENT_QUOTES);
before inserting $t in db, and

nl2br(strip_tags(html_entity_decode($t)));
after extraction from db and before output

These could help?

For including url and image I made 2 tags called [ url ] and [ img ] and 2 replace like these:

Code:


$text=preg_replace('/\[url=(http:\/\/[\w\#$%&~\/.\-;:=,?@\[\]+]*?)\](.*?)\[\/url\]/i',
'<a href="\\1">\\2</a>',$text);

$text=preg_replace('/\[img\](http:\/\/[\w\#$%&~\/.\-;:=,?@\[\]+]*?\.(gif|jpg|png))\[\/img\]/i',
'<img src="\\1"/>',$text);
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Wed Jan 16, 2008 4:07 pm Reply with quote

Unfortunately, allowing external image links is never a good idea. The problem is that the browser is in charge of going and requesting the image, not your PHP code. So, if an image src is pointing to an external site, YOU are responsible to ensure that YOUR users are not negatively impacted by an issue of that site being hacked or that image src being tampered with to go to somewhere else.

Unfortunately there are just so many ways to attack the image src that security experts actually recommend, upon submittal of the image, having your PHP go and retrieve the image (again, the method is VERY important as you do not want it to follow redirects, etc.) to your server in a temporary location, run specific "tests" on the file for validity, and then move that image file to its final "home" on your server for later "presentment".

But, you can see (hopefully) that this is no easy task. So, nothing is "full proof" security-wise and you have to determine to what level of risk you are willing to take. This is why any sort-of "attachment mod" or other form of image upload capability, just gets my head to spinning... Wink

If you are interested in learning a bit more about these types of exploits and what to do about them (although there is nothing fool-proof), you could pick up Ilia Alshanetsky's book on security (he's actually been a recent PHP release manager as well as has written several extensions now a part of PHP).

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
shmk
PostPosted: Thu Jan 17, 2008 4:41 am Reply with quote

To limit fake image risks I inserted a random token in every link that takes you to a "non-undo" action.

Do you thank that the filters above could block at least more common XSS ?
A XSS to get user cookies have to insert a jscript in the page or has other way too?
 
montego
PostPosted: Thu Jan 17, 2008 6:58 am Reply with quote

Get the book that I recommended and you will even see how strip_tags() will allow an attribute insertion. Sad

I don't understand what you mean by your first sentence. Sorry.

The risk isn't even in just the submittal of the link, but remember that the <img> tag has a src="http://......" attribute. Nothing says that a .jpg, for instance, has to really be an image... it can actually contain PHP code (yes, that is in fact true - it was either jpg or gif that had the exploit or both - cannot recall now). Now imagine the issues that would present....

I am just saying that you do what you can, but don't look for anyone to give you a 100% solution or even put their reputation on the line giving specific exploit prevention advice.
 
shmk
PostPosted: Thu Jan 17, 2008 8:33 am Reply with quote

Thanks for the suggestions.
I thought that image could insert redirect to other script not directly PHP code in the page flow.

What kind of measure use PHPBB to limit the problem?


Quote:
Ensuring the server is using the correct MIME TYPE can help in this regard by ensuring the image is not 'executable'.


How I can check this? Could you give me more infos about this?
 
Guardian2003
PostPosted: Thu Jan 17, 2008 10:08 am Reply with quote

If you Google for MIME TYPES I'm sure you will come up with a ton of information.
This is however only one 'layer' of protection. If security is a concern, don't allow remote image uploads.
I'm not trying to rebuff your question it is just that people have written whole books on this this and similar topics so tying to cram it all into one forum post is simply not possible and for every pieve of advice I could give you, there will be another 20 I didn't know about.
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Thu Jan 17, 2008 10:49 am Reply with quote

Why not just use phpBB's BBCode? The [img] tag? Or are you coding your own forum or something?

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
shmk
PostPosted: Thu Jan 17, 2008 11:28 am Reply with quote

Gremmie wrote:
Why not just use phpBB's BBCode? The [img] tag? Or are you coding your own forum or something?


I'm coding my own "something" Laughing

And because phpBB permit users to insert external img and url I thought there was a quite secure filter to implement Razz

If it's too risky I'll give it a cut... but because I'm not making a bank website maybe I can get some risks and hope in good fate Very Happy
 
Gremmie
PostPosted: Thu Jan 17, 2008 11:47 am Reply with quote

Ok, I would take a look at what they did with their BBCode tags as a starting point.
 
montego
PostPosted: Fri Jan 18, 2008 6:50 am Reply with quote

Just remember, the browser doesn't give a rip about BBCode. Its language is HTML and in order to have to display an image, it is using the <img> tag with a src attribute. So, NO, phpBB is not even 100% safe in this regards.

But, it doesn't seem to be a wide-spread issue given the difficulties around this specific "attack". I'm just using this thread as an opportunity to "enlighten" and plug the book that I had just completed reading.
 
Gremmie
PostPosted: Fri Jan 18, 2008 8:36 am Reply with quote

That's true, but phpBB with [img] does get a chance to analyze the URL first before converting it to an <img> tag. If it sees funny characters like ? that may indicate a script, it doesn't convert it to an <img> tag. However you are right, someone could still name a script something.jpg but for some reason we don't see this in the wild.
 
shmk
PostPosted: Fri Jan 18, 2008 9:47 am Reply with quote

Gremmie wrote:
That's true, but phpBB with [img] does get a chance to analyze the URL first before converting it to an <img> tag.


At least I analyze that ends with jpg|gif|png

Quote:
However you are right, someone could still name a script something.jpg but for some reason we don't see this in the wild.


You don't need to rename the script, sometime you simply need a redirect like this in a htaccess:

Code:
Redirect 302 /a.jpg http://mypoorsite.com/admin.php?danger
 
redhairz
Worker
Worker


Joined: Nov 17, 2006
Posts: 222

PostPosted: Sat Jan 19, 2008 7:03 pm Reply with quote

pardon me is it possible for hcaker to use Eg. mysite.com/module/forum/image/rank/5star.gif ..using the image string to hcak in? or something like this .themes/fisubice/forums/images/lang_english/icon_pm.gif

_________________
Jesus is Alive, He is our joy, be it good times or bad time. 
View user's profile Send private message
montego
PostPosted: Sat Jan 19, 2008 11:03 pm Reply with quote

If the web server is configured in a certain way, I believe that the answer is "yes". However, wouldn't these images be coming from YOUR web server? If so, most likely it is configured properly, no? Take a PHP script and rename it with a gif or jpg extension and see what your web server does with it.
 
shmk
PostPosted: Sun Jan 20, 2008 4:47 pm Reply with quote

redhairz wrote:
pardon me is it possible for hcaker to use Eg. mysite.com/module/forum/image/rank/5star.gif ..using the image string to hcak in? or something like this .themes/fisubice/forums/images/lang_english/icon_pm.gif


No, yours image are secure.
External images inserted by users on forum by tags could.
 
shmk
PostPosted: Mon Jan 21, 2008 5:08 am Reply with quote

Looking in phpbb code I saw that every tag is followed by the userid.

Code:
   $text = str_replace("[quote:$uid]", $bbcode_tpl['quote_open'], $text);

   $text = str_replace("[/quote:$uid]", $bbcode_tpl['quote_close'], $text);


Anyone know why of this?
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Mon Jan 21, 2008 3:50 pm Reply with quote

I think its to differeniate between tags from various users, esp if you're quoting other people.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©