Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Dawg
RavenNuke(tm) Development Team


Joined: Nov 07, 2003
Posts: 910

PostPosted: Wed Mar 26, 2008 5:06 pm Reply with quote

Greetings All,
Is there any known security issue with PHPbb and allowing XML uploads?

Thank You

Dawg
 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Sat Mar 29, 2008 7:29 am Reply with quote

Dawg, I am not familiar with XML uploads in terms of phpBB. I take it this is some kind of mod?

But, bottom line really is that any script which allows for the uploading of a file or that receives its input from a remote location (heck, even locally can be an issue if compromised already) is a potential opening. The all depends upon how the input is filtered and how it is going to be used. Unfortunately, that is left to each of us to worry about and make certain that we know exactly what we are putting on our systems.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Dawg
PostPosted: Sat Mar 29, 2008 7:42 am Reply with quote

Montego,
I is not a MOD...it is a file type (Like you didn't know that...LOL) This is actually a .gpx file but .gpx is nothing more than xml with the extention changed. It is a file type for GPS data.

I use the attachment MOD but I have it squirreled into just jpegs and pdfs, my question is if I it is a BIG NONO to alloow xml. I know anything can be exploited...if did not know if there was a know one for this file type.

Dawg
 
montego
PostPosted: Sat Mar 29, 2008 7:46 am Reply with quote

Dawg, actually, I am no phpBB expert, nor am I familiar with the attachment mod. Sorry, but that was all Evaders. He's the man...

Well, it is interesting because even a PDF can be exploited (as well as a gif)... I will not discuss how or why in the open. I would say, make sure that there is validation on the XML file to make sure it is truly valid... might even want to force a validation against its DTD even. I just don't know what is built into that attachment mod.
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Sat Mar 29, 2008 9:48 am Reply with quote

XML in and by itself is harmless of course, it is just a text file. But as always, someone could simply add a ".xml" to the end of an executable or shell script, and if they can somehow get the execute bit set on the file and execute it under the right circumstances you might have some trouble.

I would say you are reasonably safe if the upload script makes sure it has a .xml extension and changes the permissions on the file to something benign after uploading it.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
montego
PostPosted: Sat Mar 29, 2008 10:15 am Reply with quote

Ah, young Skywalker... it all depends upon how its "used". HTML is essentially XML with a specific DTD right? XML also has a DOM, just as HTML does, obviously, since HTML is a "child" of XML.

Read the book that I sent the link on yesterday and you will have a fresh outlook on the new life we lead...

It always boils down to "Know thy input", "Know thy response to thy input", and then "Protect thy site and others with thy output".
 
Gremmie
PostPosted: Sat Mar 29, 2008 10:31 am Reply with quote

HTML is actually a child of SGML. XHTML is an attempt to derive a variant of HTML with a more strict XML syntax.

I work with XML every day at work. I also wrote my own upload script that plugs into the Downloads module. Smile

The PHP Pro Security book has a list of things you can do with your upload scripts to help make them safer.
 
montego
PostPosted: Sat Mar 29, 2008 10:56 am Reply with quote

What I have said still stands. It depends upon what you then do with the file. Read the book... Wink

Within your work, do you have complete control over the inputs and outputs? If you are working on embedded systems, for the most part, they have well-defined interfaces. You are expecting XML and that is what you are going to get AND most likely it will also be structured as you expect.
 
Gremmie
PostPosted: Sat Mar 29, 2008 11:51 am Reply with quote

Everyone agrees that allowing uploads is risky. However you may be willing to take this risk because uploads are important for your website community.

There isn't anything inherently evil about XML files being an allowed thing to upload. It is no more dangerous than any other file type if you handle it properly. As montego said, your upload script should attempt, as much as possible, to verify the file is what it claims to be.

It may not be practical to easily verify that the XML files match the particular DTD that Dawg is using. Make sure the file gets its permissions changed and gets moved somewhere out of the original upload directory. There is a checklist of things you can do to minimize risk for uploads in that PHP Pro Security book.

I didn't mean to get cranky; I don't respond well to the "grasshopper thing" (edit: sorry, I see it was actually Skywalker Embarassed ) . Its a personal problem. I'm sorry. I studied several PHP upload scripts and read the above book, and even wrote an upload script that implements the ideas. I use XML files at work. And yes you are right, we control everything about the XML in our environment. In a web environment you cannot do this, thus you have to be extremely cautious.

We often harp about not allowing uploads here on this site. However there are 1000's of scripts, wikis, CMS's etc that do, because there is a need for it. And they had exploits and people had to patch them. But it can be done with a reasonable amount of safety.
 
Gremmie
PostPosted: Sat Mar 29, 2008 12:01 pm Reply with quote

Getting back to Dawg's question. What phpBB function (forum mod?) are you talking about? The attachment mod? Hopefully it has been vetted for security flaws and I would not expect it to have issues with XML files. However I haven't looked at it and thus probably should not have responded to this thread at all.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©