PHP Security Issue!

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

IronicSoul
Forum Newbie
Posts: 2
Joined: Sat Jun 14, 2008 1:55 pm

PHP Security Issue!

Post by IronicSoul »

We have a website that allows our users to add HTML to their profiles and such, until some person thought they were real funny and posted this:

<iframe src=http://lancxeon.com/jack****.html</iframe>

On their profile, in return this contained JavaScript on that remote page that acted on our site and our users in a bad way.

The link above no longer contains the bad code and is resolved. We would really like to know how to censor out words/HTML tags that can cause XSS that our system does not normally detect as bad. Here is a snippet of our user_class file:

Code:

    // DECODE TO MAKE HTML TAGS FOR PROFILE FIELDS VALID
    // (turns the stored entities back into live markup, so any tag the user typed is rendered)
    $field_value_profile = htmlspecialchars_decode($field_value_profile, ENT_QUOTES);

// FORMAT VALUE FOR FORM
} else {
    if ($field_info['field_type'] == 2) { $field_value = str_replace("<br>", "\r\n", $field_value); }
}
break;

I have read a lot on the PHP page on usage of htmlspecialchars and str_replace, but nothing will truly get rid of the code from being used, or at least being html-safe.

Any help I would greatly appreciate it!
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Re: PHP Security Issue!

Post by VirtuosiMedia »

Wouldn't the strip tags function work?
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: PHP Security Issue!

Post by califdon »

I'm definitely not a web page security expert, but I think if you allow your users to use HTML tags, you will have to get very specific about which tags you will allow. You can write a function to either replace certain known "dangerous" tags with "safe" ones, or you can detect "dangerous" tags and warn the user that they must remove them. You should then have a Help pop-up or something, where they can see what tags are allowed.
IronicSoul
Forum Newbie
Posts: 2
Joined: Sat Jun 14, 2008 1:55 pm

Re: PHP Security Issue!

Post by IronicSoul »

Alright, problem is I know very little about PHP so I don't know how I'm going to do this..
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: PHP Security Issue!

Post by Eran »

Try using HTML Purifier, an excellent package written precisely for this issue.
http://htmlpurifier.org/
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: PHP Security Issue!

Post by califdon »

Thanks, pytrin, that's an interesting library, but it appears that it supports only specific frameworks, and this new PHP user is unlikely to know how to use it. (Neither do I, to be honest.)

IronicSoul: There's really no way to simplify the task so that you can merely substitute a little code and solve your problem. You will need to do one of two things:
  1. Find someone who can rewrite your code to screen for unacceptable html tags or use a programming framework and a package such as pytrin referenced; or
  2. Prevent your users from using any HTML tags in their profiles.
To do the second thing above, you should have a warning to users on the page with the form, telling them not to use HTML tags, then you could validate the $field_value_profile variable using code like this:

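Code:

// strpos() takes the haystack first and returns 0 for a match at position 0,
// so compare against false instead of testing > 0
if (strpos($field_value_profile, "<") !== false) {
    // send them back to a page with an error message
} else {
    // continue processing their input
}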
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: PHP Security Issue!

Post by Eran »

What do you mean works only with other frameworks? This is an independent library... Why reinvent the wheel when you can have a good solution that evolved through community feedback? Isn't that what open-source is all about?
Installing it is rather easy... http://htmlpurifier.org/live/INSTALL
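
Added example, not part of the thread and not the original poster's code: one way to run the profile field from the first post through HTML Purifier with an explicit tag allowlist. The include path, the function names, the allowed-tag policy and the sample input are assumptions made for illustration.

```php
<?php
// Assumes HTML Purifier is unpacked next to this file (path is an assumption;
// see the library's INSTALL file for the real layout on your server).
require_once __DIR__ . '/htmlpurifier/library/HTMLPurifier.auto.php';

/**
 * Build a purifier that only lets an explicit allowlist of tags through.
 * The tag list is a hypothetical policy; adjust it to what profiles need.
 */
function profile_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist: anything not named here (iframe, script, object, event
    // handler attributes such as onclick) is removed from the output.
    $config->set('HTML.Allowed', 'p,br,b,i,em,strong,ul,ol,li,a[href]');
    // Links may only use http or https, so javascript: URLs are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return new HTMLPurifier($config);
}

/** Clean a profile field that is allowed to contain limited HTML. */
function clean_profile_html(string $stored): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = profile_purifier();
    }
    // Same decode step as the original snippet, but the decoded markup is
    // purified before it can reach the page.
    $decoded = htmlspecialchars_decode($stored, ENT_QUOTES);
    return $purifier->purify($decoded);
}

// Constructed sample input: what a profile field might hold after the site
// stored it entity-encoded. attacker.example is a placeholder host.
$stored = htmlspecialchars(
    '<b>Hi!</b> <iframe src="http://attacker.example/x.html"></iframe>'
    . ' <a href="javascript:alert(1)">me</a>'
    . ' <a href="https://example.org/">my site</a>',
    ENT_QUOTES
);

echo clean_profile_html($stored), "\n";

// Fields that should never contain HTML are escaped on output instead.
echo htmlspecialchars('<script>alert(1)</script>', ENT_QUOTES, 'UTF-8'), "\n";
```

Purifying when the profile is saved and keeping the cleaned value avoids re-running the filter on every page view; if the allowlist changes later, stored values need to be cleaned again.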
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: PHP Security Issue!

Post by califdon »

pytrin wrote: What do you mean works only with other frameworks? This is an independent library... Why reinvent the wheel when you can have a good solution that evolved through community feedback? Isn't that what open-source is all about?
Installing it is rather easy... http://htmlpurifier.org/live/INSTALL
Oops! I looked at the Plugins paragraph on their web page and made the (wrong) assumption that it only worked with those frameworks. Thanks for the correction.