Protecting Meta Redirect?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Protecting Meta Redirect?

Post by JAB Creations »

I'm curious if there are (and there likely are I can only presume) any attack methods directly correlating to meta redirect elements?

My PHP class has a CMS class in which I store various things I need to work with, such as the base1, base2, section, and page variables. Here is a localhost example broken down...

http://localhost/Version%202.9.A.3/web/css3
$cms->base1 = http://localhost
$cms->base2 = /Version%202.9.A.3/
$cms->section = web
$cms->page = css3

Echoed altogether...

echo $cms->base1.$cms->base2.$cms->section.'/'.$cms->page;
However I use the CMS class base variables for XHTML base element (makes using the exact same code in both a local and live environment absolutely painless).

The following works though I'd like to plug any holes if they may exist...

<meta content="4;url=<?php echo $_GET['url'];?>" http-equiv="refresh" />
I already use mysql_real_escape_string for all client data ($_GET, $_POST, etc) though I'm curious if there is anything that this approach could still be susceptible to?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Protecting Meta Redirect?

Post by kaisellgren »

JAB Creations wrote: I'm curious if there are any attack methods directly correlating to meta redirect elements?
XSS.
JAB Creations wrote:
<meta content="4;url=<?php echo $_GET['url'];?>" http-equiv="refresh" />
That code is vulnerable to XSS.

You can't just pass a user supplied variable into the output just like that.
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: Protecting Meta Redirect?

Post by JAB Creations »

With the base element I'm able to do partial URLs; however, I presume I could prevent an XSS attack by using an absolute URL?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Protecting Meta Redirect?

Post by matthijs »

Do a search for "output escaping" and htmlentities().

Good start:
http://shiflett.org/articles/cross-site-scripting
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Protecting Meta Redirect?

Post by kaisellgren »

No, that is wrong. The function htmlentities() was not meant to protect against XSS attacks. It is just an encoder. It may help you or it may not.

$test = htmlentities($_GET['test'],ENT_QUOTES);
echo <<<HTML
<html>
<head>
<meta content="10;url=$test" http-equiv="refresh" />
</head>
<body>
...
</body>
</html>
HTML;
Now try:
.php?test=data:text/html;base64,PHNjcmlwdD5hbGVydCgnSkFCIENyZWF0aW9ucycpPC9zY3JpcHQ+
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Protecting Meta Redirect?

Post by matthijs »

Obviously you also need some input filtering if you allow random data inside those variables. I would use a whitelist of allowable vars.

@kaisellgren, what is data:text/html;base64,PHNjcmlwdD5hbGVydCgnSkFCIENyZWF0aW9ucycpPC9zY3JpcHQ+ supposed to be doing?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Protecting Meta Redirect?

Post by kaisellgren »

matthijs wrote: Obviously you also need some input filtering. I would use a whitelist of allowable vars.
If you use whitelisting properly you do not need to encode the output in this case.
matthijs wrote: What is data:text/html;base64,PHNjcmlwdD5hbGVydCgnSkFCIENyZWF0aW9ucycpPC9zY3JpcHQ+ supposed to be doing?
A way to "bypass" your htmlentities() "protection".
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Protecting Meta Redirect?

Post by matthijs »

Would you care to explain exactly what you are implying about htmlentities. You make it sound like it is a silly function and isn't protecting anything, but I bet that is not what you mean.

As with most functions, it's about context. So please explain when and when not you'd use htmlentities. If I echo out a variable to html, I always use htmlentities.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Protecting Meta Redirect?

Post by kaisellgren »

matthijs wrote: Would you care to explain exactly what you are implying about htmlentities. You make it sound like it is a silly function and isn't protecting anything, but I bet that is not what you mean.
No functions in PHP are silly. Only the way you use them may be.
matthijs wrote: So please explain when and when not you'd use htmlentities.
All it does is encode the data passed into it. It is not always enough to protect against XSS attacks. For instance, if you "echo" a variable into an attribute value, using htmlentities() is not the right approach.
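The two points made in this thread, that htmlentities() passes the data: URI through untouched and that a whitelist of allowed targets is the real fix, combined into one added example (this is not code from anyone in the thread). ALLOWED_REDIRECT_HOSTS and both helper names are assumptions, and the nullable return type needs PHP 7.1 or later.

```php
<?php
// Added example: allow-list the redirect target, then encode it for the attribute.
// ALLOWED_REDIRECT_HOSTS and both function names are hypothetical.
const ALLOWED_REDIRECT_HOSTS = ['localhost', 'www.example.com'];

// Returns the URL if it is a site-relative path or an http(s) URL to an
// allowed host; null for everything else (data:, other schemes, unknown hosts).
function safe_redirect_target(string $url): ?string
{
    $url = trim($url);
    // Exactly one leading "/" and no backslashes: "//host" and "/\host" are
    // treated as scheme-relative by browsers and must not pass as local paths.
    if (preg_match('#^/(?!/)[^\s\\\\]*$#', $url)) {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;   // no host: covers data: and other non-hierarchical URIs
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return null;
    }
    return $url;
}

// Builds the meta refresh; falls back to the site root when validation fails.
// Attribute encoding is still applied on top of validation (defence in depth).
function meta_refresh_tag(string $url, int $seconds = 4): string
{
    $target = safe_redirect_target($url) ?? '/';
    $attr = htmlspecialchars($seconds . ';url=' . $target, ENT_QUOTES, 'UTF-8');
    return '<meta http-equiv="refresh" content="' . $attr . '" />';
}

// Constructed test inputs: the thread's data: URI, a scheme-relative URL,
// a local path and an allowed absolute URL.
$cases = [
    'data:text/html;base64,PHNjcmlwdD5hbGVydCgnSkFCIENyZWF0aW9ucycpPC9zY3JpcHQ+',
    '//attacker.invalid/',
    '/web/css3',
    'https://www.example.com/web/css3',
];
foreach ($cases as $c) {
    printf("%-80s -> %s\n", $c, var_export(safe_redirect_target($c), true));
}
echo meta_refresh_tag($_GET['url'] ?? '/web/css3'), "\n";
```

Only the last two inputs come back unchanged; the data: URI and the scheme-relative URL are replaced by the site root before the tag is emitted.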