Protecting Meta Redirect?
Posted: Tue Apr 28, 2009 10:30 pm
by JAB Creations
I'm curious if there are (and there likely are I can only presume) any attack methods directly correlating to meta redirect elements?
My PHP class has a CMS class that I store various things I need to work with such as base1, base2, section, and page variables. Here is a localhost example broken down...
http://localhost/Version%202.9.A.3/web/css3
$cms->base1 = http://localhost
$cms->base2 = /Version%202.9.A.3/
$cms->section = web
$cms->page = css3
Echoed altogether...
Code:
echo $cms->base1.$cms->base2.$cms->section.'/'.$cms->page
However I use the CMS class base variables for XHTML base element (makes using the exact same code in
both a local and live environment absolutely painless).
The following works though I'd like to plug any holes if they may exist...
Code:
<meta content="4;url=<?php echo $_GET['url'];?>" http-equiv="refresh" />
I already use
mysql_real_escape_string for all client data ($_GET, $_POST, etc) though I'm curious if there is anything that this approach could still be susceptible to?
Re: Protecting Meta Redirect?
Posted: Wed Apr 29, 2009 6:26 pm
by kaisellgren
JAB Creations wrote:I'm curious if there are any attack methods directly correlating to meta redirect elements?
XSS.
JAB Creations wrote:
<meta content="4;url=<?php echo $_GET['url'];?>" http-equiv="refresh" />
That code is vulnerable to XSS.
You can't just pass a user supplied variable into the output just like that.
Re: Protecting Meta Redirect?
Posted: Wed Apr 29, 2009 8:40 pm
by JAB Creations
With the base element I'm able to do partial URLs, however I presume I could prevent an XSS attack by using an absolute URL?
Re: Protecting Meta Redirect?
Posted: Thu Apr 30, 2009 2:38 am
by matthijs
Do a search for "output escaping" and htmlentities()
Good start:
http://shiflett.org/articles/cross-site-scripting
Re: Protecting Meta Redirect?
Posted: Thu Apr 30, 2009 7:35 am
by kaisellgren
No, that is wrong. The function htmlentities() was not meant to protect against XSS attacks. It is just an encoder. It may help you or it may not.
Code:
$test = htmlentities($_GET['test'],ENT_QUOTES);
echo <<<HTML
<html>
<head>
<meta content="10;url=$test" http-equiv="refresh" />
</head>
<body>
...
</body>
</html>
HTML;
Now try:
.php?test=data:text/html;base64,PHNjcmlwdD5hbGVydCgnSkFCIENyZWF0aW9ucycpPC9zY3JpcHQ+
Re: Protecting Meta Redirect?
Posted: Thu Apr 30, 2009 8:48 am
by matthijs
Obviously you also need some input filtering if you allow random data inside that variable. I would use a whitelist of allowable vars.
@kaisellgren, what is data:text/html;base64,PHNjcmlwdD5hbGVydCgnSkFCIENyZWF0aW9ucycpPC9zY3JpcHQ+ supposed to be doing?
Re: Protecting Meta Redirect?
Posted: Thu Apr 30, 2009 8:50 am
by kaisellgren
matthijs wrote:Obviously you also need some input filtering. I would use a whitelist of allowable vars
If you use whitelisting properly you do not need to encode the output in this case.
matthijs wrote:what is data:text/html;base64,PHNjcmlwdD5hbGVydCgnSkFCIENyZWF0aW9ucycpPC9zY3JpcHQ+ supposed to be doing?
A way to "bypass" your htmlentities() "protection".
Re: Protecting Meta Redirect?
Posted: Thu Apr 30, 2009 9:14 am
by matthijs
Would you care to explain exactly what you are implying about htmlentities? You make it sound like it is a silly function and isn't protecting anything, but I bet that is not what you mean.
As with most functions, it's about context. So please explain when you would and would not use htmlentities. If I echo out a variable to HTML, I always use htmlentities.
Re: Protecting Meta Redirect?
Posted: Thu Apr 30, 2009 9:17 am
by kaisellgren
matthijs wrote:Would you care to explain exactly what you are implying about htmlentities. You make it sound like it is a silly function and isn't protecting anything, but I bet that is not what you mean.
No functions in PHP are silly. Only the way you use them may be.
matthijs wrote:So please explain when and when not you'd use htmlentities.
All it does is encode the data passed into it. It is not always enough to protect against XSS attacks. For instance, if you "echo" a variable into an attribute value, using htmlentities() is not the right approach.
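The two points made in this thread, that encoding alone lets a data: URL straight through a meta refresh and that the redirect target should be checked against a whitelist before it is output, can be combined into one small validator. The code below is an added example written for this page, not code posted by any participant: it parses the candidate URL, accepts only http/https with a host from an allowlist (the hosts and sample inputs are constructed for illustration), and only then applies attribute-context encoding when building the element.

```php
<?php
// Added example (not from the thread): whitelist-validate a redirect target before
// placing it in <meta http-equiv="refresh">. ALLOWED_HOSTS is a constructed sample list.

const ALLOWED_HOSTS = ['localhost', 'www.example.com'];

/**
 * Return the candidate as a safe absolute URL, or null if it is rejected.
 * Only http/https schemes with a whitelisted host pass, so data: and any other
 * scheme, protocol-relative and partial URLs, and unknown hosts never reach the page.
 */
function safeRedirectUrl(string $candidate): ?string
{
    $candidate = trim($candidate);
    if ($candidate === '' || strlen($candidate) > 2048) {
        return null;
    }
    // Raw control characters or whitespace have no place inside a URL.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    // Final syntactic check using PHP's built-in URL filter.
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $candidate;
}

/**
 * Build the meta element. Encoding is still applied because the value sits in an
 * attribute, but it comes after validation: encoding by itself would pass a
 * data: URL through unchanged, exactly as shown earlier in the thread.
 */
function metaRefresh(string $candidate, string $fallback = 'http://localhost/'): string
{
    $url = safeRedirectUrl($candidate) ?? $fallback;
    return '<meta http-equiv="refresh" content="4;url='
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample inputs: two acceptable targets, then the data: payload from the
// thread, an off-list host, and a protocol-relative URL. Only the first two pass.
$samples = [
    'http://localhost/Version%202.9.A.3/web/css3',
    'https://www.example.com/page?a=1&b=2',
    'data:text/html;base64,PHNjcmlwdD5hbGVydCgnSkFCIENyZWF0aW9ucycpPC9zY3JpcHQ+',
    'http://other.example.net/',
    '//other.example.net/',
];
foreach ($samples as $s) {
    $verdict = safeRedirectUrl($s) === null ? 'REJECTED' : 'ok';
    echo str_pad($verdict, 9), $s, PHP_EOL, '    ', metaRefresh($s), PHP_EOL;
}
```

Because the check is a whitelist of scheme and host rather than a search for bad strings, a new scheme or encoding trick does not widen the hole; anything that is not an absolute http/https URL on a known host falls back to the default target. The htmlspecialchars() call is kept so that characters such as & or quotes in a legitimate query string cannot break out of the content attribute.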