  1. #1
    SitePoint Addict bronze trophy | Joined Sep 2005 | Posts: 323 | Mentioned: 5 post(s) | Tagged: 0 thread(s)

    Preventing Script Injection via BBcode

    I'm trying to stop users from doing something like this:

    Code:
    [ I M G ]http://www.mysitename.com/logout.php [/imge]
    or stuff like:

    Code:
    [ I M G ]http://www.hacker.com/freehacks[/imge]
    (the bbcode is the normal [img] tag; I just had to do the above because vB was showing it blank)

    I currently do this:

    PHP Code:

    function isImage($matches) {
        $im = $matches[1];
        // Make sure $im is an image and not some script.
        // isScript() is the check the poster is asking how to write; it does not exist yet.
        if (isScript($im)) {
            $re = "bad code";
        } else {
            $re = "<img src='" . $im . "' style='border:0px;'>";
        }
        return $re;
    }

    function bbcode($text) {
        $text = preg_replace_callback('/\[img\](.*?)\[\/img\]/is', "isImage", $text);
        return $text;
    }

    So what I'm trying to do is find some kind of way to validate the input between the [img] tags. The isImage function should do this, I just have no clue on how to do it. I thought about getting the extension of the URL, but then users can simply just change it to .gif when really it's a .php.

    Is there something like

    PHP Code:
    if (list($width, $height, $type, $attr) = @getimagesize($im)) {
        echo "is an image";
    } else {
        echo "error";
    }

    That doesn't work with URLs, just file uploads.

    Any help on this would be greatly appreciated. Thanks!
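A hardened form of the [img] handler from this post, added here as an example (it is not the poster's code or vBulletin's). It validates the URL's shape before use and escapes it in the HTML attribute; the query-string refusal is a policy choice of this example. It does not, and cannot, check what the remote server will actually return for the URL.

```php
<?php
// Added example, not the poster's code: a hardened version of the [img]
// handler shown in the question. It validates the URL's shape (scheme, host,
// no query string) and escapes it before use in an HTML attribute. It does not
// and cannot check what the remote server will actually return for the URL.

function safeImageUrl(string $url): ?string
{
    $url = trim($url);
    // Must be a syntactically valid absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    // Only plain web URLs: this refuses javascript:, data:, file: and the rest.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    // Policy choice (an assumption of this example): no query string, which is
    // where the buyanitem.php?itemid=... link carried its parameters.
    if (isset($parts['query'])) {
        return null;
    }
    return $url;
}

function renderImgTag(array $matches): string
{
    // $text was escaped before matching, so undo that to validate the raw URL.
    $raw = html_entity_decode($matches[1], ENT_QUOTES, 'UTF-8');
    $url = safeImageUrl($raw);
    if ($url === null) {
        // Leave the (already escaped) tag as visible text instead of a link.
        return $matches[0];
    }
    // Escaping here closes the quote break-out in the original handler.
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="" style="border:0">';
}

function bbcodeToHtml(string $text): string
{
    // Escape everything first, so user text can never become markup, then
    // convert the one permitted tag back into HTML.
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback('/\[img\](.*?)\[\/img\]/is', 'renderImgTag', $text);
}

// Constructed inputs for demonstration.
$samples = [
    '[img]https://example.com/logo.png[/img]',                      // allowed
    '[img]javascript:void(0)[/img]',                                // bad scheme
    '[img]http://www.example.com/buyanitem.php?itemid=2929[/img]',  // query string
    "[img]http://example.com/it's.png[/img]",                       // quote gets escaped
    '[img]ftp://example.com/x.png[/img]',                           // bad scheme
];
foreach ($samples as $sample) {
    echo bbcodeToHtml($sample), "\n";
}
```

Escaping the whole text first and then re-enabling the single allowed tag is the order that keeps the parser safe by default; anything the callback rejects simply stays as inert text.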

  2. #2
    logic_earth (. shoooo... silver trophy) | Joined Oct 2005 | Location: CA | Posts: 9,013 | Mentioned: 8 post(s) | Tagged: 0 thread(s)
    Actually you really do not need to do anything. As long as you set it as a source for an img element you are golden. If it really is not an image then the browser will not display it and consider it an error.

    It is in fact very easy to make a file be seen as an image but contain other data. However, if one displays or uses that image as an image, that data is never executed.

    With that in mind, it allows for stuff like this: http://www.durhamgames.com/ichwm.htm
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    SitePoint Wizard bronze trophy | Joined Jul 2008 | Posts: 5,757 | Mentioned: 0 post(s) | Tagged: 0 thread(s)
    Even though you could download the image contents located at that URL, who's to say they don't wait 1 day and then change the contents to something malicious?

    This is why a lot of forums don't allow linking of media. You upload it, then you can inspect it for validity, and then you host it on your own server.

  4. #4
    SitePoint Addict bronze trophy | Joined Sep 2005 | Posts: 323 | Mentioned: 5 post(s) | Tagged: 0 thread(s)
    Quote Originally Posted by logic_earth View Post
    Actually you really do not need to do anything. As long as you set it as a source for an img element you are golden. If it really is not an image then the browser will not display it and consider it an error.
    Hey thanks for replying.

    Well, a user managed to input this between img tags:

    http://www.mysite.com/buyanitem.php?itemid=2929

    and this was put into their signature, so whenever someone viewed it, they would end up buying the item. Of course, I could just make it so you need to send POST data to that link, but it's still a concern that it worked.

    If I'm understanding you correctly and you say image source, you mean like <img src='url'> right?

    I'm still looking for a more concrete way of stopping URLs :X This forum uses bbcode - they don't seem to be getting exploited, so there must be a way for me to do it :P

  5. #5
    logic_earth (. shoooo... silver trophy) | Joined Oct 2005 | Location: CA | Posts: 9,013 | Mentioned: 8 post(s) | Tagged: 0 thread(s)
    Quote Originally Posted by ole90 View Post
    Hey thanks for replying.

    Well, a user managed to input this between img tags:

    http://www.mysite.com/buyanitem.php?itemid=2929
    You have other problems then if a user can buy something just by having their browser visit that page...


  6. #6
    SitePoint Addict bronze trophy | Joined Sep 2005 | Posts: 323 | Mentioned: 5 post(s) | Tagged: 0 thread(s)
    I know- I am working on that XP

    But it still doesn't change the fact that they can input URLs into the IMG tags and have them execute as if they ran them from a browser :X

    Sorry I'm not trying to be rude, just looking to see if I can patch it :X I'm surrree there is a way to do it :X

  7. #7
    logic_earth (. shoooo... silver trophy) | Joined Oct 2005 | Location: CA | Posts: 9,013 | Mentioned: 8 post(s) | Tagged: 0 thread(s)
    Well the simple way is not to allow images at all.


  8. #8
    SitePoint Addict bronze trophy | Joined Sep 2005 | Posts: 323 | Mentioned: 5 post(s) | Tagged: 0 thread(s)
    Which isn't really practical X) How do vB forums manage to do it?

  9. #9
    SitePoint Wizard bronze trophy | Joined Jul 2008 | Posts: 5,757 | Mentioned: 0 post(s) | Tagged: 0 thread(s)
    If you look at this forum's logout link as an example, they require a logout_hash to be present. The script generates this difficult-to-guess string and keeps track of it. If a logout is attempted without a logout_hash, it simply doesn't perform the operation. It also makes sure that the hash was actually something it issued for a given logged-in user.

    The good thing here is, I can't post a link to the logout URL and trick you into clicking it. Well, I could, but you wouldn't actually get logged out because the system would realize the hash is not a hash that was issued to your username/session.

    This has a benefit over just making your logout script require a POST request. With a POST request, I could just post a link to a webpage on my website. On that webpage, I could have a form with a submit button that I entice you to click. And the form posts to your logout script, and you get logged out. Or maybe I made you buy something... The form submission could even be automated with JavaScript, requiring you to do nothing more than visit the webpage.

    This is called a cross-site request forgery (CSRF). You need to read up and defend against this.

    You also probably have some serious XSS vulnerabilities if that code you posted earlier is representative of what you're really using as a bbcode system.
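The logout_hash pattern described in this post, written out as a per-session CSRF token. This is an added example, not this forum's code: the session is modelled as a plain array so it runs from the command line (a real application would use $_SESSION), and the handler and form names are made up for the illustration.

```php
<?php
// Added example, not this forum's code: the "logout_hash" pattern described
// above, as a per-session CSRF token. The session is modelled as a plain array
// so the script runs from the command line; in a real app use $_SESSION.

const CSRF_KEY = 'csrf_token';

// Issue one token per session and reuse it; rotate it on login and logout.
function issueCsrfToken(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32)); // 256 random bits
    }
    return $session[CSRF_KEY];
}

// Constant-time comparison against the token this session was issued.
function verifyCsrfToken(array $session, ?string $submitted): bool
{
    if (empty($session[CSRF_KEY]) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session[CSRF_KEY], $submitted);
}

// A state-changing handler: require POST *and* a valid token. Either check
// alone is weaker. An <img src> only ever sends GET, but a form on another
// site can send POST; only the token ties the request to this user's session.
function handleLogout(array &$session, string $method, array $params): string
{
    if ($method !== 'POST') {
        return 'ignored: not a POST';
    }
    if (!verifyCsrfToken($session, $params['logout_hash'] ?? null)) {
        return 'ignored: missing or foreign logout_hash';
    }
    $session = []; // destroy the login state, and the token with it
    return 'logged out';
}

// Render the logout form with the token embedded (escaped for HTML).
function logoutForm(array &$session): string
{
    $token = htmlspecialchars(issueCsrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/logout.php">'
         . '<input type="hidden" name="logout_hash" value="' . $token . '">'
         . '<button>Log out</button></form>';
}

// Demonstration with constructed requests.
$session = ['user' => 'ole90'];
echo logoutForm($session), "\n";
$token = issueCsrfToken($session);

echo handleLogout($session, 'GET', []), "\n";                         // the [img] trick
echo handleLogout($session, 'POST', []), "\n";                        // cross-site form, no token
echo handleLogout($session, 'POST', ['logout_hash' => 'guess']), "\n"; // wrong token
echo handleLogout($session, 'POST', ['logout_hash' => $token]), "\n";  // the real form
```

The first three requests are ignored and only the last one logs the user out. The same issue-and-verify pair guards any other state-changing endpoint (the buyanitem.php case from this thread included): the token goes in a hidden form field, never in a link that could end up inside an img tag.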

  10. #10
    SitePoint Addict bronze trophy | Joined Sep 2005 | Posts: 323 | Mentioned: 5 post(s) | Tagged: 0 thread(s)
    Hmm okay, so I updated the script to check for an image using the getimagesize() function, but now a user can load an image from another site and use mod_rewrite or something to that effect which will make the image load a script. Any ideas around this x.x?

  11. #11
    SitePoint Addict | Joined Apr 2009 | Posts: 248 | Mentioned: 0 post(s) | Tagged: 0 thread(s)
    PHP Code:
    // Assuming the image uploaded is loaded in $_POST['uploadedimage']

    if (filter_var($_POST['uploadedimage'], FILTER_VALIDATE_URL) !== false) {
        throw new Exception("You can't upload URLs as Images!");
    } else {
        uploadimage($_POST['uploadedimage']); // the poster's own upload routine, not shown
    }

    I'm not familiar with BBCode or how their tagged source comes into the system, but that *will* stop the exploit you're looking at there.

  12. #12
    longneck (reads the ********* Crier, silver trophy, bronze trophy) | Joined Feb 2004 | Location: Tampa, FL (US) | Posts: 9,854 | Mentioned: 1 post(s) | Tagged: 0 thread(s)
    Quote Originally Posted by SituationSoap View Post
    PHP Code:
    // Assuming the image uploaded is loaded in $_POST['uploadedimage']

    if (filter_var($_POST['uploadedimage'], FILTER_VALIDATE_URL) !== false) {
        throw new Exception("You can't upload URLs as Images!");
    } else {
        uploadimage($_POST['uploadedimage']); // the poster's own upload routine, not shown
    }

    I'm not familiar with BBCode or how their tagged source comes into the system, but that *will* stop the exploit you're looking at there.
    no, it won't.

    ole90- what you're asking for is impossible. you can't check to see what a URL returns without actually retrieving that URL. full stop. done. do not pass go, do not collect $200.

    as others have suggested, using GET for things like adding to a shopping cart is a bad idea exactly for this reason. anything that makes interesting changes should always be done via POST.
    Check out our new Industry News forum!
    Keep up-to-date with the latest SP news in the Community Crier

    I edit the SitePoint Podcast

  13. #13
    SitePoint Addict | Joined Apr 2009 | Posts: 248 | Mentioned: 0 post(s) | Tagged: 0 thread(s)
    Quote Originally Posted by longneck View Post
    no, it won't.
    Elaborate? This will stop anything that's being posted into the IMG section that matches a URL to throw an exception. Is PHP's URL filtering incomplete or poor? I'm honestly interested in your answer.

    Though, I will agree with the rest of your statement: using GET to actually change something is a patently bad idea.

  14. #14
    SitePoint Wizard bronze trophy | Joined Jul 2008 | Posts: 5,757 | Mentioned: 0 post(s) | Tagged: 0 thread(s)
    I think uploadimage() is intended to mean something to the nature of copy() to save the image to the filesystem locally, and then host the file, linking to your own domain in the img tags.

    This would solve the problem being referred to (the remote site later changing the HTTP response issued by the URL). But it would introduce a whole slew of new security issues that would need to be solved.
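The "upload it, inspect it, then host it yourself" approach from posts #3 and #14, with the main new issues that approach introduces handled: the file type is read from the bytes rather than the client's name, size and dimensions are capped, the image is decoded and re-encoded so nothing but pixels survives (the "image that contains other data" case from post #2), and the stored filename is chosen by the server. This is an added example, not the poster's uploadimage(); it assumes the GD extension and PHP 8, and the sample upload is constructed in the script so it runs offline.

```php
<?php
// Added example, not the project's code: store an uploaded image locally after
// validating and re-encoding it. Assumes the GD extension and PHP 8.
// The sample upload at the bottom is constructed here so this runs offline.

const ALLOWED_TYPES = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;
const MAX_DIM   = 4096;

// Returns the path of the stored copy, or throws. The upload is decoded and
// re-encoded, so anything in the file other than pixel data does not survive,
// and the stored name is chosen by us, never taken from the client.
function storeUploadedImage(string $tmpPath, string $storeDir): string
{
    if (!is_file($tmpPath) || filesize($tmpPath) > MAX_BYTES) {
        throw new RuntimeException('missing or oversized upload');
    }
    // getimagesize() inspects the header bytes; the client-supplied filename
    // and Content-Type are deliberately never consulted.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    [$w, $h, $type] = $info;
    if ($w < 1 || $h < 1 || $w > MAX_DIM || $h > MAX_DIM) {
        throw new RuntimeException('unreasonable dimensions');
    }
    $im = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($im === false) {
        throw new RuntimeException('image data failed to decode');
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type]; // server-chosen name
    $dest = rtrim($storeDir, '/') . '/' . $name;
    $ok = match ($type) {
        IMAGETYPE_PNG  => imagepng($im, $dest),
        IMAGETYPE_JPEG => imagejpeg($im, $dest, 85),
        IMAGETYPE_GIF  => imagegif($im, $dest),
    };
    imagedestroy($im);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    // Serve $dest from a static directory on your own host, and point the
    // [img] tag at that URL instead of the user's original one.
    return $dest;
}

// Constructed sample upload: a real 2x2 PNG with junk appended after the image
// data, standing in for the temp file move_uploaded_file() would read from.
$tmp = tempnam(sys_get_temp_dir(), 'upload');
$sample = imagecreatetruecolor(2, 2);
imagepng($sample, $tmp);
file_put_contents($tmp, 'TRAILING-DATA-NOT-PART-OF-THE-IMAGE', FILE_APPEND);

$stored = storeUploadedImage($tmp, sys_get_temp_dir());
$survived = str_contains(file_get_contents($stored), 'TRAILING-DATA') ? 'yes' : 'no';
echo "stored as $stored; trailing data survived: $survived\n";
```

The re-encode is what makes local hosting safer than linking: the stored file is a fresh PNG/JPEG/GIF produced by the server, so a later change on the remote site is irrelevant and trailing data in the original upload is gone.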

  15. #15
    SitePoint Addict bronze trophy | Joined Sep 2005 | Posts: 323 | Mentioned: 5 post(s) | Tagged: 0 thread(s)
    Alright thanks for all your help -grumbles about php functions- :P

