Preventing Script Injection via BBcode

[ole90]

I'm trying to stop users from doing something like this:

Code:

[ I M G ]http://www.mysitename.com/logout.php [/imge]

or stuff like;

Code:

 [I M G ]http://www.hacker.com/freehacks[/imge]

(the bbcode is normal img [] tag, i just had to do the above because vb was showing it up blank)

I currently do this:

PHP Code:


function isImage($matches) {
$im = $matches['1'];
//Make sure $im is an image and not some script
if(script) {
$re= "bad code";
} else {
$re = "<img src='".$im."' style='border:0px;'>";
}
return $re;
}

function bbcode($text) {
$text = preg_replace_callback("'/\[img\](.*?)\[\/img\]/is'","isImage",$text);
} 


So what I'm trying to do is find some kind of way to validate the input between the [img] tags. The isImage function should do this, I just have no clue on how to do it. I thought about getting the extention of the url, but then users can simple just change it .gif when really its a .php.

Is there something like

PHP Code:

if (list($width, $height, $type, $attr) = @getimagesize($im)) {
echo"is an image";
} else {
echo"error";
} 


That doesn't work with URLs, just file uploads.

Any help on this would be greatly appriciated Thanks!

[logic_earth]

Actually you really do not need to do anything. As long as you set it as a source for an img element you are golden. If it really is not an image then the browser will not display it and consider it an error.

It is infact very easy to make a file be seen as an image but contain other data. However if one displays or uses that image as an image that data is never executed.

With that in mind, it allows for stuff like this: http://www.durhamgames.com/ichwm.htm

[crmalibu]

Even though you could download the image contents located at that url, whose to say they don't wait 1 day and then change the contents to something malacious?

This is why a lot of forums don't allow linking of media. You upload it, then you can inspect it for validity, and then you host it on your own server.

[ole90]

Actually you really do not need to do anything. As long as you set it as a source for an img element you are golden. If it really is not an image then the browser will not display it and consider it an error.
[/URL]

Hey thanks for replyign .

Well, a user manage to input this between img tags:

http://www.mysite.com/buyanitem.php?itemid=2929

and this was put into there signature, so whenever someone view it, they would end up buying the item. Of course, I could just make it so you need to send post data to that link- but its still a concern that it worked.

If i'm understanding you correctly and you say image source, you mean like img src='url'> right?

I'm still looking for a more concrete way of stopping urls :X This forum uses bbcode - they don't seem to be getting exploited, so there must be a way for me to do it :P

[logic_earth]

Hey thanks for replyign .

Well, a user manage to input this between img tags:

http://www.mysite.com/buyanitem.php?itemid=2929

You have other problems then if a user can buy something just by having there browser visit that page...

[ole90]

I know- I am working on that XP

But It still doesn't change the fact that they can input URLs into the IMG tags and have them execute as if they ran them from a browser :X

Sorry I'm not trying to be rude, just looking to see if I can patch it :X I'm surrree there is a way to do it :X

[logic_earth]

Well the simple way is not to allow images at all.

[ole90]

Which isn't really practicle X) How do VB forums manage to do it?

[crmalibu]

If you look at this forum's logout link as an example, they require a logout_hash to be present. The script generates this difficult to guess string and keeps track of it. If a logout is attempted without a logout_hash, it simply doesn't perform the operation. It also makes sure that the hash was actually something it issued for a given logged in user.

The good thing here is, I can't post a link to the logout url and trick you into clicking it. Well, I could, but you wouldn't actually get logged out because the system would realize the hash is not a hash that was issued to your username/session.

This has a benefit over just making your logout script require a post request. With a post request, I could just post a link to a webpage on my website. On that webpage, I could have a form with a submit button that I entice you to click. And the form posts to your logout script, and you get logged out. Or maybe I made you buy something...The form submission could even be automated with javascript, requiring you to do nothing more than visit the webpage.

This is called a cross site request forgery(csrf). You need to read up and defend against this.

You also probably have some serious xss vulnerabilities if that code you posted earlier is repesentive of what you're really using as a bbcode system.

[ole90]

Hmm Okay, so I updated the script to check for an image using getimagesize(); function, but now a user can load an image from another site and use mod_rewrite or something to that effect which will make the image load a script. Any ideas around this x.x?

[SituationSoap]

PHP Code:

//Assuming the image uploaded is loaded in $_POST['uploadedimage']

if(filter_var($POST['uploadedimage'], FILTER_VALIDATE_URL) == true)
{
    throw new Exception("You can't upload URLs as Images!");
}
else
{
    uploadimage($_POST['uploadedimage']);
} 


I'm not familiar with BBCode or how their tagged source comes into the system, but that *will* stop the exploit you're looking at there.

[longneck]

PHP Code:

//Assuming the image uploaded is loaded in $_POST['uploadedimage']

if(filter_var($POST['uploadedimage'], FILTER_VALIDATE_URL) == true)
{
    throw new Exception("You can't upload URLs as Images!");
}
else
{
    uploadimage($_POST['uploadedimage']);
} 


I'm not familiar with BBCode or how their tagged source comes into the system, but that *will* stop the exploit you're looking at there.

no, it won't.

ole90- what you're asking for is impossible. you can't check to see what a URL returns without actually retrieving that URL. full stop. done. do not pass go, do not collect $200.

as others have suggested, using GET for things like adding to a shopping cart is a bad idea exactly for this reason. anything that makes interesting changes should always be done via POST.

[SituationSoap]

no, it won't.

Elaborate? This will stop anything that's being posted into the IMG section that matches a URL to throw an exception. Is PHP's URL filtering incomplete or poor? I'm honestly interested in your answer.

Though, I will agree with the rest of your statement: using GET to actually change something is a patently bad idea.

[crmalibu]

I think uploadimage() is intended to mean something to the nature of copy() to save the image to the filesystem locally, and then host the file, linking to your own domain in the img tags.

This would solve the problem being refered to(the remote site later changing the http response issued by the url). But it would introduce a whole slew of new security issues that would need to be solved.

[ole90]

Alright thanks for all your help -grumbles about php functions- :P