  1. #1
    SitePoint Zealot
    Join Date
    Nov 2011
    Posts
    181
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    CSS uploaded by user - security risks?

    If a user can upload their own CSS for their personal page (say, a profile), are there any CSS-based vulnerabilities I should look out for? This would be stored on my server in example.com/user/profile/css/usercss.css (or something like that).

  2. #2
    The CSS Clinic is open
    Paul O'B's Avatar
    Join Date
    Jan 2003
    Location
    Hampshire UK
    Posts
    40,281
    Mentioned
    179 Post(s)
    Tagged
    6 Thread(s)
    This is not really a CSS question as such but a question so I'll move the thread.

    There could be an issue with IE where expressions are used in CSS, which could run JavaScript to cause some problems.

    At the very least, styles could be uploaded to change the look of your site using !important overrides etc., so you should always sanitize input that you receive.

  3. #3
    SitePoint Zealot
    Thanks. That's a good start. I was thinking that URLs that were specified (say, for background images) might pose a security risk as well for XSS attacks, but I am not familiar enough to say how this might occur.

  4. #4
    SitePoint Zealot
    I should also point out I don't care how the user makes a page look. They could display:none everything, and it wouldn't matter to me. I am more worried about security holes, like malicious code or something like that, taking place.

  5. #5
    SitePoint Author
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,625
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    I would read up on myspace before trying this.

    Given @import and the half-dozen other ways to arbitrarily load content from untrusted URLs I'm sure someone could find a hole somewhere. Fonts are another interesting angle -- there are lots of OS-level exploits based around font loading. The other issue is you are going down a slippery slope -- how long until users want to submit their own JavaScript?

    A much better model is to set up some templating system and let users specify safe changes to the look and feel of their pages while retaining some sort of control.

  6. #6
    SitePoint Zealot
    You are right, but it would just be for CSS. Never JavaScript. Myspace does seem to be at the forefront of this, surprisingly. I will give them a check and try to come up with a list of things to worry about. Thanks for mentioning fonts as well.

  7. #7
    SitePoint Author
    wwb_99's Avatar
    Doesn't matter -- if you request something from my evil server, I can do lots of things. And I can probably find a way to include my evil script.

    MySpace was at the forefront, but doing this ultimately hamstrung them as they could not upgrade things without breaking a key part of user experience. That and horrible security issues.

  8. #8
    SitePoint Zealot
    I won't be requesting it from another server or pointing to anything off site, but instead allowing users to upload their own CSS files.

  9. #9
    Programming Team
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,036
    Mentioned
    187 Post(s)
    Tagged
    2 Thread(s)
    So they could point to a mal-script?

  10. #10
    SitePoint Zealot
    That's the idea, actually - find out whatever attributes could allow them to do something bad, like point to a bad script, and reject any document that has them.

  11. #11
    Programming Team
    Mittineague's Avatar
    For some reason I'm thinking there are others, but for certain anything that has "url", e.g. background images, cursor, list-style-image.

  12. #12
    SitePoint Zealot
    url is all I could think of as well. I will need to do a review of all attributes and see if anything else allows pointing to an offsite file.
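
An added illustration, not code from any poster in this thread: a Python sketch of the "reject any document that has them" check from posts #10 to #12, covering only the constructs the thread names (@import, url(), IE expression(), font loading). It strips comments and decodes CSS backslash escapes before matching, since a plain substring search misses an escaped or comment-split keyword. The function names and the sample strings are assumptions made up for the example.

```python
import re

# Constructs named in the thread. Not an exhaustive list of CSS features
# that can load remote content or run script.
RISKY = {
    "@import": re.compile(r"@import\b"),
    "url()": re.compile(r"\burl\s*\("),
    "expression()": re.compile(r"\bexpression\s*\("),
    "@font-face": re.compile(r"@font-face\b"),
}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace char),
# or backslash + any single non-newline character.
_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))")


def _unescape(match):
    if match.group(1):
        cp = int(match.group(1), 16)
        valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
        return chr(cp) if valid else "\ufffd"
    return match.group(2)


def normalize(css):
    """Remove comments, decode escapes, lowercase: the form the checks run on."""
    css = _COMMENT.sub("", css)        # a comment must not split a keyword
    css = _ESCAPE.sub(_unescape, css)  # "u\72l(" becomes "url("
    return css.lower()


def find_risky_constructs(css):
    """Return the sorted names of risky constructs found in an uploaded sheet."""
    text = normalize(css)
    return sorted(name for name, pat in RISKY.items() if pat.search(text))


# Constructed sample uploads (not taken from the thread).
SAMPLES = [
    "p { color: red !important; display: none }",
    '@import "other.css";',
    "li { list-style-image: u\\72l(x.png) }",
    "div { width: expr/* c */ession(1) }",
    "@font-face { font-family: x; src: URL(f.woff) }",
]

if __name__ == "__main__":
    for sheet in SAMPLES:
        print(find_risky_constructs(sheet) or "accepted", "<-", sheet)
```

A sheet is accepted only when the returned list is empty; the first sample passes because purely cosmetic rules such as !important and display:none are not on the list.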

