[26703] in bugtraq


Re: PHP-Nuke v5.6 - Users can compromise admin accts.

daemon@ATHENA.MIT.EDU (Konstantin Riabitsev)
Fri Aug 16 17:04:24 2002

From: Konstantin Riabitsev <icon@phy.duke.edu>
To: "<-delusion->" <delusi0n@bellsouth.net>
In-Reply-To: <000b01c244c2$875d5460$0100a8c0@winxp>
Date: 16 Aug 2002 15:40:23 -0400
Message-Id: <1029526823.28100.14.camel@hagrid>
Mime-Version: 1.0


On Thu, 2002-08-15 at 21:16, <-delusion-> wrote:
> Jelmer's accusation that my proposed fix is flawed is wrong. He demonstrates
> code that uses the <a> tag; if you look at my solution:
> 
> $message = strip_tags($message, '<br><b><u><i>');
> 
> 
> The <a> tag is not allowed. Only the tags <br><b><u><i> are allowed. I did
> talk to Jelmer and told him my solution successfully stripped the tags from
> his code; he replied with this message:
> 
> > <?php
> > $myText = '<a done=false STYLE="visibility : hidden; word-spacing :
> > expression( !(eval(this.done)) ? location.href=\'http://kuperus.xs4all.nl\'
> > : 0 ); word-wrap : expression(this.done=true);"> test</a>';
> > $string = strip_tags($myText, '<a><b><i><u>');
> > echo $string;
> >
> > ?>
> >
> > works on my php 4.06
> 
> He uses this string:
> $string = strip_tags($myText, '<a><b><i><u>');
> which allows the <a> tag, so therefore his code got executed when he ran it.
> 
> It was just a mistake on Jelmer's part. If you seek a quick fix for this
> vuln, just use my solution. It works.

You should keep in mind the fact that <u>, <i>, and <b> tags allow
"style" attributes in them as well, meaning that the "expression" will
be evaluated and run -- you have not solved the problem at all by
disallowing the "<a>" tag.

You should look into a more in-depth solution for filtering user input
with PHP. This is the point where I blatantly push my little (ahem)
script that I wrote for just these purposes. You may adapt it to your
needs as you see fit (licensing issues notwithstanding).

http://www.mricon.com/html/phpfilter.html

Regards,
-- 
 0>  Konstantin ("Icon") Riabitsev
/ )  Duke University Physics Sysadmin
 ~   www.phy.duke.edu/~icon/pubkey.asc

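The point Riabitsev makes above, shown in code. This is an added example, not part of the original thread and not his phpfilter script: strip_tags() with an allow-list removes disallowed tags but keeps every attribute of an allowed one, so the expression() payload quoted in the thread works just as well inside <b>, <i> or <u> as it did inside <a>. The payload, the example.invalid host and the function names are constructed for this illustration; the escape-then-restore filter at the end is one generic way to allow a few formatting tags without letting any attribute through. Needs PHP 7 or later.

```php
<?php
// Added example, not code from Riabitsev's message or from his phpfilter
// script. PHP 7 or later. Everything below is constructed for illustration.

// Constructed payload: the expression() trick from the thread, moved from
// <a> onto a <b> tag that the proposed strip_tags() allow-list permits.
// example.invalid is a placeholder host.
const PAYLOAD = '<b STYLE="word-spacing: expression(alert(1))">bold</b>'
              . ' <a href="http://example.invalid/">link</a>';

// The quick fix proposed in the thread: allow <br>, <b>, <u>, <i>.
// strip_tags() drops the <a> but leaves the allowed <b> untouched,
// attributes included, so the STYLE attribute survives.
function nukeStyleFilter(string $html): string
{
    return strip_tags($html, '<br><b><u><i>');
}

// Escape-then-restore: HTML-encode the whole string, then turn back only
// the exact, attribute-less opening and closing tokens of the allowed tags.
// Because only those literal tokens are restored, no attribute (style,
// onmouseover, href, ...) and no other tag reaches the browser as markup.
// Matching is exact, so an upper-case <B> stays escaped; that is the
// conservative failure mode.
function allowPlainTags(string $html, array $tags = ['br', 'b', 'u', 'i']): string
{
    $out = htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
    foreach ($tags as $t) {
        $out = str_replace(
            ['&lt;' . $t . '&gt;', '&lt;/' . $t . '&gt;'],
            ['<' . $t . '>',       '</' . $t . '>'],
            $out
        );
    }
    return $out;
}

// Crude check used only to report the result: does any real (unescaped)
// tag in the output still carry an attribute?
function hasTagWithAttribute(string $html): bool
{
    return preg_match('/<[a-z][a-z0-9]*\s+[^>]*=/i', $html) === 1;
}

foreach (['strip_tags allow-list' => nukeStyleFilter(PAYLOAD),
          'escape-then-restore'   => allowPlainTags(PAYLOAD)] as $name => $result) {
    printf("%s:\n  %s\n  tag with attribute still present: %s\n\n",
        $name, $result, hasTagWithAttribute($result) ? 'yes' : 'no');
}
```

Running it, the first filter prints the <b STYLE="..."> tag intact with only "link" left of the anchor, and reports "yes": the allow-list never looked at attributes. The second prints the opening tag as escaped text (&lt;b STYLE=...&gt;) with only the bare </b> restored, and reports "no". The general lesson is the one in the reply: a tag allow-list on its own is not an HTML sanitizer; attributes have to be removed or allow-listed too.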

