Bugtraq mailing list archives
Re: PHP-Nuke v5.6 - Users can compromise admin accts.
From: Konstantin Riabitsev <icon () phy duke edu>
Date: 16 Aug 2002 15:40:23 -0400
On Thu, 2002-08-15 at 21:16, <-delusion-> wrote:
> Jelmer's accusation that my proposed fix is flawed is wrong. He demonstrates a code that uses the <a> tag, if you look at my solution:
>
> $message = strip_tags($message, '<br><b><u><i>');
>
> The <a> tag is not allowed. Only the tags <br><b><u><i> are allowed. I did talk to Jelmer and told him my solution successfully stripped the tags from his code, he replied with this message:
>
> <?php
> $myText = '<a done=false STYLE="visibility : hidden; word-spacing : expression( !(eval(this.done)) ?location.href=\'http://kuperus.xs4all.nl\': 0 ); word-wrap : expression(this.done=true);"> test</a>';
> $string = strip_tags($myText, '<a><b><i><u>');
> echo $string ?>
>
> works on my php 4.06
>
> He uses this string..
>
> $string = strip_tags($myText, '<a><b><i><u>');
>
> Which allows the <a> tag. So therefore his code got executed when he ran it. It was just a mistake on Jelmer's part. If you seek a quick fix for this vuln, just use my solution. It works.
You should keep in mind the fact that <u>, <i>, and <b> tags allow "style" attributes in them as well, meaning that the "expression" will be evaluated and run -- you have not solved the problem at all by disallowing the "<a>" tag.

You should look into a more in-depth solution for filtering user input with PHP. This is the point where I blatantly push my little (ahem) script that I wrote for just these purposes. You may adapt it to your needs as you see fit (licensing issues notwithstanding).

http://www.mricon.com/html/phpfilter.html

Regards,
--
  0>  Konstantin ("Icon") Riabitsev
 / )  Duke University Physics Sysadmin
  ~   www.phy.duke.edu/~icon/pubkey.asc
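The behaviour this reply describes, as an added example (not part of the original message and not the phpfilter script it links to): strip_tags() with the quoted allow-list keeps attributes on the allowed tags, shown beside one stricter approach. The sample input and the helper name allow_bare_tags are constructed for illustration.

```php
<?php
// Constructed sample input: allowed tags, one of them carrying a style attribute.
$message = '<b style="word-spacing: expression(0)">bold</b> '
         . '<a href="#">link</a> <i>plain</i><br>';

// The quoted fix: a tag allow-list. <a> is removed, but attributes on the
// allowed tags pass through untouched.
$weak = strip_tags($message, '<br><b><u><i>');

// Hypothetical helper: escape all markup, then turn back only the
// attribute-free forms of the allowed tags (<b>, </b>, <br>, <br />).
function allow_bare_tags(string $input, array $tags): string
{
    $escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    $names   = implode('|', array_map('preg_quote', $tags));
    $pattern = '#&lt;(/?(?:' . $names . '))\s*/?&gt;#i';
    return preg_replace($pattern, '<$1>', $escaped);
}

$strict = allow_bare_tags($message, ['br', 'b', 'u', 'i']);

$results = ['strip_tags allow-list' => $weak, 'escape then restore' => $strict];
foreach ($results as $label => $html) {
    // A "style=" inside a real (unescaped) tag means the attribute survived.
    $attrSurvived = preg_match('#<[a-z]+\s[^>]*style\s*=#i', $html) === 1;
    printf("%-22s attribute kept: %s\n  %s\n", $label, $attrSurvived ? 'yes' : 'no', $html);
}
```

In the second result the attribute-bearing opening tag is rendered as literal text, so its closing `</b>` is left unmatched; a production filter would also balance tags.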