Bugtraq mailing list archives

Re: PHP-Nuke v5.6 - Users can compromise admin accts.


From: Konstantin Riabitsev <icon () phy duke edu>
Date: 16 Aug 2002 15:40:23 -0400

On Thu, 2002-08-15 at 21:16, <-delusion-> wrote:
> Jelmer's accusation that my proposed fix is flawed is wrong. He demonstrates
> code that uses the <a> tag; if you look at my solution:
> 
> $message = strip_tags($message, '<br><b><u><i>');
> 
> The <a> tag is not allowed. Only the tags <br><b><u><i> are allowed. I did
> talk to Jelmer and told him my solution successfully stripped the tags from
> his code; he replied with this message:
> 
> <?php
> // Jelmer's test string: the STYLE attribute carries an IE expression() payload.
> $myText = '<a done=false STYLE="visibility : hidden; word-spacing :
> expression( !(eval(this.done)) ?
> location.href=\'http://kuperus.xs4all.nl\'
> : 0 ); word-wrap : expression(this.done=true);"> test</a>';
> // <a> is on the allowed list here, so the tag survives with all its attributes.
> $string = strip_tags($myText, '<a><b><i><u>');
> echo $string;
> ?>
> 
> works on my php 4.06
> 
> He uses this string..
> $string = strip_tags($myText, '<a><b><i><u>');
> which allows the <a> tag, so therefore his code got executed when he ran it.
> 
> It was just a mistake on Jelmer's part. If you seek a quick fix for this
> vuln, just use my solution. It works.

You should keep in mind the fact that <u>, <i>, and <b> tags allow
"style" attributes in them as well, meaning that the "expression" will
be evaluated and run -- you have not solved the problem at all by
disallowing the "<a>" tag.

You should look into a more in-depth solution for filtering user input
with PHP. This is the point where I blatantly push my little (ahem)
script that I wrote for just these purposes. You may adapt it to your
needs as you see fit (licensing issues notwithstanding).

http://www.mricon.com/html/phpfilter.html

Regards,
-- 
 0>  Konstantin ("Icon") Riabitsev
/ )  Duke University Physics Sysadmin
 ~   www.phy.duke.edu/~icon/pubkey.asc
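Konstantin's point above, that strip_tags() filters on tag names only and leaves every attribute on the tags it keeps, as an added example that is not part of this thread, of PHP-Nuke or of the phpfilter script. It assumes PHP 7 or later; the function names, the allowed-tag list and the sample string are my own.

```php
<?php
// Added example: strip_tags() filters on tag *names* only, so any attribute
// on an allowed tag (style, onclick, ...) survives untouched.
// The second filter rewrites every surviving tag to its bare name.

function naive_filter(string $message): string
{
    // The allowlist fix proposed in the thread.
    return strip_tags($message, '<br><b><u><i>');
}

function attribute_free_filter(string $message, array $allowed = ['br', 'b', 'u', 'i']): string
{
    // Step 1: drop every tag that is not on the allowlist.
    $stripped = strip_tags($message, '<' . implode('><', $allowed) . '>');

    // Step 2: rewrite each remaining allowed tag to its bare name, discarding
    // all attributes. Closing tags keep their slash; names are lowercased.
    $names   = implode('|', array_map('preg_quote', $allowed));
    $pattern = '#<\s*(/?)\s*(' . $names . ')\b[^>]*>#i';

    return preg_replace_callback($pattern, function (array $m): string {
        return '<' . $m[1] . strtolower($m[2]) . '>';
    }, $stripped);
}

// Constructed sample input: Jelmer's expression() trick moved from <a>
// onto <b>, a tag the naive allowlist accepts.
$sample = '<a href="http://kuperus.xs4all.nl">link</a> '
        . '<b STYLE="word-wrap: expression(this.done=true)">bold</b> plain';

// Print both results side by side for comparison.
echo naive_filter($sample), "\n";
echo attribute_free_filter($sample), "\n";
```

The regex rewrite only illustrates the idea; for production filtering use a parser-based sanitizer such as HTML Purifier, which tokenizes the markup instead of pattern-matching it.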
