Vulnerability Development mailing list archives
Re: CROSS SITE-SCRIPTING Protection with PHP
From: Valdis.Kletnieks () vt edu
Date: Thu, 10 Oct 2002 23:08:07 -0400
On Thu, 10 Oct 2002 23:41:34 -0000, Astalavista Baby <info () astalavista com> said:
> like to see more and better ways ?! My idea: ( I think this is not safe enough?)
>
> function make_clean($value){
>     $value = htmlspecialchars($value);
>     $value = str_replace("%2B", "", $value);
>     .... more ..
>     return $value;
> }
Wrong. You're filtering "known illegal" out, rather than refusing to pass only probably legal characters through. You can enumerate %2B, ... more ... and you're still totally screwed to the wall if you missed one (and remember that all the Unicode exploits are basically "missed one"). Worse yet, you're screwed to the wall if you have a complete list, but at a later date somebody finds a new and creative way to use a character (did you know that some Unix shells treat the ^ caret as equivalent to | pipe? ;)

I don't do PHP, but the pseudocode *should* be:

    function make_clean($value) {
        legalchars = "[a-z][A-Z][0-9] ";   // allow letters, numbers, space only
        for each char in $value
            if char not in legalchars then char = ' ';   // bogus char? Make it a blank
        end for;
        return $value;
    }

Somebody finds a way to use doublequote to inject bad data? Somebody finds a way to use asterisks or %2B? No problem - they weren't in my legalchars list to start with.

Remember - don't filter known bad chars. Filter *everything* *but* known good.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
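A runnable PHP rendering of the two approaches in this exchange, added here as an example and not code from either poster: the quoted denylist make_clean() beside an allowlist version that follows Valdis's pseudocode. The extra tokens in the denylist, the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the thread. Contrasts the quoted denylist make_clean()
// with an allowlist version implementing the pseudocode in the reply.

// Denylist: strip tokens we know are bad. Whatever is not on the list is passed
// through untouched, which is the weakness the reply points out.
function make_clean_denylist(string $value): string
{
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    $knownBad = ['%2B', '%3C', '%3E'];   // constructed, illustrative list
    foreach ($knownBad as $token) {
        $value = str_replace($token, '', $value);
    }
    return $value;
}

// Allowlist: keep only letters, digits and space; every other byte becomes a blank.
// This works byte-wise, so a multibyte UTF-8 character turns into one blank per
// byte. That is deliberate: nothing outside the listed set survives.
function make_clean_allowlist(string $value): string
{
    $legalchars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ';
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c = $value[$i];
        $out .= (strpos($legalchars, $c) !== false) ? $c : ' ';
    }
    return $out;
}

// Constructed sample inputs: a benign string, one that hits the denylist, one that
// carries characters the denylist never mentions, and one with non-ASCII letters.
$samples = [
    'hello world 42',
    'a%2Bb',
    'caret^pipe|',
    "\xC3\xA9t\xC3\xA9",   // "été" in UTF-8
];

foreach ($samples as $s) {
    printf("%-14s  denylist: %-14s  allowlist: %s\n",
        $s, make_clean_denylist($s), make_clean_allowlist($s));
}
```

Run it with `php make_clean.php`. The third sample shows the difference the reply is about: the denylist leaves `^` and `|` alone because nobody listed them, while the allowlist blanks them without anyone having anticipated them. The loop is written out to mirror the pseudocode; `preg_replace('/[^A-Za-z0-9 ]/', ' ', $value)` is the one-line equivalent. The trade-off is visible in the fourth sample: an allowlist this narrow also discards legitimate non-ASCII input, so the legal set has to be chosen per field rather than applied globally.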
Current thread:
- CROSS SITE-SCRIPTING Protection with PHP Astalavista Baby (Oct 10)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 10)
- Re: CROSS SITE-SCRIPTING Protection with PHP Marvin Simkin (Oct 11)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 12)
- RE: CROSS SITE-SCRIPTING Protection with PHP Rob Shein (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Dan Kaminsky (Oct 14)
- Hashes,File protection,etc Dave Aitel (Oct 14)
- Re: Hashes,File protection,etc Dan Kaminsky (Oct 14)
- Re: Hashes,File protection,etc Dave Aitel (Oct 14)