Everything posted by NotionCommotion

  1. I am sure this is a terrible idea and it was just for fun, but I would still appreciate a review of gaping security threats. Thank you

     The calling script:

         <?php
         require_once('parser.php');
         $parser=new parser();
         $results=$parser->makeTemplate('template.html');
         echo ($results).'<hr>';
         require_once('template_child.php');
         $template=new template_child(array('color'=>'red','dog'=>'ONE','name'=>'Burt'));
         $template->displayTemplate();

     template.html

         <div>
         <p>bla bla bla</p>EOD
         <p>Once there was a {{ color }} {{ animal }}.</p>
         <p>It's name was {{ name }}.</p>
         <p>The End!</p>
         <p>'</p>
         <p>/'</p>
         <p>'"</p>
         <p>{{ $this->bomb() }}</p>
         <p>{$this->bomb()}</p>
         <p>{\$this->bomb()}</p>
         <p>{\\$this->bomb()}</p>
         <p>{\\\$this->bomb()}</p>
         </div>
         <?php echo('I am a bad guy!');?>

     parser.php

         <?php
         class parser{
             public function makeTemplate($template){
                 if($template = file_get_contents($template) ){
                     // Change following line to only add a backslash if the dollar sign currently has zero or an even number of preceding backslashes
                     $template = str_replace(['\\','$'], ['', '\$'], $template);
                     // Pick a heredoc delimiter that does not occur in the template text
                     $deliminator=$this->getDeliminator($template);
                     // Turn {{ name }} into a method call that the generated heredoc will interpolate
                     $template = preg_replace('/{{ (\w+) }}/', '{$this->getValue("$1")}', $template);
                     $template_class = <<<EOD
         <?php
         require_once('template.php');
         class template_child extends template {
             public function displayTemplate() {
                 echo <<< $deliminator
         $template;
         $deliminator;
             }
         }
         ?>
         EOD;
                     $results=file_put_contents("template_child.php",$template_class);
                     return $results?'Success':'Failed to store template';
                 } else {return 'missing file';}
             }
             private function getDeliminator($template,$deliminator='EOD'){
                 if(strpos($template, $deliminator)===FALSE){
                     return $deliminator;
                 } else {return $this->getDeliminator($template,$deliminator.rand(0,9));}
             }
         }

     template.php

         <?php
         class template {
             protected $data=array();
             public function __construct(array $data=null) {
                 if($data){$this->data=$data;}
             }
             protected function getValue($name) {
                 return (isset($this->data[$name])?$this->data[$name]:null);
             }
             public function bomb() {
                 exit('kaboom!');
             }
         }
  2. It works for me. Maybe some sort of folder permission issue?
  3. Try changing your form? <form action="uploader.php" method="post" enctype="multipart/form-data"> Upon further review, I see you are posting the URL and not the file, so the above isn't applicable. Why do you wish to do it your way? Also, you really want to allow the user to upload .exe files?
  4. If the 3rd party script is known to have vulnerabilities, I would expect the developer has some responsibility. Agree I should have used the word "developer" and not "designer". My scenario is whether a developer has to take measures to prevent presumably authorized users from misusing the application. Specifically, Bob is responsible for all content on bob.sites.example.com and Mary is responsible for all content on mary.sites.example.com. If I allow them to include JavaScript in the content, they can easily implement XSS. My belief is that allowing them to do so is acceptable provided the terms and conditions prohibit them from using the application other than what it was intended for. I do feel it is an interesting topic, and hope to hear other opinions. Thank you
  5. http://forums.phpfreaks.com/topic/297479-who-is-legally-responsible-for-xss-vulnerabilities/
  6. Domain name registrar? The prime web designer if there was a flaw anywhere in the application? A sub web designer if they were responsible for the flaw? The entity who issued the domain name? The individual who maintains the site? The VPS service provider? The browser client vendor? The victim? The CMS vendor if they allow the site owners to post JavaScript? The CMS vendor if there is a flaw in a plug-in? A web designer who uses a framework or CMS backbone which contains a flaw? The search engine provider who provided a link to the malicious site? The individual that posted the malicious content? Someone else?
  7. Lawyers! I deal with them way too much! I do still think it is worthy of further dialog, but expect here is not the place. If anyone disagrees, please advise and I will post scenarios.
  8. Good that Apache will never parse an image through PHP. You absolutely sure? So, I need not worry about verifying uploaded images are what their extension suggests they are? For the record, I am a big fan of Twig, and agree overhead is fairly low. I am not trying to reinvent it, but if for a specific niche application I don't need all its functionality and I have unlimited time to come up with something else, why use it? EDIT to your EDIT. I will check out the sandbox mode. Thanks! In regards to XSS exploits with CSS as well as previously mentioned JavaScript, this definitely exceeds the scope of my question. I do, however, think it is interesting and worth discussion. Is this forum appropriate? I've since done a little research, and it seems the jury is out. Who is the responsible party? The individual that posted the content, the web designer, the domain name owner, the entity who issued the domain name, the individual who maintains the site, the person who has the most money, etc, etc? Let me know if you think I should post a specific question related to this topic on this forum. Thanks
  9. Thanks scootstah, Wow, heard of images containing php, but didn't know they would pass a MIME check. What if it wasn't include()'d, but just requested by a URL through Apache? Would the PHP still execute? I am considering QuickOldCar's idea of HTML under my control, but CSS under the user's control. That, however, still has some risk. When I was dumber, I remember thinking how cool it was to parse CSS and even JS. If a server was configured to parse CSS, that would be a very bad thing. Other than PHP parsing a CSS file, are there other potential threats of allowing user uploaded CSS files? In regards to Twig, for my immediate need, I do not require the overhead. If Twig is considered safe, I believe there is no reason a super simple template system could be made just as safe.
  10. Back to the original topic. I still don't understand what could be dangerous by include()'ing user provided script provided it doesn't have any PHP tags. Would like to know why people think it is. Just because I don't see it, however, I agree it probably isn't smart. EDIT. Maybe there is some script in the file other than PHP which will somehow be executed? Twig does it slightly differently. Given the following user provided HTML, it will create a file which includes the following method. Is this any safer? If so, why? Thanks

      <div>
      <p>bla bla bla</p>
      <p>Once there was a {{ color }} {{ animal }}.</p>
      <p>It's name was {{ name }}.</p>
      <p>The End!</p>
      </div>
      <?php echo('I am a bad guy!');?>

      protected function doDisplay(array $context, array $blocks = array())
      {
          // line 1
          echo "<div>
      <p>bla bla bla</p>
      <p>Once there was a ";
          // line 3
          echo twig_escape_filter($this->env, (isset($context["color"]) ? $context["color"] : null), "html", null, true);
          echo " ";
          echo twig_escape_filter($this->env, (isset($context["animal"]) ? $context["animal"] : null), "html", null, true);
          echo ".</p>
      <p>It's name was ";
          // line 4
          echo twig_escape_filter($this->env, (isset($context["name"]) ? $context["name"] : null), "html", null, true);
          echo ".</p>
      <p>The End!</p>
      </div>
      <?php echo('I am a bad guy!');?>";
      }
  11. There will be terms and conditions requiring the subscribed users to abide to all laws as well as other guidelines. This is no different than if I was selling physical servers or an Internet provider. Script will be in place to prevent general users (i.e. non-subscribed users) from posting any malicious content. The subscribed users will likely, however, be allowed to upload JavaScript. If this is the case, what can be done?
  12. Maybe "concerned" isn't the right word. It is just not my responsibility, and I am not going to do anything about it. The responsibility lies upon the maintainers of the individual subdomains who will be the only ones to upload script as I described in my original post.
  13. > I wouldn't let anyone upload code to the server.

      Agree with PHP, but obviously other content is often allowed. I wish to limit to HTML.

      > Are you doing a multiple subdomain/websites?

      Yes. I am concerned about cross subdomain JavaScript issues, but I believe user1.sites.example.com is fully isolated from user2.sites.example.com. I am not concerned about user1 publishing JavaScript which is malicious to individuals visiting user1.sites.example.com.

      > If so have a default css file and let them edit that if anything and image uploads if required. Ever consider making your own theme/templating system? Create a variety of layouts and styles the user can select and further edit just css and images. Could make it they name their customized versions and those are saved.

      Humm, Maybe. Let me mull it over.

      > Can go crazy and make your own html builder.
  14. Not trying to be pushy, but would really appreciate some advice. Thank you
  15. By the way Micard, you should consider using PDO. If you do, you will never want to go back.
  16. All of it except the below would come from me, and is presumed safe:

      <div>
      <p><?php $obj->getSomething(1);?></p>
      <p><?php $obj->getSomething(2);?></p>
      <img src="images/bla.png" alt="bla" />
      <script>alert('hello');</script>
      </div>

      The above part comes from the user provided templates.html file I described in my initial post, and should be considered suspect. I would first confirm that templates.html doesn't have any PHP tags, and then use regex or similar to replace {{1}} and {{2}} with <?php $obj->getSomething(1);?> and <?php $obj->getSomething(2);?> to create it. My primary need is to prevent a malicious user from executing any unintended PHP either within this file, or by disguising a PHP file as an image. My concern was that they maybe they could encode the PHP tags and it somehow gets past my validation.
  17. I just read your error message, and didn't realize you were doing an INSERT statement. As MacGyver indicated, INSERT doesn't support WHERE (however, you could do a SELECT with a WHERE which gets inserted). I was pointing out that AFAIK your various WHERE clauses should be concatenated with AND or OR, and not commas.
  18. 'WHERE username = 'Micard' AND password = '21232f297a57a5a743894a0e4a801fc3'
  19. User uploads a script called "templates.html" such as the following plus a bunch of images:

      <div>
      <p>{{1}}</p>
      <p>{{2}}</p>
      <img src="images/bla.png" alt="bla" />
      <script>alert('hello');</script>
      </div>

      PHP parses the templates.html and creates a new file called "index.php" which is as follows

      <!DOCTYPE html>
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <title>Testing</title>
      <link href="xyz.css" type="text/css" rel="stylesheet" />
      <script src="xyz.js" type="text/javascript"></script>
      </head>
      <body>
      <div>
      <?php $obj->getSomeNonUserProvidedStuff();?>
      </div>
      <div>
      <p><?php $obj->getSomething(1);?></p>
      <p><?php $obj->getSomething(2);?></p>
      <img src="images/bla.png" alt="bla" />
      <script>alert('hello');</script>
      </div>
      </body>
      </html>

      The file is stored in a location which is publicly accessible with http: //theUsersSpace.sites.example.com/index.php To be secure, I will confirm that there are no PHP tags in templates.html. I will validate uploaded image extensions as well as use finfo. It is my understanding that JavaScript risk is limited to only the user's space. Am I missing anything? Thanks
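The approach debated in posts 1, 16 and 19 (turning a user-supplied templates.html into a .php file and relying on a check for PHP tags) has a defensive alternative: keep the template as plain data and substitute values at render time. The PHP below is an added example written for this page, not code from any of the posts; it assumes the {{1}}, {{2}} placeholder syntax of post 19, uses token_get_all() as the upload-time PHP check, and the sample template is constructed here.

```php
<?php
// Added example (not from the posts): render a user-supplied template as data
// instead of compiling it into index.php. Placeholder syntax {{1}}, {{2}} and
// the sample template below follow post 19; everything else is assumed here.

// Detect embedded PHP with PHP's own lexer rather than a regex on "<?php":
// any token that is not inline HTML (open tags, "<?=", code) means the file
// contains PHP and should be rejected at upload time.
function containsPhpCode(string $template): bool
{
    foreach (token_get_all($template) as $token) {
        if (is_array($token) && $token[0] !== T_INLINE_HTML) {
            return true;
        }
    }
    return false;
}

// Replace {{n}} with the HTML-escaped value for slot n. The template text is
// never written to a .php file, include()d or eval()ed, so "<?php ... ?>"
// inside it is emitted as text and is not executed on the server.
function renderTemplate(string $template, array $values): string
{
    return preg_replace_callback(
        '/\{\{(\d+)\}\}/',
        function (array $m) use ($values): string {
            $value = (string) ($values[(int) $m[1]] ?? '');
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );
}

// Constructed sample upload, mirroring the template from post 19 plus the
// "bad guy" line from post 1.
$userTemplate = "<div>\n"
    . "  <p>{{1}}</p>\n"
    . "  <p>{{2}}</p>\n"
    . "  <img src=\"images/bla.png\" alt=\"bla\" />\n"
    . "</div>\n"
    . "<?php echo('I am a bad guy!');?>\n";

// Upload-time check: true here, so this file would be refused.
var_dump(containsPhpCode($userTemplate));

// Render-time substitution. Slot 2 carries a quote and angle brackets to show
// that values are escaped even though they come from the application.
echo renderTemplate($userTemplate, [1 => 'Burt', 2 => "Bob's <dog>"]);
```

Images uploaded alongside the template still depend on the web server being configured not to hand files in the upload directory to PHP, which this example does not cover.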
  20. First, confirm that your ajax request is in fact making a request to the server. Are you getting the "test" response? Also, consider putting a syslog(LOG_INFO,"bla"); in your server script to confirm. Also, make sure there are not any cross domain issues. I wouldn't expect so if your requests are actually accessing the server. Consider changing from GET to POST as you are actually changing the state of the server. Next, make sure your server is receiving the same session cookie whether a page reload or ajax request. Unless you changed the cookie name, it should be $_COOKIE['PHPSESSID']. Confirm that your main page reloads are setting up the session the same way. If all else fails, you might want to look into the HTTPOnly flag: https://www.owasp.org/index.php/HTTPOnly
  21. Thanks ChOcu3R. Guess I won't change yet. Keep expecting some kick ass functionality to be added to PHP's native email functions so a 3rd party class isn't needed like phpass.
  22. I've been using phpmailer for a while. Seems to work fine. Is it still considered a good solution, or is something else recommended?
  23. Thanks MacGyver. Looks like I went to a lot of trouble for nothing. How can I confirm the results are in fact being cached?
  24. Wow! Never knew that the DB would cache queries, but I guess it makes sense. So, do I "check" the query cache to see if it was changed? Or just do my big query every time, and rely on the DB to optimize the results?
  25. @Barand, Obviously one needs to escape for SQL injection. Been using PDO and prepared statements for a while, so maybe I am getting lax. I did a quick test and stored "mom's house" using PDO, and then went to the shell and viewed the data and it didn't have a backslash. What am I missing? @Rwigs. Originally I thought you were escaping the HTML before inserting in your DB. Typically you want to escape upon presentation.