Dangers of user provided script in PHP file

[NotionCommotion]

User uploads a script called "templates.html" such as the following plus a bunch of images:

 

<div>

  <p>{{1}}</p>

  <p>{{2}}</p>

  <img src="images/bla.png" alt="bla" />

  <script>alert('hello');</script>

</div>

PHP parses the templates.html and creates a new file called "index.php" which is as follows

 

<!DOCTYPE html>

<html>

    <head>

        <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

        <title>Testing</title>  

        <link href="xyz.css" type="text/css" rel="stylesheet" />

        <script src="xyz.js" type="text/javascript"></script>

    </head>

    <body>

        <div>

            <?php $obj->getSomeNonUserProvidedStuff();?>

        </div>

        <div>

            <p><?php $obj->getSomething(1);?></p>

            <p><?php $obj->getSomething(2);?></p>

            <img src="images/bla.png" alt="bla" />

            <script>alert('hello');</script>

        </div>

    </body> 

</html>

 

The file is stored in a location which is publicly accessible with http: //theUsersSpace.sites.example.com/index.php

 

 

To be secure, I will confirm that there are no PHP tags in templates.html.  I will validate uploaded image extentions as well as use finfo.  It is my understanding that JavaScript risk is limited to only the user's space.

 

Am I missing anything?  Thanks

[scootstah]

The Javascript risk is there for anyone who views the page.

 

Where does the PHP code come from in your index.php example?

[NotionCommotion]

Where does the PHP code come from in your index.php example?

 

All of it except the below would come from me, and is presumed safe:

        <div>
            <p><?php $obj->getSomething(1);?></p>
            <p><?php $obj->getSomething(2);?></p>
            <img src="images/bla.png" alt="bla" />
            <script>alert('hello');</script>
        </div>

The above part comes from the user provided templates.html file I described in my initial post, and should be considered suspect.  I would first confirm that templates.html doesn't have any PHP tags, and then use regex or similar to replace {{1}} and {{2}} with <?php $obj->getSomething(1);?> and <?php $obj->getSomething(2);?> to create it.  My primary need is to prevent a malicious user from executing any unintended PHP either within this file, or by disguising a PHP file as an image.  My concern was that they maybe they could encode the PHP tags and it somehow gets past my validation.

[NotionCommotion]

Not trying to be pushy, but would really appreciate some advice.  Thank you

[QuickOldCar]

I wouldn't let anyone upload code to the server.

 

Are you doing a multiple subdomain/websites?

If so have a default css file and let them edit that if anything and image uploads if required.

 

Ever consider making your own theme/templating system?

Create a variety of layouts and styles the user can select and further edit just css and images.

Could make it they name their customized versions and those are saved.

 

Can go crazy and make your own html builder.

[NotionCommotion]

I wouldn't let anyone upload code to the server.  Agree with PHP, but obviously other content is often allowed.  I wish to limit to HTML.

 

Are you doing a multiple subdomain/websites?  Yes.  I am concerned about cross subdomain JavaScript issues, but I believe user1.sites.example.com is fully isolated from user2.sites.example.com.  I am not concerned about user1 publishing JavaScript which is malicious to individuals visiting user1.sites.example.com.

 

If so have a default css file and let them edit that if anything and image uploads if required.

Ever consider making your own theme/templating system?

Create a variety of layouts and styles the user can select and further edit just css and images.

Could make it they name their customized versions and those are saved.

Humm, Maybe.  Let me mull it over.

 

Can go crazy and make your own html builder.  

[scootstah]

I am not concerned about user1 publishing JavaScript which is malicious to individuals visiting user1.sites.example.com.

Why? You should be.

[NotionCommotion]

Why? You should be.

 

Maybe "concerned" isn't the right word.  It is just not my responsibility, and I am not going to do anything about it.  The responsibility lies upon the maintainers of the individual subdomains who will be the only ones to upload script as I described in my original post.

[scootstah]

If it is a public facing page then yes, it is indeed your responsibility.

[NotionCommotion]

There will be terms and conditions requiring the subscribed users to abide to all laws as well as other guidelines.  This is no different than if I was selling physical servers or an Internet provider.

 

Script will be in place to prevent general users (i.e. non-subscribed users) from posting any malicious content.

 

The subscribed users will likely, however, be allowed to upload JavaScript.

 

If this is the case, what can be done?

[NotionCommotion]

Back to the original topic.

 

I still don't understand what could be dangerous by include()'ing user provided script provided it doesn't have any PHP tags.  Would like to know why people think it is.  Just because I don't see it, however, I agree it probably isn't smart.  EDIT.  Maybe there is some script in the file other than PHP which will somehow be executed?

 

Twig does slightly differently.  Given the following user provided HTML, it will create a file which includes the following method.  Is this any safer?  If so, why?

 

Thanks

<div>
  <p>bla bla bla</p>
  <p>Once there was a {{ color }} {{ animal }}.</p>
  <p>It's name was {{ name }}.</p>
  <p>The End!</p>
</div>
<?php echo('I am a bad guy!');?>

    protected function doDisplay(array $context, array $blocks = array())
    {
        // line 1
        echo "<div>
  <p>bla bla bla</p>
  <p>Once there was a ";
        // line 3
        echo twig_escape_filter($this->env, (isset($context["color"]) ? $context["color"] : null), "html", null, true);
        echo " ";
        echo twig_escape_filter($this->env, (isset($context["animal"]) ? $context["animal"] : null), "html", null, true);
        echo ".</p>
  <p>It's name was ";
        // line 4
        echo twig_escape_filter($this->env, (isset($context["name"]) ? $context["name"] : null), "html", null, true);
        echo ".</p>
  <p>The End!</p>
</div>
<?php echo('I am a bad guy!');?>";
    }

Edited July 25, 2015 by NotionCommotion

[scootstah]

If this is the case, what can be done?

 

You could develop a CMS type of deal which allows users to add widgets and stuff to their page, but not actual Javascript code. Unfortunately if you allow any sort of Javascript you are allowing an XSS vulnerability.

 

It's not really the same as offering web hosting. Since this is an extension of a domain and servers that you control, the blame will fall on you. You are responsible for the content on your domain/server.

 

I still don't understand what could be dangerous by include()'ing user provided script provided it doesn't have any PHP tags.

include()'ing is very bad because IF there was any PHP code that got in there, it's going to be executed. I discovered a while ago that if you embed PHP into an image file, the image can still pass proper MIME checks, still function as a valid image, but if you include() it, the PHP code will be executed.

 

If you want them to upload custom HTML, that's fine, but don't include() it.

 

Twig does slightly differently.  Given the following user provided HTML, it will create a file which includes the following method.  Is this any safer?  If so, why?

Yes, Twig is much safer. It has a strictly controlled API that can be utilized in the template, and you cannot put PHP into it.

[NotionCommotion]

Thanks scootstah,

 

Wow, heard of images containing php, but didn't know they would pass a MIME check.  What if it wasn't include()'d, but just requested by a URL through Apache?  Would the PHP still execute?

 

I am considering QuickOldCar's idea of HTML under my control, but CSS under the user's control.  That, however, still has some risk.  When I was dumber, I remember thinking how cool it was to parse CSS and even JS.  If a server was configured to parse CSS, that would be a very bad thing.  Other than PHP parsing a CSS file, are there other potential threats of allowing user uploaded CSS files?

 

In regards to Twig, for my immediate need, I do not require the overhead.  If Twig is considered safe, I believe there is no reason a super simple template system could be made just as safe.

Edited July 25, 2015 by NotionCommotion

[scootstah]

What if it wasn't include()'d, but just requested by a URL through Apache?  Would the PHP still execute?

No, because Apache does not treat an image like PHP. If you accessed the malicious image through a normal URL, it would load just like any other image and that's it.

 

Other than PHP parsing a CSS file, are there other potential threats of allowing user uploaded CSS files?

Yes, it's possible to carry out an XSS exploit with CSS. It would need to be sanitized.

 

In regards to Twig, for my immediate need, I do not require the overhead.  If Twig is considered safe, I believe there is no reason a super simple template system could be made just as safe.

What overhead are you referring to? If you mean performance, well then Twig has very minimal overhead. The template files are compiled to PHP in a cache, so it's only really slow the first time before the cache is created. After that it is very quick.

 

Twig is a great drop-in solution that lots of people are familiar with already. I'm not sure why you would bother taking the time to create one. Also, just because Twig is safe does not mean that all template engines are safe. It's not like they are inherently safe... but the way in which Twig operates makes it safe.

 

EDIT: In fact, the very thing you're trying to do is one of Twig's main selling points. Quote from the Twig page:

Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design.

Edited July 25, 2015 by scootstah

[NotionCommotion]

Good that Apache will never parse an image through PHP.  You absolutely sure?  So, I need not worry about verifying uploaded images are what their extension suggestions they are?

 

For the record, I am a big fan of Twig, and agree overhead is fairly low.  I am not trying to reinvent it, but if for a specific niche application I don't need all its functionality and I have unlimited time to come up with something else, why use it?

 

EDIT to your EDIT.  I will check out the sandbox mode.  Thanks!

 

In regards to XSS exploits with CSS as well as previously mentioned JavaScript, this definitely exceeds the scope of my question.  I do, however, think it is interesting and worth discussion.  Is this forum appropriate?  I've since done a little research, and it seems the jury is out.  Who is the responsible party?  The individual that posted the content, the web designer, the domain name owner, the entity who issued the domain name, the individual who maintains the site, the person who has the most money, etc, etc?  Let me know if you think I should post a specific question related to this topic on this forum.

 

Thanks

Edited July 25, 2015 by NotionCommotion

[scootstah]

Who is the responsible party?

I'm not a lawyer. But if you intend on intentionally leaving XSS vulnerabilities wide open, I'd suggest you consult with a lawyer to answer this question.

[NotionCommotion]

Lawyers!  I deal with them way too much!  I do still think it is worthy of further dialog, but expect here is not the place.  If anyone disagrees, please advise and I will post scenarios.

[scootstah]

Not sure what you mean. Discuss away.

[NotionCommotion]

Not sure what you mean. Discuss away.

http://forums.phpfreaks.com/topic/297479-who-is-legally-responsible-for-xss-vulnerabilities/