NotionCommotion, posted July 24, 2015

User uploads a script called "templates.html" such as the following, plus a bunch of images:

```html
<div>
  <p>{{1}}</p>
  <p>{{2}}</p>
  <img src="images/bla.png" alt="bla" />
  <script>alert('hello');</script>
</div>
```

PHP parses the templates.html and creates a new file called "index.php" which is as follows:

```php
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>Testing</title>
  <link href="xyz.css" type="text/css" rel="stylesheet" />
  <script src="xyz.js" type="text/javascript"></script>
</head>
<body>
  <div>
    <?php $obj->getSomeNonUserProvidedStuff();?>
  </div>
  <div>
    <p><?php $obj->getSomething(1);?></p>
    <p><?php $obj->getSomething(2);?></p>
    <img src="images/bla.png" alt="bla" />
    <script>alert('hello');</script>
  </div>
</body>
</html>
```

The file is stored in a location which is publicly accessible with http://theUsersSpace.sites.example.com/index.php

To be secure, I will confirm that there are no PHP tags in templates.html. I will validate uploaded image extensions as well as use finfo. It is my understanding that JavaScript risk is limited to only the user's space. Am I missing anything? Thanks
scootstah, posted July 24, 2015

The JavaScript risk is there for anyone who views the page. Where does the PHP code come from in your index.php example?
NotionCommotion (author), posted July 24, 2015

> Where does the PHP code come from in your index.php example?

All of it except the below would come from me, and is presumed safe:

```php
<div>
  <p><?php $obj->getSomething(1);?></p>
  <p><?php $obj->getSomething(2);?></p>
  <img src="images/bla.png" alt="bla" />
  <script>alert('hello');</script>
</div>
```

The above part comes from the user-provided templates.html file I described in my initial post, and should be considered suspect. I would first confirm that templates.html doesn't have any PHP tags, and then use regex or similar to replace {{1}} and {{2}} with <?php $obj->getSomething(1);?> and <?php $obj->getSomething(2);?> to create it. My primary need is to prevent a malicious user from executing any unintended PHP either within this file, or by disguising a PHP file as an image. My concern was that maybe they could encode the PHP tags and it somehow gets past my validation.
NotionCommotion (author), posted July 25, 2015

Not trying to be pushy, but would really appreciate some advice. Thank you
QuickOldCar, posted July 25, 2015

I wouldn't let anyone upload code to the server. Are you doing multiple subdomains/websites? If so, have a default CSS file and let them edit that if anything, and image uploads if required.

Ever consider making your own theme/templating system? Create a variety of layouts and styles the user can select and further edit just CSS and images. Could make it so they name their customized versions and those are saved. Can go crazy and make your own HTML builder.
NotionCommotion (author), posted July 25, 2015

> I wouldn't let anyone upload code to the server.

Agree with PHP, but obviously other content is often allowed. I wish to limit it to HTML.

> Are you doing multiple subdomains/websites?

Yes. I am concerned about cross-subdomain JavaScript issues, but I believe user1.sites.example.com is fully isolated from user2.sites.example.com. I am not concerned about user1 publishing JavaScript which is malicious to individuals visiting user1.sites.example.com.

> If so, have a default CSS file and let them edit that if anything, and image uploads if required. Ever consider making your own theme/templating system? Create a variety of layouts and styles the user can select and further edit just CSS and images. Could make it so they name their customized versions and those are saved.

Hmm, maybe. Let me mull it over.

> Can go crazy and make your own HTML builder.
scootstah, posted July 25, 2015

> I am not concerned about user1 publishing JavaScript which is malicious to individuals visiting user1.sites.example.com.

Why? You should be.
NotionCommotion (author), posted July 25, 2015

> Why? You should be.

Maybe "concerned" isn't the right word. It is just not my responsibility, and I am not going to do anything about it. The responsibility lies upon the maintainers of the individual subdomains, who will be the only ones to upload script as I described in my original post.
scootstah, posted July 25, 2015

If it is a public-facing page then yes, it is indeed your responsibility.
NotionCommotion (author), posted July 25, 2015

There will be terms and conditions requiring the subscribed users to abide by all laws as well as other guidelines. This is no different than if I was selling physical servers or was an Internet provider. Script will be in place to prevent general users (i.e. non-subscribed users) from posting any malicious content. The subscribed users will likely, however, be allowed to upload JavaScript. If this is the case, what can be done?
NotionCommotion (author), posted July 25, 2015

Back to the original topic. I still don't understand what could be dangerous about include()'ing user-provided script provided it doesn't have any PHP tags. Would like to know why people think it is. Just because I don't see it, however, I agree it probably isn't smart.

EDIT. Maybe there is some script in the file other than PHP which will somehow be executed?

Twig does it slightly differently. Given the following user-provided HTML, it will create a file which includes the following method. Is this any safer? If so, why? Thanks

```html
<div>
  <p>bla bla bla</p>
  <p>Once there was a {{ color }} {{ animal }}.</p>
  <p>It's name was {{ name }}.</p>
  <p>The End!</p>
</div>
<?php echo('I am a bad guy!');?>
```

```php
protected function doDisplay(array $context, array $blocks = array())
{
    // line 1
    echo "<div>
  <p>bla bla bla</p>
  <p>Once there was a ";
    // line 3
    echo twig_escape_filter($this->env, (isset($context["color"]) ? $context["color"] : null), "html", null, true);
    echo " ";
    echo twig_escape_filter($this->env, (isset($context["animal"]) ? $context["animal"] : null), "html", null, true);
    echo ".</p>
  <p>It's name was ";
    // line 4
    echo twig_escape_filter($this->env, (isset($context["name"]) ? $context["name"] : null), "html", null, true);
    echo ".</p>
  <p>The End!</p>
</div>
<?php echo('I am a bad guy!');?>";
}
```

Edited July 25, 2015 by NotionCommotion
scootstah, posted July 25, 2015

> If this is the case, what can be done?

You could develop a CMS type of deal which allows users to add widgets and stuff to their page, but not actual JavaScript code. Unfortunately, if you allow any sort of JavaScript you are allowing an XSS vulnerability.

It's not really the same as offering web hosting. Since this is an extension of a domain and servers that you control, the blame will fall on you. You are responsible for the content on your domain/server.

> I still don't understand what could be dangerous about include()'ing user-provided script provided it doesn't have any PHP tags.

include()'ing is very bad because IF there was any PHP code that got in there, it's going to be executed. I discovered a while ago that if you embed PHP into an image file, the image can still pass proper MIME checks and still function as a valid image, but if you include() it, the PHP code will be executed. If you want them to upload custom HTML, that's fine, but don't include() it.

> Twig does it slightly differently. Given the following user-provided HTML, it will create a file which includes the following method. Is this any safer? If so, why?

Yes, Twig is much safer. It has a strictly controlled API that can be utilized in the template, and you cannot put PHP into it.
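As an added example that is not from any poster in this thread, here is the "don't include() it" advice applied to the templates.html scheme from the first posts: the template is read as a string and the {{1}}/{{2}} placeholders are filled at request time with escaped values, so the question of smuggled PHP tags never arises. Only the placeholder syntax and $obj->getSomething(n) come from the thread; the SafeTemplate class, the anonymous $obj, the HTML escaping of values and the sample template are assumptions (PHP 8).

```php
<?php
// Added example (not the thread author's code): render a user-supplied
// templates.html as data, never as PHP. The {{1}}/{{2}} placeholders and
// $obj->getSomething(n) follow the thread; everything else is assumed.
declare(strict_types=1);

final class SafeTemplate
{
    public function __construct(private string $template) {}

    /**
     * Replace each {{n}} with the HTML-escaped result of $obj->getSomething(n).
     * The template is never written to a .php file and include()'d, so a
     * PHP open tag the user slipped in is plain text to the PHP engine.
     */
    public function render(object $obj): string
    {
        return preg_replace_callback(
            '/\{\{\s*(\d+)\s*\}\}/',
            static function (array $m) use ($obj): string {
                $value = (string) $obj->getSomething((int) $m[1]);
                return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            },
            $this->template
        );
    }
}

// Constructed sample: a template with placeholders and a smuggled PHP tag.
$userTemplate = <<<'HTML'
<div>
  <p>{{1}}</p>
  <p>{{2}}</p>
  <?php echo('I am a bad guy!'); ?>
</div>
HTML;

// Stand-in for the thread's $obj; real values would come from the application.
$obj = new class {
    public function getSomething(int $n): string
    {
        return $n === 1 ? 'Hello <b>world</b>' : 'Second "value"';
    }
};

// For contrast, the thread's approach (file_put_contents('index.php', ...)
// followed by include 'index.php') would execute the smuggled line above.
// Here the rendered string is simply echoed: the browser receives the PHP
// tag as inert text, and the substituted values arrive HTML-escaped.
echo (new SafeTemplate($userTemplate))->render($obj);
```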
NotionCommotion (author), posted July 25, 2015

Thanks scootstah. Wow, heard of images containing PHP, but didn't know they would pass a MIME check. What if it wasn't include()'d, but just requested by a URL through Apache? Would the PHP still execute?

I am considering QuickOldCar's idea of HTML under my control, but CSS under the user's control. That, however, still has some risk. When I was dumber, I remember thinking how cool it was to parse CSS and even JS. If a server was configured to parse CSS, that would be a very bad thing. Other than PHP parsing a CSS file, are there other potential threats of allowing user-uploaded CSS files?

In regards to Twig, for my immediate need, I do not require the overhead. If Twig is considered safe, I believe there is no reason a super simple template system could not be made just as safe.

Edited July 25, 2015 by NotionCommotion
scootstah, posted July 25, 2015

> What if it wasn't include()'d, but just requested by a URL through Apache? Would the PHP still execute?

No, because Apache does not treat an image like PHP. If you accessed the malicious image through a normal URL, it would load just like any other image and that's it.

> Other than PHP parsing a CSS file, are there other potential threats of allowing user-uploaded CSS files?

Yes, it's possible to carry out an XSS exploit with CSS. It would need to be sanitized.

> In regards to Twig, for my immediate need, I do not require the overhead. If Twig is considered safe, I believe there is no reason a super simple template system could not be made just as safe.

What overhead are you referring to? If you mean performance, well then Twig has very minimal overhead. The template files are compiled to PHP in a cache, so it's only really slow the first time before the cache is created. After that it is very quick. Twig is a great drop-in solution that lots of people are familiar with already. I'm not sure why you would bother taking the time to create one.

Also, just because Twig is safe does not mean that all template engines are safe. It's not like they are inherently safe... but the way in which Twig operates makes it safe.

EDIT: In fact, the very thing you're trying to do is one of Twig's main selling points. Quote from the Twig page:

> Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design.

Edited July 25, 2015 by scootstah
NotionCommotion (author), posted July 25, 2015

Good that Apache will never parse an image through PHP. You absolutely sure? So, I need not worry about verifying uploaded images are what their extension suggests they are?

For the record, I am a big fan of Twig, and agree overhead is fairly low. I am not trying to reinvent it, but if for a specific niche application I don't need all its functionality and I have unlimited time to come up with something else, why use it?

EDIT to your EDIT. I will check out the sandbox mode. Thanks!

In regards to XSS exploits with CSS as well as previously mentioned JavaScript, this definitely exceeds the scope of my question. I do, however, think it is interesting and worth discussion. Is this forum appropriate? I've since done a little research, and it seems the jury is out. Who is the responsible party? The individual that posted the content, the web designer, the domain name owner, the entity who issued the domain name, the individual who maintains the site, the person who has the most money, etc., etc.? Let me know if you think I should post a specific question related to this topic on this forum. Thanks

Edited July 25, 2015 by NotionCommotion
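An added example, not from anyone in the thread, of the image check the last few posts go back and forth on: the upload is typed by content rather than by extension, decoded, and re-encoded with GD so that bytes outside the pixel data (where PHP hidden in an image would sit, and which a MIME check does not look at) do not survive into the stored file. Whether a web server would ever hand such a file to PHP depends on its handler configuration, so the stored file is made harmless either way. The function name and the constructed sample are assumptions; it assumes PHP 8 with the GD and fileinfo extensions.

```php
<?php
// Added example (not code from the thread): accept an uploaded image only
// after checking its real type and re-encoding it, so bytes that are not
// pixel data (where PHP smuggled into an image would live) are discarded.
// Assumes the GD and fileinfo extensions; everything else here is assumed.
declare(strict_types=1);

/**
 * Validate $bytes as a real image and return a freshly encoded copy.
 * Returns [extension, encodedBytes] or null if the upload is rejected.
 */
function sanitizeImageUpload(string $bytes): ?array
{
    // 1. Type by content, never by the user-supplied file name or extension.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // 2. Must decode as an image. A valid image with extra bytes appended
    //    still passes steps 1 and 2, which is why step 3 exists.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    // 3. Re-encode from the decoded pixels. Comments, metadata blocks and any
    //    trailing bytes of the original are not carried into the new file.
    ob_start();
    match ($mime) {
        'image/png'  => imagepng($img),
        'image/jpeg' => imagejpeg($img, null, 85),
        'image/gif'  => imagegif($img),
    };
    return [$allowed[$mime], ob_get_clean()];
}

// Constructed sample: a 1x1 PNG generated here, with PHP text appended after
// the image data, mimicking the smuggling case described in the thread.
ob_start();
imagepng(imagecreatetruecolor(1, 1));
$upload = ob_get_clean() . "<?php echo 'smuggled'; ?>";

$result = sanitizeImageUpload($upload);
// Store under a server-generated name using the returned extension, e.g.
// bin2hex(random_bytes(16)) . '.' . $result[0], never under the uploaded name.
printf("accepted: %s, PHP text still present: %s\n",
    $result === null ? 'no' : 'yes (.' . $result[0] . ')',
    $result !== null && str_contains($result[1], '<?php') ? 'yes' : 'no');
```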
scootstah, posted July 25, 2015

> Who is the responsible party?

I'm not a lawyer. But if you intend on intentionally leaving XSS vulnerabilities wide open, I'd suggest you consult with a lawyer to answer this question.
NotionCommotion (author), posted July 26, 2015

Lawyers! I deal with them way too much! I do still think it is worthy of further dialog, but expect here is not the place. If anyone disagrees, please advise and I will post scenarios.
scootstah, posted July 26, 2015

Not sure what you mean. Discuss away.
NotionCommotion (author), posted July 26, 2015

> Not sure what you mean. Discuss away.

http://forums.phpfreaks.com/topic/297479-who-is-legally-responsible-for-xss-vulnerabilities/