jskrauss Posted June 27, 2007

We have a simple PHP script that is designed to only include the body portion of a page when doing a server side include. The dilemma is it is failing our security audit due to an XSS issue.

<?php
// Return only what sits between <body> and </body> in $content
function StripBody($content){
    preg_match('%<body.*>(.*)</body>%is', $content, $matches);
    $matches=$matches[0];
    // Drop the <body ...> and </body> tags themselves
    $matches=preg_replace('%<.*body.*>%i','',$matches);
    //$matches=str_replace(array("\n","\t","\r"," "),"",$matches);
    $matches=str_replace(array("../"),"",$matches);
    $matches=trim($matches);
    return $matches;
}

// $_REQUEST['p'] names the file under ../includes/ to pull the body from
if(file_exists("../includes/$_REQUEST[p]")){
    $inp=file_get_contents("../includes/$_REQUEST[p]");
    echo "<!-- include $_REQUEST[p] BEGIN -->\n";
    if($_REQUEST['lb']==1){
        echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
    }
    echo StripBody($inp);
    if($_REQUEST['lb']==1){
        echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
    }
    echo "\n<!-- include $_REQUEST[p] END-->\n";
}else{
    echo '[<i>' . $_REQUEST['p'] . '</i>]';
}
?>

The problem according to the security audit is a hacker could in theory add

?p=<script>alert(document.cookie)</script><iframe%20width=800%20height=600%20src=http://www.intrudersdomainname.com></iframe>&lb=1

to the URL and have their content displayed on our page or run other scripts. The issue is stripping that information out of the value for p. I've tried strip_tags but since p is defined as a constant it does not work.

Link to comment https://forums.phpfreaks.com/topic/57437-xss-in-simple-script/
per1os Posted June 27, 2007

How is it defined as a constant... here is a solution to try.

<?php
function StripBody($content){
    preg_match('%<body.*>(.*)</body>%is', $content, $matches);
    $matches=$matches[0];
    $matches=preg_replace('%<.*body.*>%i','',$matches);
    //$matches=str_replace(array("\n","\t","\r"," "),"",$matches);
    $matches=str_replace(array("../"),"",$matches);
    $matches=trim($matches);
    return $matches;
}

// Strip tags from the request value once, then use the cleaned copy everywhere
$p = strip_tags($_REQUEST['p']);
if(file_exists("../includes/$p")){
    $inp=file_get_contents("../includes/p");
    echo "<!-- include $p BEGIN -->\n";
    if($_REQUEST['lb']==1){
        echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
    }
    echo StripBody($inp);
    if($_REQUEST['lb']==1){
        echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
    }
    echo "\n<!-- include $p END-->\n";
}else{
    echo '[<i>' . $p . '</i>]';
}
?>

See what that does for you.
jskrauss (Author) Posted June 27, 2007

I replaced my file with the suggested content and wound up with the following (directory structure altered for security purposes in this post):

Ford Focus
Warning: file_get_contents(../includes/p) [function.file-get-contents]: failed to open stream: No such file or directory in /removed/removed/public_html/_php/include.php on line 15
per1os Posted June 27, 2007

$inp=file_get_contents("../includes/$p");

I missed the $ there, replace that line and see what happens.
jskrauss (Author) Posted June 27, 2007

No error on the page! I should have caught that myself! Thanks. I will rerun the security test!
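For reference, here is a hardened version of the same include script, added as an example rather than code from either poster: instead of stripping tags from p it allowlists p against a fixed file-name pattern (the original passes the raw value straight into a path under ../includes/) and HTML-escapes it when echoing it back in the fallback branch. The pattern and the htmlspecialchars call are assumptions about what the site needs, not something from the thread.

```php
<?php
// Added example (not the original poster's code): the include script with the
// untrusted request parameters validated before use and escaped on output.

function StripBody($content) {
    // Keep only the contents of <body>...</body>, same intent as the thread's helper.
    if (!preg_match('%<body[^>]*>(.*)</body>%is', $content, $m)) {
        return '';
    }
    return trim($m[1]);
}

// Accept only a plain file name such as "page.html": no slashes and no "..",
// so the value can only name a file directly inside ../includes/.
// The allowed pattern is an assumption; widen it to match the real file names.
function SafeIncludeName($p) {
    if (!is_string($p) || !preg_match('/^[A-Za-z0-9_-]+\.html?$/', $p)) {
        return null;
    }
    return $p;
}

$rawP = isset($_REQUEST['p']) ? $_REQUEST['p'] : '';
$p    = SafeIncludeName($rawP);
$lb   = isset($_REQUEST['lb']) && $_REQUEST['lb'] === '1';
$closeLink = '<a href="#" class="lbAction" rel="deactivate">Close</a>';

if ($p !== null && is_file("../includes/$p")) {
    $inp = file_get_contents("../includes/$p");
    echo "<!-- include $p BEGIN -->\n";
    if ($lb) { echo $closeLink; }
    echo StripBody($inp);
    if ($lb) { echo $closeLink; }
    echo "\n<!-- include $p END -->\n";
} else {
    // Escape the reflected value so a rejected p cannot inject markup into the page.
    $shown = htmlspecialchars((string)$rawP, ENT_QUOTES, 'UTF-8');
    echo '[<i>' . $shown . '</i>]';
}
```

With this version the audit's test URL is rejected by SafeIncludeName and only its escaped text appears inside the [<i>...</i>] fallback.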