
user customized css file and security



fatrat
11-24-2006, 11:26 AM
hi, i would like to take a <textarea name="css"></textarea>

and create a .css file with it.

kind of like a myspace user customisation.

what do i need to do with $_POST['css']
before i can write a file with it, to prevent malicious scripts?

once the file is written, its contents will be called with 'file_get_contents', assigned to $get_css and then put into the template file just before the end of the default css.

like:

$css
-->
</style>


so how can i secure this?

I have read some articles, but I won't know what's not 100% safe until i get hacked!!!!

raf
11-24-2006, 12:07 PM
first off: "100% safe" is a myth, invented by some drunken manager.

about your css --> is the posted css at the end just added to a html-header? if so, then it's vulnerable to all XSS exploits so you should probably only be safe if you completely remove all html tags.
but i see no reason for you to not just add the posted css to an external css file. then the only exploit i can think you need to take care of, is the @import exploit for IE users (IE allows non-valid css to be imported, so an attacker could slip in html). Easiest solution is to depend on your users to have a patched browser, and alternatively, you can still strip off all html-tags that are in the posted text. or simply don't process posted text that contains html-tags.

fatrat
11-24-2006, 06:02 PM
k, let me explain some more then so i can figure this out a bit more.

the css will be stored in an external file, which i was going to call in a php header file using file_get_content and then assign to the template file.

is there a more secure way of calling the css file??

like could i use php to assign the file name and then do a html link in the template file, not exactly sure of the code, but i know you can call css files using html. the point is, is this more secure?

so that's calling the file more securely, but how do i strip html tags before the <textarea> is saved to file??

the file is only meant to contain css, so i guess i could run a preg_match_all and make sure it only contains:
a-z, A-Z, 0-9, #, ', (, ), -, _

would this prevent all malicious code and still allow enough css to be done?

fatrat
11-26-2006, 09:17 AM
*bump*

raf
11-26-2006, 10:21 AM
is there a more secure way of calling the css file??
sure, just link to an external css file in the header.
for firefox/opera, this will already solve all security problems. for IE, you still have the problem that it will process a non-valid css (like a css-file that contains html).


but how do i strip html tags before the <textarea> is saved to file??

the file is only meant to contain css, so i guess i could run a preg_match_all and make sure it only contains:
a-z, A-Z, 0-9, #, ', (, ), -, _

would this prevent all malicious code and still allow enough css to be done?
you can just as well check that the posted value doesn't contain "<". like


if (strpos($_POST['my_posted_css'], '<') !== False){
die('Invalid css posted');
}else{
//the saving to file etc
}

fatrat
11-27-2006, 07:25 AM
$css = htmlspecialchars(stripslashes($HTTP_POST_VARS['css']));

if ( strpos($css, '<') )
{
$error = TRUE;
$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'CSS must not contain any html';
}

will that do?

what about javascript?

http://alistapart.com/articles/secureyourcode

The threat


Malicious JavaScript injections are a threat at many levels. Using a full-fledged injection, an attacker could:

* Change the presentation of the attacker’s personal pages in a forbidden way (this is the lowest level of severity, but could produce a misleading or confusing experience for other users).
* Execute an action whenever a user enters the attacker’s page, such as voting for the attacker in a poll or adding the attacker to a buddy or “trusted” list.
* Infect the personal pages of users who visit the attacker’s page, creating a spreading virus that might, in turn, execute malicious code or propagate spyware /viruses that exploit security flaws in popular browsers.

These are just three examples of what an attacker might do, but two things are already clear:

1. XSS is a real threat. MySpace and many other community sites have already been attacked or compromised.
2. Webmasters should, therefore, make sure that their sites are properly protected.



IE, CSS, and JavaScript

Thanks to IE’s predilection for executing JavaScript, many communities are left vulnerable. IE will accept and execute the following code:

[…] style="background:url(javascript:alert(document.cookie))" […]

It’s bad if a browser executes JavaScript from style tags, because many communities don’t validate this input—they simply take the input, strip single and double quotes, and print it out. This, for example:




Would be translated into this:

<font style="color: black; background:url(javascript:alert
(document.cookie));"></font>

By blocking the word “JavaScript,” many of us feel safe, but we are still vulnerable since the following example is perfectly valid as far as Internet Explorer is concerned:

<font style="background:url(jav
ascr
ipt:alert(document.cookie))"></font>

If I were to inject this into a community that blocks “JavaScript,” I would simply use:

raf
11-27-2006, 08:22 AM
$css = htmlspecialchars(stripslashes($HTTP_POST_VARS['css']));

if ( strpos($css, '<') )
{
$error = TRUE;
$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'CSS must not contain any html';
}

will that do?
try it out, if you specifically want to use your own version of my code for whatever reason that escapes me.

my educated guess is that it won't work since


$css='<blabla>';
if ( strpos($css, '<') ){
echo 'css contains <';
}else{
echo 'css does not contain <';
}
would print 'css does not contain <' which is of course incorrect. this is because 0 (==> for the first position of <blabla> where < is found) evaluates to False instead of the True that you would expect.


what about javascript?

what about it? i already told you twice to use an external css file so that you don't have inline css.
if you want to make completely sure that even IE users that allow javascript won't be at risk, then just create a version of $css where you remove all linebreaks and then check if it contains "javascript". if it doesn't, then you store the original $css.
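
One way to implement the checks raf describes (reject any "<", strip whitespace and look for "javascript"), written as an added example rather than code from this thread. It goes a little beyond the thread by stripping all whitespace instead of only linebreaks and by also rejecting @import (raised earlier) and IE's expression(); the function names and the per-user file path are assumptions.

```php
<?php
// Added example, not code from this thread: validate CSS posted from the
// <textarea name="css"> before it is written to the user's external .css file.
// Returns null when the CSS is acceptable, otherwise an error message.
function validate_user_css(string $css): ?string
{
    // raf's first check: any "<" means HTML could be smuggled into the file.
    // strpos() returns 0 for a match at offset 0, so compare with !== false.
    if (strpos($css, '<') !== false) {
        return 'CSS must not contain any html';
    }
    // raf's second check, generalised: strip ALL whitespace (not only line
    // breaks) and lower-case, so "jav\nascr\nipt:" and "JaVaScRiPt:" are caught.
    $collapsed = strtolower(preg_replace('/\s+/', '', $css));
    if (strpos($collapsed, 'javascript') !== false) {
        return 'CSS must not contain javascript';
    }
    // @import can pull a remote, possibly non-CSS resource into IE.
    if (strpos($collapsed, '@import') !== false) {
        return 'CSS must not use @import';
    }
    // Beyond the thread: old IE evaluates script inside expression().
    if (strpos($collapsed, 'expression(') !== false) {
        return 'CSS must not use expression()';
    }
    return null;
}

// Write accepted CSS to a per-user file whose name comes from the numeric
// user id only, never from posted data (hypothetical path layout).
function save_user_css(int $userId, string $css, string $dir): bool
{
    if (validate_user_css($css) !== null) {
        return false;
    }
    return file_put_contents("{$dir}/user_{$userId}.css", $css) !== false;
}

// Constructed sample inputs: one clean stylesheet and three that must be rejected.
$samples = [
    "body { color: #333; background: url('/img/bg.png'); }",
    "a { color: red } </style><script>alert(1)</script>",
    "div { background:url(jav\nascr\nipt:alert(document.cookie)) }",
    "@import url(http://other.example/x.css);",
];
foreach ($samples as $css) {
    $err = validate_user_css($css);
    echo ($err === null ? 'OK: accepted' : 'REJECT: ' . $err) . "\n";
}
```

The template then references the saved file with a <link rel="stylesheet"> tag instead of inlining it with file_get_contents(), so the browser never treats it as part of the HTML document.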

fatrat
11-27-2006, 05:04 PM
$css = htmlspecialchars(stripslashes($HTTP_POST_VARS['css']));

if ( strpos($css, '<') !== False )
{
$error = TRUE;
$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'CSS must not contain any html';
}

k, i added the !==False, ty for that info, there are probably other parts of my code I will now change coz I had done that wrong.

so tyvm for that ;)

I do intend to create the file and import it as an external script using:

<link rel="stylesheet" type="text/css" href="/path/yourfile.css">

so that will hopefully stop a lot of misuses, now I will write a short code to remove linebreaks and check for 'javascript', ill post later.

ty


this code seems far too easy to handle this:

http://namb.la/popular/tech.html


having said that, if divs aren't allowed, does that mean that kind of script wouldn't work?
but are there ways around that?


