Allow 3rd party content? Think you're secure? Think again...

Posted by: Gremelin

Allow 3rd party content? Think you're secure? Think again... - 09/03/07 03:40 AM

Preface
I was dealing with some client issues today when I made an interesting discovery... Most people run a statistics logger on their site, which records common information about visitors, such as the "User-Agent" string that the browser sends with every request to tell the server what browser it is...

The Deal
Well, it seems that most statistics loggers DO NOT SANITIZE this string... What does this mean for you? It means that malicious users can embed JavaScript on your site (or at least wherever your stats logger's output is displayed; keep in mind that a lot of people publish their latest/most popular user data or user agent list), which is capable of skewing your content, hijacking your users (sending them offsite) or potentially stealing your users' passwords.

It is quite simple to sanitize these results, so if you're not doing so you're an idiot... Some of the largest scripts in the biz don't do this, and you have to think about it: do you want to trust the popularity of your community to a script that'll allow 3rd party users to hijack your users and send them to any site they please?

The Fix
I'm going to cover various ways of fixing this before showing you how it's done (yes, I am going to show you how to do it! At least now that I've patched our forums)... My examples below assume you're running PHP.

preg_replace or str_replace: you'll want to replace < and > with their escaped equivalents (the HTML entities &lt; and &gt;) so the browser displays them instead of treating them as tags; an example of this would be:
 Code:
$agent = str_replace("<", "&lt;", $agent);
$agent = str_replace(">", "&gt;", $agent);


htmlspecialchars is my recommendation (as always), and is quite simple! It handles <, >, & and " in one call:
 Code:
$agent = htmlspecialchars($agent);


strip_tags is another option; however, I like to monitor things as they come in, and strip_tags may strip more than just the tags, which would render my logging (without having to dig deep) useless...
 Code:
$agent = strip_tags($agent);



When you sanitize your results, the agent string will PRINT instead of EXECUTE: the browser renders any code within it as plain text rather than interpreting it as HTML or JavaScript.
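The following is an added example, not code from the original post or from any particular stats script: a minimal user-agent logger that stores the raw string, escapes it with htmlspecialchars at output time (with ENT_QUOTES so single quotes inside attributes are covered as well) and flags entries that look like markup so they can be reviewed, which keeps the "monitor things as they come in" approach from the post intact. The function names, the in-memory log array and the first sample string are my own assumptions; the two script-bearing samples are the ones quoted from the client's logs below.

```php
<?php
// Added example (not from the original post): log the raw User-Agent, escape it
// on output, and flag entries that carry markup for review.
// Function and variable names are hypothetical, chosen for this example.

declare(strict_types=1);

// Escape a user agent string for safe display in an HTML page.
// ENT_QUOTES also escapes ' and ", so the value is safe inside attributes;
// the explicit charset avoids mis-decoding of odd bytes in hostile input.
function escape_agent(string $agent): string
{
    return htmlspecialchars($agent, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Heuristic only: true when the string looks like it carries an HTML tag,
// a javascript: URL or an on*= event handler. This marks entries for review;
// escape_agent() is what actually prevents execution.
function looks_like_markup(string $agent): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z][^>]*>|javascript:|\bon[a-z]+\s*=/i', $agent);
}

// Record one hit. A real logger would insert into a database; here entries
// go into an in-memory array so the example runs stand-alone.
function log_hit(array &$log, string $agent): void
{
    $log[] = [
        'ts'         => date('c'),
        'agent'      => $agent,                 // raw value, exactly as received
        'suspicious' => looks_like_markup($agent),
    ];
}

// Render the "recent user agents" table the way a stats page would,
// escaping every stored value at output time.
function render_log(array $log): string
{
    $rows = '';
    foreach ($log as $entry) {
        $flag  = $entry['suspicious'] ? ' class="suspicious"' : '';
        $rows .= sprintf(
            "<tr%s><td>%s</td><td>%s</td></tr>\n",
            $flag,
            escape_agent($entry['ts']),
            escape_agent($entry['agent'])
        );
    }
    return "<table>\n" . $rows . "</table>\n";
}

// Constructed sample input: the poster's own custom agent string plus the two
// strings quoted from the client's logs. In production the value comes from
// $_SERVER['HTTP_USER_AGENT'] ?? ''.
$samples = [
    'UGN Security/3.13.37 (Linux; en); UGN Security (http://www.undergroundnews.com/)',
    "<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 6.0; Windows NT 5.1)",
    "\"<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 7.0; Windows NT 5.1)\"",
];

$log = [];
foreach ($samples as $ua) {
    log_hit($log, $ua);
}

$html = render_log($log);
echo $html;

// Sanity check: the rendered page contains no raw <script> tag, while the
// two flagged entries remain visible (as text) for review.
$flagged = 0;
foreach ($log as $entry) {
    if ($entry['suspicious']) {
        $flagged++;
    }
}
assert(stripos($html, '<script') === false);
assert($flagged === 2);
```

Escaping on output rather than on storage keeps the raw string available for investigation (you can see exactly what was sent) while guaranteeing that every page which displays it does so as text; if your stats script only ever shows the stored value, escaping once before storage, as the post suggests, achieves the same result.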

The Execution
These are actual, LIVE examples of items which have been found in my client's logs:
 Code:
<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)


 Code:
"<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 7.0; Windows NT 5.1)"


As you see here, the script line tells your users' browsers "I want you to go here, now," and any browser that renders the unescaped log entry will obey it...

ANY JavaScript can be added here, and most scripts will store the entire string, so quite a few "wonky" items can be added in (which I will not cover, as I don't want this security related post aiding script kiddies; I've basically told you how to do just about anything, so take 5 minutes and do some research if you're curious).

Now, you're likely thinking "oh, well users can't change that, it's built into the browser"... Oh how wrong you are... If, for example, you're running Firefox, you can change this string in about:config (advanced browser configuration settings) or by using a Firefox extension such as "User Agent Switcher"; mine for example shows:
 Code:
UGN Security/3.13.37 (Linux; en); UGN Security (http://www.undergroundnews.com/)


Why talk about this publicly?
Quite simply, do a Google search and you'll find tons of people whining that they have to disable such and such part of their site because their users are being sent elsewhere... Little do they know that they can EASILY update these scripts (or at least the output of them) to thwart malicious users...

Another reason for this is that I want to be sure those learning to code always go by my golden rule...
If you allow a 3rd party to post ANY text, no matter how harmless you assume it will be, you need to think ahead and take a quick 3 minutes to do some sanitization of stored strings.