I was dealing with some client issues today when I made an interesting discovery... Most people have statistic loggers on their site, which log common information about users such as the "user agent" string that your browser provides, which tells the server what browser you're using...
The Deal
It is quite simple to sanitize these results, so if you're not doing so, you're an idiot... Some of the largest scripts in the biz don't do this, and you have to think about this: do you want to trust the popularity of your community to a script that'll allow 3rd party users to hijack your users and send them to any site they please?
The Fix
I'm going to cover various ways of fixing this before showing you how it's done (yes, I am going to show you how to do it! At least since I patched our forums)... My examples below assume you're running PHP.
preg_replace or str_replace: you'll want to replace < and > with their HTML entity equivalents (&lt; and &gt;); an example of this would be:
$agent = str_replace("<", "&lt;", $agent);
$agent = str_replace(">", "&gt;", $agent);
htmlspecialchars is my recommendation (as per always), and is quite simple!
$agent = htmlspecialchars($agent);
strip_tags is another option; however, I like to monitor things as they come in, and strip_tags may strip more than just the tags, which would render my logging useless (without having to dig deep)...
$agent = strip_tags($agent);
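A worked example, added here and not code from the original post: it applies the htmlspecialchars() fix to the user agent before it is stored and shows what a log viewer would echo with and without it. The function names are mine, and the second sample agent is constructed; the first is one of the injected strings quoted later in this post.

```php
<?php
// Added example (not the post's own code): escape the User-Agent with
// htmlspecialchars() before it is written to the stats log, so a viewer
// page that echoes the log prints the string instead of executing it.

// Constructed sample: the first entry is one of the injected agents quoted
// in the post, the second is an ordinary browser string.
$sampleAgents = [
    "<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
];

// In a real request the input is $_SERVER['HTTP_USER_AGENT'], which the
// client controls entirely (see the about:config / extension notes below).
function sanitizeAgent(string $agent): string
{
    // ENT_QUOTES also escapes single quotes, so the value stays inert even
    // if the log viewer later drops it inside an HTML attribute.
    return htmlspecialchars($agent, ENT_QUOTES, 'UTF-8');
}

// Vulnerable viewer: echoes the stored value straight into the page.
function renderRaw(string $agent): string
{
    return "<li>" . $agent . "</li>";
}

// Check for an existing log: after sanitizing, no entry should still open
// an HTML tag. A "true" here means an unescaped value slipped through.
function stillContainsTag(string $stored): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z]/i', $stored);
}

foreach ($sampleAgents as $agent) {
    $stored = sanitizeAgent($agent);
    echo "raw in page : " . renderRaw($agent) . "\n";
    echo "escaped     : " . renderRaw($stored) . "\n";
    echo "tag survives: " . (stillContainsTag($stored) ? "yes" : "no") . "\n\n";
}
```

Run stillContainsTag() over every stored agent in an old log to find entries written before the fix was applied.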
When sanitizing your results, the agent will PRINT instead of EXECUTE, so any code within will be rendered as plain text.
The Execution
These are actual, LIVE examples of items which have been found in my client's logs:
<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
"<SCRIPT>window.location='http://www.syncrisis.com'</script> (compatible; MSIE 7.0; Windows NT 5.1)"
As you see here, the script line tells your users' browsers "I want you to go here, now," which any browser will assume is correct...
Now, you're likely thinking "oh, well users can't change that, it's built into the browser"... Oh how wrong you are... If, for example, you're running Firefox, you can change this string in about:config (advanced browser configuration settings) or by using a Firefox extension such as "User Agent Switcher"; mine for example shows:
UGN Security/3.13.37 (Linux; en); UGN Security (http://www.undergroundnews.com/)
Why talk about this publicly?
Quite simply, do a Google search, you'll find tons of people whining that they have to disable such and such part of their site because their users are being sent elsewhere... Little do they know that they can EASILY update these scripts (or at least the output of them) to thwart malicious users...
Another reason for this is, I want to be sure those learning to code always follow my golden rule...
If you allow a 3rd party to post ANY text, no matter how harmless you assume it will be, you need to think ahead and take a quick 3 minutes and do some sanitization of stored strings.