
Module: Embed Images

Posted by Maurice Makaay 
Re: Module: Embed Images
September 02, 2008 09:01AM
Hello,
I tried the above line again today with a clear head, on my system running Phorum 5.2.8 and embed_images-1.0.8,
and this is what I'm getting on viewing the post:

[Tue Sep 02 14:57:14 2008] [error] [client 192.168.228.128] PHP Fatal error:  Maximum execution time of 30 seconds exceeded in /home/test/public_html/forums/mods/embed_images/embed_images.php on line 448

So I would keep the "Show HTML <img> tags as embedded images?" option off for now. Can anyone else confirm this?
I would also keep the HTML Phorum Mod disabled; I've been consistently able to inject javascript and get it to execute on IE6 & IE7.
(Firefox is not affected ;)

Cheers
Re: Module: Embed Images
September 02, 2008 09:40AM
I can confirm this behavior, but I could not find the solution just yet. I'll get back on it.

Quote

I would also keep the HTML Phorum Mod disabled; I've been consistently able to inject javascript and get it to execute on IE6 & IE7.

How about mailing your findings to security@phorum.org? We also recommend not having that module enabled, but there are a lot of forums that seem to lean on it for historic reasons. We do want to fix XSS inclusions that can be done through the HTML module.


Maurice Makaay
Phorum Development Team
Re: Module: Embed Images
September 02, 2008 03:20PM
Ok Maurice,
I'll send an email with details tomorrow, and I'll also send a text file with various variations of XSS attacks that I use to copy/paste in order to test my own scripts. Many of these pass through.

Cheers
Re: Module: Embed Images
September 02, 2008 04:08PM
Thanks. Such information is always important to us and useful for the community as a whole. The number of places where MSIE interprets crippled javascript is really really evil and we can only do our best to patch things.

Makes me kind of think about a nice Outlook bug that hit our office again this week (the first time was years ago). It's normal in Dutch to write something like "begin 2006" at the start of a sentence ("at the beginning of 2006"). Outlook picks this up as if it were uuencoded data, even when it's somewhere in the middle of a message. You get really fun results as you can imagine ;-) Microsoft's parsers seem to have a wicked sense of humor.


Maurice Makaay
Phorum Development Team
Re: Module: Embed Images
September 03, 2008 03:53AM
Hello Maurice,
Mail sent :)

Oh, thank heavens I'm not forced to use Outlook at work. I've been a proud pine user since the early 90s. hah.
This is good, it means I'm totally *not* the person to rely on for user problems/support regarding Outlook! phew.

Anyway, I've solved XSS attacks for now by cloning the HTML mod and adding extra filtering via the safehtml
class. It's old and hasn't been updated recently I think, but it has never failed me in my tests. (Or so I think.)

Language: PHP
/* -------------------- Basically these are the only additions to the default html mod */
// The safehtml class and the ALLOWED_TAGS define are loaded elsewhere (my integration module).

// Filter input with Safehtml: sanitize attributes, protocols and encodings, keep the tags
$safehtml = new safehtml();
$safehtml->protocolFiltering = "white";
$body = $safehtml->parse($body);

// strip tags that are not allowed, leave allowed ones
$body = strip_tags($body, ALLOWED_TAGS);

It doesn't remove tags, but rather sanitizes them: it removes all null bytes, exotic HTML properties and protocols, and strange ways you can encode stuff, so at the end I can confidently use a simple strip_tags and turn it into a whitelisted-tags solution. Added bonus: obviously table and div tags are nowhere to be found in the ALLOWED_TAGS define, so there's also no way a user will screw up the site layout.

Just a quick solution for my case, since it depends on code I already include for my site in my integration module.

Cheers



Edited 1 time(s). Last edit at 09/03/2008 04:05AM by chris.
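An added example, not code from this thread or from Phorum, of the two stages in the post above (sanitize attributes and URL schemes, whitelist tags), written here with the order swapped: a tag whitelist alone leaves event-handler attributes and URL schemes on the allowed tags untouched, so a second pass has to filter those. The names ALLOWED_ATTRS, ALLOWED_SCHEMES, url_is_allowed and sanitize_post_html are assumptions; it needs PHP 7+ with ext/dom.

```php
<?php
// Added example, not from the thread or from Phorum: a small whitelist sanitizer
// in the spirit of the two-stage approach above (attribute/protocol filtering
// plus a tag whitelist). All names here are assumptions. Needs ext/dom.
define('ALLOWED_TAGS', '<b><i><u><p><br><a><img>');
const ALLOWED_ATTRS   = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
// True for relative URLs and whitelisted schemes. Entities, embedded control
// characters and case are normalised first, the usual ways a scheme is hidden.
function url_is_allowed(string $url): bool {
    $u = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $u = strtolower(preg_replace('/[\x00-\x20]+/', '', $u));
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/', $u, $m)) {
        return true; // no scheme, nothing to filter
    }
    return in_array($m[1], ALLOWED_SCHEMES, true);
}
function sanitize_post_html(string $body): string {
    // Stage 1: tag whitelist. strip_tags() keeps the text inside removed tags,
    // so "<script>x()</script>" still leaves the text "x()" behind.
    $body = strip_tags($body, ALLOWED_TAGS);
    // Stage 2: attribute and protocol whitelist on the surviving tags.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $body . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        $keep = ALLOWED_ATTRS[strtolower($el->tagName)] ?? [];
        $names = [];
        foreach ($el->attributes as $attr) { $names[] = $attr->name; }
        foreach ($names as $name) { // names collected first: removing while iterating is unsafe
            $isUrl = in_array($name, ['href', 'src'], true);
            if (!in_array($name, $keep, true)
                || ($isUrl && !url_is_allowed($el->getAttribute($name)))) {
                $el->removeAttribute($name);
            }
        }
    }
    $out = ''; // serialise the wrapper's children (user <div>s were stripped in stage 1)
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $c) {
        $out .= $doc->saveHTML($c);
    }
    return $out;
}
// Constructed sample: an event handler and a non-whitelisted URL scheme on
// allowed tags are dropped; the text and the https link survive.
echo sanitize_post_html('<p onclick="x()">Hi <a href="javascript:void(0)" '
    . 'title="t">one</a> <a href="https://example.org/">two</a></p>'), "\n";
```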
Re: Module: Embed Images
September 03, 2008 07:08AM
If you need HTML enabled on your phorum, have you considered the "HTML Purifier" module? It may well solve the injections much better than the phorum-supplied one.

NB: The author hasn't updated the module in a while, but I believe that to be because of lack of interest. The HTML Purifier library itself is still very actively developed. It is likely he could be persuaded to update the phorum module.

If you need convincing, check Purifier's parsing here and compare to what the Phorum module does with that XSS set.

--
Niels Callesoe

Basic Phorum user.



Edited 2 time(s). Last edit at 09/03/2008 07:21AM by nica.
Re: Module: Embed Images
September 03, 2008 07:59AM
Thanks for the suggestion Nica,

I've seen the HTML Purifier mod, and in fact I have considered it as a solution for my own projects regardless of Phorum, but I've settled on SafeHtml instead. There are mainly two reasons. HTML Purifier is *huge*; safehtml is only two small files, safehtml itself & HTMLSax3.
Maybe HTML Purifier is actually efficient in memory and whatnot, but the sheer size put me off. The second reason is that everything I've ever thrown at safehtml so far, it handled properly and returned proper, easy-to-handle HTML. So it works for me (tm) :)

Maybe if enough people are interested I could turn SafeHtml into a standalone Phorum mod as another option. It shouldn't be too hard, and many other open source CMSes use it. Unfortunately, it seems the site where it was hosted is not available now, however.

In any case, it's unfortunate that people are so conditioned to the MySpace method of pasting HTML, when BBCode is a much safer alternative, but hey. What can you do. :)

Chris
Re: Module: Embed Images
September 03, 2008 09:08AM
With safehtml being only two files, it gets kind of interesting for the core Phorum code IMO. As a stand-alone module, we'd probably not reach the people that enabled the HTML module. When it's a standard module, we might actually have a chance that people get their HTML module fixed on upgrade.

Do you have an idea on the license type that is used for SafeHTML? Their website seems down currently indeed.


Maurice Makaay
Phorum Development Team
Re: Module: Embed Images
September 03, 2008 09:51AM
Maurice,
From the source of the file I'm using:

Language: PHP
@license http://www.debian.org/misc/bsd.license BSD License (3 Clause)

Looking at my implementation I stand corrected. Safehtml is one file, but the HTMLSax3 PEAR package that it depends upon is not one file, it's four files. Rather on the small side, however. Probably still 10 times smaller than HTMLPurifier.

I think I found it; apparently it's called HTML_Safe on pear.php.net: pear.php.net.

Note that pear does not need to be installed in any way. It's trivial to include as stand-alone.
Drupal is another high profile cms that also has an implementation: drupal.org.

Chris



Edited 1 time(s). Last edit at 09/03/2008 09:52AM by chris.
Re: Module: Embed Images
September 03, 2008 06:20PM
The Safe HTML Checker that Purifier compares itself to, is actually only one page. I wonder if it is the same, or related, to the one you are discussing?

--
Niels Callesoe

Basic Phorum user.