>> trying to download the last version of CF4em 
>> check out the bbmlparser there.

I decided to spend an evening fully investigating the subject and looked at
all the various BBML code routines in CF, PHP and Perl to see what I could
glean. It looks like just about all the ones I could find have the same
approach and the same basic vulnerabilities as the one in the forum I am
fixing. For basic formatting, like bold, italic, underline, etc., the
process is straightforward and doesn't involve using any user input as part
of the tag. Just replace the entire [] tag with the entire <> tag.

However, with URL, image and font type tags, where the construction of the
tag uses the user input as part of the HTML tag, just about all the
routines I saw fail to sanitize the user input content used in the
construction of the tag, allowing for the injection of JavaScript code.

Example: in an image tag like [img]image.gif[/img], almost all routines I
found look for the start tag and end tag, then extract the middle, re-format
the tags to HTML tags and re-insert the middle portion without checking it.
Same for URL and Font tags. None of the routines I saw even validate or
remove invalid characters for URI construction. So it is easy then for
someone to add scripting by doing this:

[img]img.gif"onMouseOver="alert('gotcha');[/img]

For image and URL tags I test for and remove all quote tags and non-URI
valid tags. The font tags were more difficult since they may contain other
tags between beginning and end, so, since hardly anyone was using the [font]
tags and apparently most forums do not support them, I just removed them
entirely.

Want to find holes in your code? Just dare 13-16 year olds to break it. :)

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com
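
As an added illustration of the pattern described in the post (example code, not from any of the CF, PHP or Perl parsers it examined, and written in Python so it runs anywhere): the naive [img] conversion that re-inserts the middle unchecked, beside a hardened version that strips quotes and non-URI characters as the post does. The http/https scheme allowlist and the choice to emit rejected markup as inert text are this example's own assumptions, not something the post specifies.

```python
import re
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Added example; the regex and helper names are illustrative, not a real forum's parser.
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def naive_img_to_html(text: str) -> str:
    """The pattern the post criticizes: extract the middle and re-insert it unchecked."""
    return IMG_RE.sub(lambda m: '<img src="' + m.group(1) + '">', text)


# Characters permitted inside a URI (RFC 3986 unreserved and reserved sets plus '%'),
# with both quote characters deliberately excluded, as the post describes.
NON_URI_CHARS = re.compile(r"[^A-Za-z0-9\-._~:/?#\[\]@!$&()*+,;=%]")
SAFE_SCHEMES = {"", "http", "https"}  # "" permits relative paths such as img.gif


def sanitize_img_url(raw: str) -> Optional[str]:
    """Strip quotes and non-URI characters; reject anything that is not http(s) or relative."""
    cleaned = NON_URI_CHARS.sub("", raw.strip())
    if not cleaned:
        return None
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:  # e.g. malformed bracketed host
        return None
    if scheme not in SAFE_SCHEMES:
        return None
    return cleaned


def hardened_img_to_html(text: str) -> str:
    def repl(m: re.Match) -> str:
        url = sanitize_img_url(m.group(1))
        if url is None:
            # Show the original markup as inert text rather than emitting a tag.
            return escape(m.group(0))
        # Attribute escaping is belt-and-braces; the allowlist already bars quotes.
        return '<img src="%s">' % escape(url, quote=True)

    return IMG_RE.sub(repl, text)
```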

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359112