RE: UBBCode img tag exploit
> There is nothing like the PANIC of 13-16 year olds who get to see gay porn because a redirect was embedded in the [IMG] tag of their favorite video game web forum.

Ahh, yes there is, that of their parents ;)

-----Original Message-----
From: UXB Internet [mailto:denn...@uxbinternet.com]
Sent: August-04-10 8:38 PM
To: cf-talk
Subject: RE: UBBCode img tag exploit

> > DP_ParseBBML) has this flaw, I just tested it.
>
> I looked at all the open source CF based forums I could find and they all had the same flaw. Many used the DP_ParseBBML module or some variation on it.
>
> > Basically, I think if you prevent conversion of images with quotes, this goes away.
>
> That was my thinking as well. Or more precisely, what I knew would stop the existing attack. What I did was modify the [IMG] conversion routine to disallow both standard and single quotes, either base or encoded. I also disallowed the semi-colon ; because that can be used to chain script commands. But I am sure this is not a proper sanitization of the input.
>
>     src = replaceNoCase(src, "#chr(34)#", "", "ALL");
>     src = replaceNoCase(src, "#chr(39)#", "", "ALL");
>     src = replaceNoCase(src, "%22", "", "ALL");
>     src = replaceNoCase(src, ";", "", "ALL");
>     src = replaceNoCase(src, "%3B", "", "ALL");
>
> I still feel this is a stop-gap or just a response based approach and does not fully sanitize the input. I was hoping someone had existing code that did, because as I said it was a freebie.
>
> There is nothing like the panic of 13-16 year olds who get to see gay porn because a redirect was embedded in the [IMG] tag of their favorite video game web forum.
>
> If anyone has better ideas to prevent this type of abuse please share them. Teenagers intent on doing mischief can be very clever and I am starting to slow down a bit.
>
> Dennis Powers
> UXB Internet - A Website Design & Hosting Company
> P.O. Box 6028
> Wolcott, CT 06716
> 203-879-2844
> http://www.uxbinternet.com

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336029
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: UBBCode img tag exploit
On Wed, Aug 4, 2010 at 12:35 PM, Brook Davies cft...@logiforms.com wrote:
> Hi Pete,
>
> Do you have any examples of how to integrate AntiSamy for Java with CF? Is that in your presentation?

Hi Brook,

I've just posted a blog entry on using AntiSamy in ColdFusion: http://www.petefreitag.com/item/760.cfm

And I've also posted my slides for my CFUnited "Writing Secure CFML" presentation here: http://www.petefreitag.com/item/759.cfm and my other CFUnited presentation, "Locking Down ColdFusion 9", here: http://www.petefreitag.com/item/758.cfm

Let me know if you have any questions.

--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336032
RE: UBBCode img tag exploit
Awesome, thanks Pete!

-----Original Message-----
From: Pete Freitag [mailto:p...@foundeo.com]
Sent: August-05-10 8:54 AM
To: cf-talk
Subject: Re: UBBCode img tag exploit

> On Wed, Aug 4, 2010 at 12:35 PM, Brook Davies cft...@logiforms.com wrote:
> > Hi Pete,
> >
> > Do you have any examples of how to integrate AntiSamy for Java with CF? Is that in your presentation?
>
> Hi Brook,
>
> I've just posted a blog entry on using AntiSamy in ColdFusion: http://www.petefreitag.com/item/760.cfm
>
> And I've also posted my slides for my CFUnited "Writing Secure CFML" presentation here: http://www.petefreitag.com/item/759.cfm and my other CFUnited presentation, "Locking Down ColdFusion 9", here: http://www.petefreitag.com/item/758.cfm
>
> Let me know if you have any questions.
>
> --
> Pete Freitag
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336041
Re: UBBCode img tag exploit
Hi Dennis,

Take a look at AntiSamy for Java; it will sanitize HTML based on rules you specify. Also take a look at OWASP ESAPI for Java, which has encoder methods you can use when you output variables on your page to prevent XSS (ESAPI has support for using AntiSamy as well).

I covered this at my CFUnited presentation "Writing Secure CFML". I will be posting slides for that on my blog hopefully later today.

--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Jul 28, 2010 at 12:09 AM, UXB Internet denn...@uxbinternet.com wrote:
> I am wondering if anyone has a UBBCode to HTML conversion for the [IMG] tag that will sanitize the input to prevent XSS vulnerabilities such as adding script to the img tag. I am trying to prevent XSS like below and worse.
>
> I have a CF based forum I inherited and the UBB HTML conversion for the [img] tag is simplistic and needs replacing. I would rather not reinvent the wheel if I don't have to, especially since this is a favor for someone. Any help is appreciated.
>
> [img]http://www.uxb.net/images/small-logo.gif onLoad=alert(String.fromCharCode(88,83,83))[/img]
> [img]fake.png onerror=alert(String.fromCharCode(88,83,83))[/img]
>
> Dennis Powers
> UXB Internet - A Website Design & Hosting Company
> P.O. Box 6028
> Wolcott, CT 06716
> 203-879-2844
> http://www.uxbinternet.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335985
RE: UBBCode img tag exploit
Hi Pete,

Do you have any examples of how to integrate AntiSamy for Java with CF? Is that in your presentation?

Brook

-----Original Message-----
From: Pete Freitag [mailto:p...@foundeo.com]
Sent: August-04-10 8:37 AM
To: cf-talk
Subject: Re: UBBCode img tag exploit

> Hi Dennis,
>
> Take a look at AntiSamy for Java; it will sanitize HTML based on rules you specify. Also take a look at OWASP ESAPI for Java, which has encoder methods you can use when you output variables on your page to prevent XSS (ESAPI has support for using AntiSamy as well).
>
> I covered this at my CFUnited presentation "Writing Secure CFML". I will be posting slides for that on my blog hopefully later today.
>
> --
> Pete Freitag
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
>
> On Wed, Jul 28, 2010 at 12:09 AM, UXB Internet denn...@uxbinternet.com wrote:
> > I am wondering if anyone has a UBBCode to HTML conversion for the [IMG] tag that will sanitize the input to prevent XSS vulnerabilities such as adding script to the img tag. I am trying to prevent XSS like below and worse.
> >
> > I have a CF based forum I inherited and the UBB HTML conversion for the [img] tag is simplistic and needs replacing. I would rather not reinvent the wheel if I don't have to, especially since this is a favor for someone. Any help is appreciated.
> >
> > [img]http://www.uxb.net/images/small-logo.gif onLoad=alert(String.fromCharCode(88,83,83))[/img]
> > [img]fake.png onerror=alert(String.fromCharCode(88,83,83))[/img]
> >
> > Dennis Powers
> > UXB Internet - A Website Design & Hosting Company
> > P.O. Box 6028
> > Wolcott, CT 06716
> > 203-879-2844
> > http://www.uxbinternet.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335988
Re: UBBCode img tag exploit
Interesting thread. The parseBBML() UDF that I wrote for CFMBB (based on Jim Davis' DP_ParseBBML) has this flaw, I just tested it.

Basically, I think the fix is to modify this line:

    Input = ReReplaceNoCase(Input, "\[(img|image)\]([^[#Chr(171)#]*)\[/(img|image)\]", "#Chr(171)#img src=#Chr(167)#\2#Chr(167)##Chr(187)#", "All");

(the funky Chr() values are temporary replacement characters for the conversion process)

Basically, I think if you prevent conversion of images with quotes, this goes away. I.e.:

    Input = ReReplaceNoCase(Input, "\[(img|image)\]([^[#Chr(34)##Chr(171)#]*)\[/(img|image)\]", "#Chr(171)#img src=#Chr(167)#\2#Chr(167)##Chr(187)#", "All");

But I haven't tested this yet.

(btw, Ray's Galleon uses DP_ParseBBML so Galleon may have this issue as well, along with a similar solution)

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335989
Re: UBBCode img tag exploit
This does seem to work if you're using DP_ParseBBML or my parseBBML UDF.

rick

On Wed, Aug 4, 2010 at 2:02 PM, Rick Root rick.r...@gmail.com wrote:
> Interesting thread. The parseBBML() UDF that I wrote for CFMBB (based on Jim Davis' DP_ParseBBML) has this flaw, I just tested it.
>
> Basically, I think the fix is to modify this line:
>
>     Input = ReReplaceNoCase(Input, "\[(img|image)\]([^[#Chr(171)#]*)\[/(img|image)\]", "#Chr(171)#img src=#Chr(167)#\2#Chr(167)##Chr(187)#", "All");
>
> (the funky Chr() values are temporary replacement characters for the conversion process)
>
> Basically, I think if you prevent conversion of images with quotes, this goes away. I.e.:
>
>     Input = ReReplaceNoCase(Input, "\[(img|image)\]([^[#Chr(34)##Chr(171)#]*)\[/(img|image)\]", "#Chr(171)#img src=#Chr(167)#\2#Chr(167)##Chr(187)#", "All");
>
> But I haven't tested this yet.
>
> (btw, Ray's Galleon uses DP_ParseBBML so Galleon may have this issue as well, along with

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335992
RE: UBBCode img tag exploit
> DP_ParseBBML) has this flaw, I just tested it.

I looked at all the open source CF based forums I could find and they all had the same flaw. Many used the DP_ParseBBML module or some variation on it.

> Basically, I think if you prevent conversion of images with quotes, this goes away.

That was my thinking as well. Or more precisely, what I knew would stop the existing attack. What I did was modify the [IMG] conversion routine to disallow both standard and single quotes, either base or encoded. I also disallowed the semi-colon ; because that can be used to chain script commands. But I am sure this is not a proper sanitization of the input.

    src = replaceNoCase(src, "#chr(34)#", "", "ALL");
    src = replaceNoCase(src, "#chr(39)#", "", "ALL");
    src = replaceNoCase(src, "%22", "", "ALL");
    src = replaceNoCase(src, ";", "", "ALL");
    src = replaceNoCase(src, "%3B", "", "ALL");

I still feel this is a stop-gap or just a response based approach and does not fully sanitize the input. I was hoping someone had existing code that did, because as I said it was a freebie.

There is nothing like the panic of 13-16 year olds who get to see gay porn because a redirect was embedded in the [IMG] tag of their favorite video game web forum.

If anyone has better ideas to prevent this type of abuse please share them. Teenagers intent on doing mischief can be very clever and I am starting to slow down a bit.

Dennis Powers
UXB Internet - A Website Design & Hosting Company
P.O. Box 6028
Wolcott, CT 06716
203-879-2844
http://www.uxbinternet.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336013
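Editor's note: an allowlist version of the [img] conversion that Rick's regex change and Dennis's quote-stripping are both approximating, added here as an illustration in Python rather than as CFML from DP_ParseBBML, CFMBB, Galleon or Dennis's forum. Instead of deleting quote and semicolon characters from the URL (a denylist, which is what Dennis calls a stop-gap), it validates the whole URL against an allowlist of characters and schemes, refuses to convert any tag that fails, and HTML-attribute-encodes the value it emits. The function names, the example.test URLs and the sample posts are constructed for this example; the two rejected sample posts reuse the test strings from Dennis's first message.

```python
import html
import re
from urllib.parse import urlsplit

# [img]...[/img] or [image]...[/image], case-insensitive. The body is captured
# raw; every safety decision is made in is_safe_image_url(), not in the regex.
IMG_TAG = re.compile(r"\[(?:img|image)\](.*?)\[/(?:img|image)\]",
                     re.IGNORECASE | re.DOTALL)

# Allowlist of characters accepted in an image URL (a conservative subset of
# RFC 3986). Whitespace, both quote characters, angle brackets, backslash and
# parentheses are deliberately absent, so a value that could break out of the
# src attribute never reaches the output stage at all.
SAFE_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#@!$&*+,;=%]+")

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_image_url(url: str) -> bool:
    """Accept only absolute http(s) URLs built from allowlisted characters."""
    if not SAFE_URL_CHARS.fullmatch(url):
        return False
    parts = urlsplit(url)
    # javascript:, data:, vbscript: and scheme-relative // URLs all fail here.
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_img(url: str) -> str:
    """Emit the tag with the value attribute-encoded even though it was validated.

    html.escape(quote=True) turns & < > " and ' into entities, so the browser
    can only read the value as the src string. Percent-escapes such as %22 are
    left alone on purpose: the HTML parser does not URL-decode attribute values,
    so they cannot close a quoted attribute (stripping them buys nothing).
    """
    return '<img src="%s" alt="" />' % html.escape(url, quote=True)


def convert_bbcode(text: str) -> str:
    """Convert [img] tags to <img>; all other text is escaped, never trusted."""
    out = []
    pos = 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = m.group(1).strip()
        if is_safe_image_url(url):
            out.append(render_img(url))
        else:
            # Reject rather than repair: a tag that fails validation is shown
            # to readers as escaped literal text, never as markup.
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


# Constructed sample posts. The last two are the test strings from Dennis's
# first message; the others are made up for this example.
SAMPLE_POSTS = [
    "[img]http://www.uxb.net/images/small-logo.gif[/img]",
    "[IMG]https://example.test/pic.png?size=large&v=2[/IMG]",
    "[img]javascript:alert(1)[/img]",
    "[img]http://www.uxb.net/images/small-logo.gif onLoad=alert(String.fromCharCode(88,83,83))[/img]",
    "[img]fake.png onerror=alert(String.fromCharCode(88,83,83))[/img]",
]


def run_samples() -> list:
    """Return (post, converted, rendered_as_image) for each sample post."""
    results = []
    for post in SAMPLE_POSTS:
        converted = convert_bbcode(post)
        results.append((post, converted, converted.startswith("<img ")))
    return results


if __name__ == "__main__":
    for post, converted, rendered in run_samples():
        print(("IMAGE  " if rendered else "TEXT   ") + converted)
```

The design choice worth copying into the CFML version is the order of operations: validate the raw URL against an allowlist first, then encode on output, and fall back to showing the tag as escaped text when validation fails. Rick's single-regex change only excludes the double quote from the captured group; this version also excludes the single quote, whitespace and angle brackets, and additionally requires an http or https scheme, so a non-image URL in an [img] tag is refused outright rather than merely kept from closing the attribute.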
UBBCode img tag exploit
I am wondering if anyone has a UBBCode to HTML conversion for the [IMG] tag that will sanitize the input to prevent XSS vulnerabilities such as adding script to the img tag. I am trying to prevent XSS like below and worse.

I have a CF based forum I inherited and the UBB HTML conversion for the [img] tag is simplistic and needs replacing. I would rather not reinvent the wheel if I don't have to, especially since this is a favor for someone. Any help is appreciated.

[img]http://www.uxb.net/images/small-logo.gif onLoad=alert(String.fromCharCode(88,83,83))[/img]
[img]fake.png onerror=alert(String.fromCharCode(88,83,83))[/img]

Dennis Powers
UXB Internet - A Website Design & Hosting Company
P.O. Box 6028
Wolcott, CT 06716
203-879-2844
http://www.uxbinternet.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335779