Code Injection / CGI Module 6

1DMF (Programmer):
Hello,

Since reading about the Easter Twitter attack, I was wondering how much protection the CGI module gives for reading the query string data / form data from websites.

I know you guys have always said that the CGI module does give some form of protection from malicious code and wondered how much protection it actually gives.

Is there additional regexes and counter obfuscation which needs to be applied to inputted data to ensure data integrity?

Any advice to protect against such types of code injection is much appreciated.

Regards,
1DMF.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!
 
@Kevin -> I use
Code:
use CGI::Carp qw(fatalsToBrowser warningsToBrowser); 
use warnings;
use strict;
at the top of every script I write. Any other ideas?

@Kirsle -> Thanks for the info, I'll add the s ;-) It's interesting that a browser can cause such a problem merely by the way it handles the markup, but it shouldn't be an issue for my current purpose.

@Chris -> Thanks for the alternative. I was aware that no chevrons could be used with the substitution code; as this is a simple 'guestbook' facility for people who have stayed in our holiday flats to leave reviews, they should have no reason to use chevrons.

I guess I could add a little JS pop-up telling them they can't use chevrons, should they try, but I thought simply stripping anything within chevrons would be fine, though it did make me wonder if that would make someone 'multi-post' because what they wrote got truncated. Which could in turn pee them off so they then leave a bad review.

But I then thought, whoa tiger, over thought, monitor and just see if it ever becomes a problem, if it does, then deal with it.

What would you do?



 
What would you do?
I'd use the code I posted above.

If somebody posts a review like "What a lovely flat and <100m from the beach", or "We thought the place was <brilliant>", or even (heaven forbid) "<script>do_nasty_things()</script>" that's what they'll see on your page. Swapping any < characters for &lt; will ensure that html elements cannot be injected onto your site.

Your current approach of removing whole tags only is flawed - what if someone were to post this:
<img src="blank.gif" onload="do_nasty_things()"
Your check won't remove a tag with no closing >, but when it's rendered into a page like this:
Code:
<p><img src="blank.gif" onload="do_nasty_things()" </p>
it will treat <img src="blank.gif" onload="do_nasty_things()" </p> as an img element with an unknown "</p" attribute.

Just trap all < character and you should be OK.



-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd
 
Got ya, your method deals with malformed tags!

Definitely a well earned star.

I take it if you did
Code:
img src="blah.gif" onload="do_nasty_stuff()">

a browser would not be fault tolerant for failing to open a tag correctly, like it does with closing a tag?

 
Usually typing a > in clear text in HTML will display it literally on the page.

As I was giving this thread another read-through I realized what ChrisHunt pointed out, that a poster could use multiple posts to complete a tag.

One of my other co-workers found a different exploit on MySpace after the samy worm where he could run JavaScript by spanning stuff across multiple parts of his profile. I don't recall the details, but it was something like:

Code:
About Me

<img src="" alt="

Who I'd Like To Meet

" onerror="alert('ha!')">

So MySpace would effectively piece this together as like

Code:
<img src="" alt="</td></tr></table>etc<table><tr><td><b>Who I'd Like To Meet:</b><p>" onerror="alert('ha!')">

The exploit was that in one field on your profile, MySpace's html filtering wasn't as thorough as other fields (I think it actually involved the information table showing location, height, body type, etc)...

Cuvou.com | My personal homepage
Code:
perl -e '$|=$i=1;print" oo\n<|>\n_|_";x:sleep$|;print"\b",$i++%2?"/":"_";goto x;'
 
I take it if you did
Code:
img src="blah.gif" onload="do_nasty_stuff()">
a browser would not be fault tolerant for failing to open a tag correctly, like it does with closing a tag?
The issue won't arise with a >, because there shouldn't be a matching < for it to pair with. Look:
Code:
<p>img src="blank.gif" onload="do_nasty_things()"></p>
When the browser sees a <, it interprets everything else as the contents of a tag, until it reaches a > sign. So in the example above, <p> is a tag, </p> is one too, but the img stuff in between isn't because there's no < sign.

In my previous example, the whole of <img src="blank.gif" onload="do_nasty_things()" </p> is interpreted as a single tag: <, tag content, then a >. The fact that the characters inside the tag include a < sign won't bother the browser, it just treats it as an attribute that it doesn't know about and ignores it.

The one place where a > may be ignored inside a tag is inside the quoted value of an attribute. That opens the door to the kind of attack that Kirsle alludes to. With this in mind, you should probably do this to any user-entered text that you display on your site:
Code:
$my_var =~ s/&/&amp;/g; # do this one first!
$my_var =~ s/</&lt;/g;
$my_var =~ s/>/&gt;/g;
$my_var =~ s/"/&quot;/g;
$my_var =~ s/'/&apos;/g;
That tackles all potential problematic characters, as well as potential bars to validating your page.


 
Nice one Chris!

 
Well, I ended up using this.
Code:
$fullname =~ s/\r\n//g;      # strip line breaks
$fullname =~ s/\n//g;
$fullname =~ s/\r//g;
$fullname =~ s/\s{2,}/ /g;   # collapse runs of whitespace to one space
$fullname =~ s/\|//g;        # remove pipe characters
$fullname =~ s/&/&amp;/g;    # escape HTML special characters, & first
$fullname =~ s/</&lt;/g;
$fullname =~ s/>/&gt;/g;
$fullname =~ s/\"/&quot;/g;
$fullname =~ s/\'/&apos;/g;

and got this result
&lt; script&gt;alert(&apos;hello&apos;)&lt;/script&gt;

was that the expected outcome?

 
I changed
Code:
$fullname =~ s/\'/&apos;/g;
to
Code:
$fullname =~ s/\'/&\#39;/g;
and it worked fine :)

Thanks!

 
Apologies if it's been mentioned already, but there's an HTML::Entities module that'll escape any "funny characters" you get as input.

Alternatively, you might want to let users submit *some* HTML tags (<b>, <br>, etc.) in which case you could use HTML::TagFilter.
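Putting the thread's advice together, as an added example that is not code from any of the posters: it runs the flawed "strip whole tags" approach and the escaping sequence from Chris's post (with 1DMF's &#39; in place of &apos;) over the review texts discussed above, and cross-checks the hand-rolled escape against HTML::Entities, which is assumed to be installed, as ishnid suggests.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): "strip tags" versus escaping,
# checked against HTML::Entities (assumed installed).
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# The flawed approach: remove anything that looks like a complete tag.
sub strip_tags {
    my ($text) = @_;
    $text =~ s/<[^>]*>//g;
    return $text;
}

# The thread's escape sequence. &#39; is used instead of &apos; because
# &apos; is not defined in HTML 4 and some browsers show it literally.
sub escape_html {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;    # first, or the entities below get re-escaped
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Constructed review texts: the two benign ones from the thread, Chris's
# unclosed tag, and one with quotes, an ampersand and an apostrophe.
my @reviews = (
    'What a lovely flat and <100m from the beach',
    'We thought the place was <brilliant>',
    '<img src="blank.gif" onload="do_nasty_things()"',
    q{"Lovely" & it's cheap},
);

for my $r (@reviews) {
    my $stripped = strip_tags($r);
    my $escaped  = escape_html($r);
    # Any < that survives stripping still starts a tag when rendered.
    my $verdict = $stripped =~ /</ ? 'STILL CONTAINS <' : 'no < left';
    printf "input:    %s\nstripped: %s  [%s]\nescaped:  %s\n\n",
        $r, $stripped, $verdict, $escaped;
    # encode_entities() escapes the same five characters by default
    # (plus control and non-ASCII characters, which these inputs lack).
    die "mismatch for '$r'" unless $escaped eq encode_entities($r);
}
```

The first and third inputs keep their < after stripping (one is a harmless review, the other is the unclosed tag from Chris's post), while the second is silently truncated; the escaped column renders every input as plain text.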
 
+1 for ishnid. I didn't know about HTML::TagFilter! It would sure come in handy if I ever got the insane idea to make a MySpace-like site (god forbid!), or anything else that lets users use lots of HTML.

The module looks much more thorough than anything I'd be able to roll myself.

 
Nice one Ishnid.

 
Anyone got an idea why -T 'taint' mode won't work?

 
Taint will stop you using dangerous data in the wrong place (i.e. system calls, opening files, etc.). If you try, it'll throw an error on you. There's an excellent tutorial on CGI programming here that covers it pretty well.
 
I know Ishnid, that's why I wanted to turn it on, I've read the CGI CPAN document and I cannot find a mention of the problem I'm having.

I tried the link you've supplied but just get
If you're seeing this page, it indicates that the either the tinymicros.com server is down, or that DNS2GO is having issues, and you have been redirected to this site.

 
Anyone got an idea why -T 'taint' mode won't work?
[...]
I've read the CGI CPAN document and I cannot find a mention of the problem I'm having.
Perhaps if you were to describe in more detail the problem you're having, you might get some help fixing it. "It won't work" isn't much to go on.

Probably best to start a new thread though.


 
Strange. That link is working for me at the minute anyway.
 
If you are using a Windows server I don't think you can use -T from the shebang line. The server has to be setup to run with -T enabled some other way, maybe using the file association.

------------------------------------------
- Kevin, perl coder unexceptional!
 
Chris -> I did, if you look at the whole thread ;-)

Kevin -> Thanks, though I'm not sure this is a Windows box where I'm having the problem, but it is shared hosting and as it's 123-reg, the support sucks and so does their user interface and hosting package. We will be getting rid of them when hosting is up for renewal, so I think I'll just run with Chris's code until then.

As the script doesn't make calls to these functions, I'm assuming there is no possible way to inject such calls, or is there?

Is that the whole point? But that would make 99% of all scripts vulnerable, wouldn't it?
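An added example, not from the thread, of what -T does and does not catch in a guestbook-style script; it assumes CGI.pm is installed and that a writable reviews/ directory exists next to the script.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): what taint mode catches and what
# it leaves to you. Try: QUERY_STRING='name=../../somewhere' perl -T taint_demo.pl
use strict;
use warnings;
use CGI;

my $q    = CGI->new;
my $name = $q->param('name');
$name = 'anonymous' unless defined $name && length $name;

# Under -T every value from outside the program (CGI params, %ENV, STDIN)
# is tainted, and stays tainted when copied or concatenated.

# Printing tainted data into the page is NOT something taint mode stops;
# it only guards operations that reach the OS. Escaping is still your job.
(my $shown = $name) =~ s/([<>&"'])/sprintf('&#%d;', ord $1)/ge;
print $q->header(-type => 'text/html');
print "<p>Hello, $shown</p>\n";

# Appending to a file whose name comes straight from the user would die
# with "Insecure dependency in open while running with -T switch".
# (A read-only open of a tainted name is allowed; writes and system
# calls are not.)
#   open my $fh, '>>', "reviews/$name.txt";

# Untaint by matching an allow-list of what a valid name looks like;
# only the captured part ($1) is considered clean.
if ($name =~ /\A([A-Za-z0-9_-]{1,32})\z/) {
    my $clean = $1;
    if (open my $fh, '>>', "reviews/$clean.txt") {
        print $fh "visited\n";
        close $fh;
        print "<p>Logged visit for $clean</p>\n";
    } else {
        print "<p>Could not write review file: $!</p>\n";
    }
} else {
    print "<p>Name rejected: only letters, digits, _ and - are allowed.</p>\n";
}
```

Run it as `perl -T taint_demo.pl`: if -T is only on the #! line and the interpreter is started without it, as happens when a server launches perl through a file association, Perl stops with 'Too late for "-T" option', which is the limitation Kevin describes.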
