Welcome to Geeklog Thursday, April 17 2014 @ 02:58 PM EDT

Suggestions for filtering CSS url( ) images?

Security
  • Thursday, January 30 2003 @ 06:19 AM EST
  • Contributed by:
  • Views: 13,756

While playing with what sorts of HTML I could include in a message I managed to get a logo to appear overtop of the site logo via a CSS url() call. I thought it was a neat hack personally, but now I've got potential clients ("suits") who are concerned about having porn added to their sites.

There is an example in this message; you should be able to see an example image just under the Geeklog logo in most browsers.

It only takes a few minutes of playing with this to see how much stuff you can do with it. (Using position:fixed; can be really annoying)

I was just going to add a bunch of eregi() calls but thought I'd ask around here first for opinions/suggestions/comments on filtering out stuff like this without crippling GeekLog's HTML inclusion facility.

Editor's note: here is the example code:

style="position:absolute;top:100px;left:100px;
width:200px;height:101px;z-index:100;
background-image:url('http://www.example.com/someimage.gif');
border:0;margin:0;padding:0;display:block"

--
Lucas Thompson
sardu@mac.com


  • Suggestions for filtering CSS url( ) images?
  • Authored by: sardu on Thursday, January 30 2003 @ 11:24 AM EST
Just a suggestion to the moderators, edit my story and put the example CSS hack in the body so it doesn't show up on the main security page.

Now you see why I want to fix this : )

---
Lucas Thompson
sardu_AT_mac.com
  • Suggestions for filtering CSS url( ) images?
  • Authored by: squatty on Thursday, January 30 2003 @ 11:39 AM EST
Question: is this a GL specific issue, apache, php, what? I'd be interested in seeing if this exploit can be applied to other apps/platforms. Not that I'm looking for "hacking" tips or anything...just want to see if my work environment is impacted.

Thnx!

---
Danny @ squatty.com
  • Suggestions for filtering CSS url( ) images?
  • Authored by: sardu on Thursday, January 30 2003 @ 11:50 AM EST
I hope I haven't opened up a huge can of worms posting that message. I don't really fancy the idea of anonymous comments 'rebranding' sites all over the net.

It _DOES_ work on some other weblog sites/packages. I'm not going to list any of them here. I think a fix should probably be applied to the main distribution.

It has nothing to do with apache or php; if you let HTML attributes pass through, other people's browsers will render them. If those attributes contain CSS, the browser will render the CSS.

---
Lucas Thompson
sardu_AT_mac.com
  • Suggestions for filtering CSS url( ) images?
  • Authored by: Tony on Thursday, January 30 2003 @ 11:52 AM EST
If you have a fix already let us know and we can put it in. Otherwise it may take a bit of work before we get this in ourselves. If you can use str_replace instead of the regex stuff...it's faster. Of course some things are best suited for regex, but on large stories this can be really slow in PHP.

---
The reason people blame things on previous generations is that there's only one other choice.
  • Suggestions for filtering CSS url( ) images?
  • Authored by: sardu on Thursday, January 30 2003 @ 12:01 PM EST
I don't have a fix in place yet but should have something by the end of the day.

I'll see if I can minimize the regex in favour of str_replace()

---
Lucas Thompson
sardu_AT_mac.com
  • Fix
  • Authored by: sardu on Thursday, January 30 2003 @ 07:06 PM EST
Sorry, I got tied up with a bunch of stuff today; as a quick fix, people can just add this to COM_checkHTML() in lib-common.php:

// Hack to filter out user-generated CSS attributes
$str = preg_replace( '/style="[^"]+"/', '', $str );

It works fine and preg_replace seems quick enough even on an ancient K6/350 I have.
Please note that it prevents ALL user-generated CSS from appearing.

---
Lucas Thompson
sardu_AT_mac.com

  • Fix... NOT
  • Authored by: sardu on Friday, January 31 2003 @ 12:13 AM EST

Doh!... that actually only fixes it if the user writes nice clean HTML with no spaces before/after the = sign.

I'm thinking maybe phpfilter should be integrated instead; it still lets images from the main site get loaded (allowing you to disable a page with a 2000x2000 pixel repeating pattern of the site logo), but I've contacted the author about it.

Anyone have other suggestions?

---
Lucas Thompson
sardu_AT_mac.com
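A stricter version of the attribute stripper discussed in the "Fix" and "Fix... NOT" posts above, added here as an illustration; it is not Geeklog's code or Lucas Thompson's, and strip_style_attributes() is a hypothetical helper name that a site admin could call from COM_checkHTML(). Unlike the one-line preg_replace(), it tolerates whitespace around "=", single-quoted and unquoted values, and mixed-case attribute names, and it only touches text inside tags.

```php
<?php
// Added example, not Geeklog's own code. strip_style_attributes() is a
// hypothetical helper that could be called from COM_checkHTML().

function strip_style_attributes($html)
{
    // Match one whole tag, allowing ">" inside quoted attribute values so
    // that a value such as title="a > b" does not end the tag early.
    $tag = '/<(?:[^>"\']|"[^"]*"|\'[^\']*\')*>/';

    // Inside a tag, match the style attribute however it is written:
    //   style="..."   style = '...'   STYLE=unquoted
    // \s*=\s* tolerates spaces around "=", /i ignores attribute-name case.
    $attr = '/\s+style\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i';

    return preg_replace_callback($tag, function ($m) use ($attr) {
        return preg_replace($attr, '', $m[0]);
    }, $html);
}

// The one-line fix from the "Fix" comment above, for comparison.
$naive = '/style="[^"]+"/';

// Constructed inputs: only the first one is in the "nice clean HTML" form
// that the naive pattern handles; the last one has no style attribute at all.
$samples = array(
    '<p style="position:absolute;top:100px">x</p>',
    '<p style = "position:absolute;top:100px">x</p>',
    "<p STYLE='position:fixed'>x</p>",
    '<img src="logo.gif" style=background-image:url(x.gif)>',
    '<p title="style=\'not an attribute\'">text style="x" outside tags</p>',
);

foreach ($samples as $s) {
    echo "input : $s\n";
    echo "naive : " . preg_replace($naive, '', $s) . "\n";
    echo "strict: " . strip_style_attributes($s) . "\n\n";
}
```

Like the one-liner it replaces, this still drops every inline style, which is the trade-off Lucas notes; letting harmless properties through would need a per-property allowlist rather than a blanket strip.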

  • Re: sample code
  • Authored by: sardu on Thursday, January 30 2003 @ 11:58 AM EST
Note that the display:block is what lets this work with nearly any tag, even ones normally rendered inline.
<TAG style="position:absolute;top:N;left:N;width:N;height:N;z-index:100;background-image:url('http://www.example.com/someimage.gif');display:block" TAG>

---
Lucas Thompson
sardu_AT_mac.com

  • Phpfilter integration?
  • Authored by: sardu on Friday, January 31 2003 @ 08:55 PM EST
I've added a feature request to the database on sourceforge and proposed phpfilter integration. Phpfilter is pretty quick and although it won't block all such defacement attacks it can be modified to do so.

http://sourceforge.net/tracker/index.php?func=detail&aid=678507&group_id=7371&atid=107371

---
Lucas Thompson
sardu_AT_mac.com