
Registered · 4 Posts · Discussion Starter · #1
Hi there everyone. I'm new here.

Funny thing is I found it via Google, but it was a thread where someone was asking for an XSS cookie stealer, ha!

Ironically, I need the opposite.

I have an old script being used on my site and MANY other people are using this script. The owner/creator has disappeared for months.

I was hit by someone on my site and I believe it is an XSS problem.

I have a form, which takes in text for a username color.

You would enter your text, say for example blue.

But the way the programmer wrote it allows any user to enter any style character. I was hit with loads of "em" tags and "size" etc.

Here is a snippet of the code.

PHP:
// build the proper Preview box
$extra_fields .= "<tr><td class=\"alt1\">Preview:
<script type=\"text/javascript\" language=\"JavaScript\">

<!--
function build_contents(text, color)
{
	document.getElementById(\"previewbox\").innerHTML = '<a class=\"bigusername\" style=\"color: ' + color + '\">' + text + '</a>';

}
-->
</script>
As you can see the color variable is in the style tag. Therefore, anything added will become valid. I assume the coder used the color variable, which also is the variable of what is entered into the preview form.

Normally you would enter blue or green. However, someone can easily enter rEd; fOnt-siZe:10em.

I was thinking if I created a regex in the code and checked the variable color to be sure the text entered is ONLY [a-zA-Z] since it can only be a color. I would assume that should fix it?

Although... just thought of this now. If javascript is disabled, then this check needs to also be hardcoded, so php doesn't accept it either.

Sorry for a long essay post. I just wanted to fix this issue, so I don't get further attacks.

Thanks.

Harry.
 

TSF Team, Emeritus · 2,367 Posts
Hello freshfroot, welcome to TSF!

I'm sorry, I don't exactly see what you want. Do you want us to help you secure the script above against such attacks?

Any mention of XSS attacks engages red flags. I recommend you try to be more explicit when asking such questions in the future.

You used PHP tags. :heartlove I think I love you already :heartlove
 

Registered · 4 Posts · Discussion Starter · #3
Well, I am asking how I can block XSS attacks. In the code above you can see how any user can attack the site.

I was attacked and I listed the example above. I found the source where the problem is, but I am looking for some guidance on patching this XSS issue.

The attack is being hit through the <style> tag. Therefore, the user can use any CSS property and throw it into the style tag.

I was thinking regex checks might stop this? Since there seems to be no checking for users entering any < or > or ( or ) or valid style/CSS tags.
 

TSF Team, Emeritus · 2,367 Posts
Thank you for the clarification.

I don't know enough about PHP to be able to help you, I'm afraid. There are a couple of active members who may be able to help, I'll see if I can contact them. In the meantime, this may be able to help you: http://www.codeassembly.com/How-to-sanitize-your-php-input/

I would remove the script from your site (just put the offending section inside comment tags /*like this*/) to prevent further attacks until this issue is resolved.
 

Registered · 896 Posts
Why give them the option of free-forming a color? Could you just make the option a drop down instead of a text box? You may be able to find a list of the hard coded CSS colors somewhere and go off of that.

Quote: I was thinking if I created a regex in the code and checked the variable color to be sure the text entered is ONLY [a-zA-Z] since it can only be a color. I would assume that should fix it?

It should.

Also, "mysql_real_escape_string" MAY help to some degree. Realistically you should use it on anything you accept from a user to prevent XSS and SQL injection. In this case, it doesn't sound like you're putting anything into a DB so SQL injection isn't a problem, but you can still use this command (so long as you have MySQL installed on the box, I think) but it should escape malicious code too.
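A server-side version of the regex-plus-whitelist check discussed in the first post and the post above, written as an added example; it is not code from the original thread or from the script being patched. ALLOWED_COLORS and both function names are constructed for this example, and the whitelist is a deliberately small subset of the CSS colour keywords.

```php
<?php
// Added example, not the original script's code: server-side validation of the
// username colour so the check holds even with JavaScript disabled (the point
// raised in the first post), plus a render helper that escapes output before it
// is placed inside the style attribute.

// Constructed whitelist of CSS colour keywords; extend it as users request colours.
const ALLOWED_COLORS = ['black', 'blue', 'green', 'red', 'purple', 'orange', 'gray', 'white'];

/**
 * Returns the lower-cased colour keyword, or null when the input is not acceptable.
 * Gate 1 is the [a-zA-Z]-only regex proposed in the thread: it rejects ';', ':',
 * '<', quotes and whitespace, so no extra CSS property or tag can ride along.
 * Gate 2 is the whitelist, so only a known colour name is ever emitted.
 */
function validate_username_color(string $input): ?string
{
    if (!preg_match('/^[a-zA-Z]{1,20}$/', $input)) {
        return null;                       // "rEd; fOnt-siZe:10em" stops here
    }
    $color = strtolower($input);
    return in_array($color, ALLOWED_COLORS, true) ? $color : null;
}

/**
 * Builds the preview row from a validated colour. Both values still pass through
 * htmlspecialchars() as defence in depth; that is the HTML escaper for this job,
 * whereas mysql_real_escape_string() only escapes for SQL string literals.
 */
function render_preview_row(string $requested_color, string $username): string
{
    $color = validate_username_color($requested_color);
    if ($color === null) {
        return '<tr><td class="alt1">Preview: invalid colour, please pick one of '
             . htmlspecialchars(implode(', ', ALLOWED_COLORS), ENT_QUOTES, 'UTF-8') . '</td></tr>';
    }
    $safe_color = htmlspecialchars($color, ENT_QUOTES, 'UTF-8');
    $safe_name  = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    return '<tr><td class="alt1">Preview: <a class="bigusername" style="color: ' . $safe_color . '">'
         . $safe_name . '</a></td></tr>';
}

// Demonstration with constructed inputs, including the payload style from the thread.
foreach (['blue', 'Green', 'rEd; fOnt-siZe:10em', '<em>x</em>', 'mauve'] as $try) {
    printf("%-22s => %s\n", $try, validate_username_color($try) ?? 'REJECTED');
}
echo render_preview_row('blue', 'Harry <script>'), "\n";
```

The same whitelist can feed the drop-down suggested in the thread, so the form only offers values the server will accept.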
 

God (TSF Enthusiast) · 1,118 Posts
One of the more informative XSS hacking guides I've come across was found here:

http://ha.ckers.org/xss.html

If you don't know anything about XSS it won't teach you anything, but if you know how to hack XSS--which this site pretty much shows you--you can learn how to stop it.

I also came across a guide that may help you block future attacks:

http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/cross-site-malicious-content.html

Edit: Another option would be to use a combo-box instead of a text input to choose a color... or a color swatch image combined with an image map.

Just a few ideas to look through.
 

Registered · 4 Posts · Discussion Starter · #9
Thanks for the help everyone.

Appreciate it.

I think the reason why the original creator did not use a combo box is because he wanted users to be able to choose any color they wanted.

I do like the combo box idea. That basically eliminates the problem. And I guess colors can be added if users request a certain color that may not be on there by any chance.

I know I have to really dig into the script, because the guy that created this script didn't really look into XSS flaws. Recently I was hacked... well, more like had my website run by JavaScript style commands. I noticed someone else got their website damaged as well, and the original coder has disappeared off the face of the earth.

So, I'm just trying to patch up this software I bought from him, since he isn't there to provide support now and I can't run a website with XSS holes everywhere.

Once again, thanks for the heads up everyone.
 

God (TSF Enthusiast) · 1,118 Posts
Glad we could help, let us know if you need anything else, it's what we're here for after all.

Welcome to TSF :)
 