Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 928
Posted: Wed Mar 26, 2008 5:06 pm
Greetings All,
Is there any known security issue with phpBB and allowing XML uploads?
Thank You
Dawg
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sat Mar 29, 2008 7:29 am
Dawg, I am not familiar with XML uploads in terms of phpBB. I take it this is some kind of mod?
But, bottom line really is that any script which allows for the uploading of a file or that receives its input from a remote location (heck, even locally can be an issue if compromised already) is a potential opening. That all depends upon how the input is filtered and how it is going to be used. Unfortunately, that is left to each of us to worry about and make certain that we know exactly what we are putting on our systems.
Dawg
Posted: Sat Mar 29, 2008 7:42 am
Montego,
It is not a MOD...it is a file type (Like you didn't know that...LOL). This is actually a .gpx file but .gpx is nothing more than XML with the extension changed. It is a file type for GPS data.
I use the attachment MOD but I have it squirreled into just jpegs and pdfs. My question is if it is a BIG NONO to allow XML. I know anything can be exploited...I did not know if there was a known one for this file type.
Dawg
montego
Posted: Sat Mar 29, 2008 7:46 am
Dawg, actually, I am no phpBB expert, nor am I familiar with the attachment mod. Sorry, but that was all Evaders. He's the man...
Well, it is interesting because even a PDF can be exploited (as well as a gif)... I will not discuss how or why in the open. I would say, make sure that there is validation on the XML file to make sure it is truly valid... might even want to force a validation against its DTD even. I just don't know what is built into that attachment mod.
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
Posted: Sat Mar 29, 2008 9:48 am
XML in and by itself is harmless of course, it is just a text file. But as always, someone could simply add a ".xml" to the end of an executable or shell script, and if they can somehow get the execute bit set on the file and execute it under the right circumstances you might have some trouble.
I would say you are reasonably safe if the upload script makes sure it has a .xml extension and changes the permissions on the file to something benign after uploading it.
montego
Posted: Sat Mar 29, 2008 10:15 am
Ah, young Skywalker... it all depends upon how it's "used". HTML is essentially XML with a specific DTD, right? XML also has a DOM, just as HTML does, obviously, since HTML is a "child" of XML.
Read the book that I sent the link on yesterday and you will have a fresh outlook on the new life we lead...
It always boils down to "Know thy input", "Know thy response to thy input", and then "Protect thy site and others with thy output".
Gremmie
Posted: Sat Mar 29, 2008 10:31 am
HTML is actually a child of SGML. XHTML is an attempt to derive a variant of HTML with a more strict XML syntax.
I work with XML every day at work. I also wrote my own upload script that plugs into the Downloads module.
The PHP Pro Security book has a list of things you can do with your upload scripts to help make them safer.
montego
Posted: Sat Mar 29, 2008 10:56 am
What I have said still stands. It depends upon what you then do with the file. Read the book...
Within your work, do you have complete control over the inputs and outputs? If you are working on embedded systems, for the most part, they have well-defined interfaces. You are expecting XML and that is what you are going to get AND most likely it will also be structured as you expect.
Gremmie
Posted: Sat Mar 29, 2008 11:51 am
Everyone agrees that allowing uploads is risky. However you may be willing to take this risk because uploads are important for your website community.
There isn't anything inherently evil about XML files being an allowed thing to upload. It is no more dangerous than any other file type if you handle it properly. As montego said, your upload script should attempt, as much as possible, to verify the file is what it claims to be.
It may not be practical to easily verify that the XML files match the particular DTD that Dawg is using. Make sure the file gets its permissions changed and gets moved somewhere out of the original upload directory. There is a checklist of things you can do to minimize risk for uploads in that PHP Pro Security book.
I didn't mean to get cranky; I don't respond well to the "grasshopper thing" (edit: sorry, I see it was actually Skywalker). It's a personal problem. I'm sorry. I studied several PHP upload scripts and read the above book, and even wrote an upload script that implements the ideas. I use XML files at work. And yes, you are right, we control everything about the XML in our environment. In a web environment you cannot do this, thus you have to be extremely cautious.
We often harp about not allowing uploads here on this site. However there are 1000s of scripts, wikis, CMSs, etc. that do, because there is a need for it. And they had exploits and people had to patch them. But it can be done with a reasonable amount of safety.
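As an added example (not code from this thread, from phpBB, or from the attachment mod), here is what montego's "validate the XML file" advice and Gremmie's "check the extension, fix the permissions, move it out of the upload directory" checklist look like together in PHP for a .gpx/.xml attachment. Assumptions: the form field is named attachment, ATTACH_DIR is a directory outside the web root, and GPX_SCHEMA is an optional local copy of the GPX 1.1 schema (GPX is published as an XML Schema, gpx.xsd, rather than a DTD; the thread says DTD, and the call below does the equivalent check). Because the document comes from an untrusted user, the parser is also told not to fetch anything over the network or expand external entities.

```php
<?php
declare(strict_types=1);

// Added example; assumptions are marked below.
const ATTACH_DIR = '/var/www/private/attachments';      // assumption: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;                     // assumption: 2 MiB upload limit
const GPX_NS     = 'http://www.topografix.com/GPX/1/1'; // GPX 1.1 namespace
const GPX_SCHEMA = '/var/www/private/schemas/gpx.xsd';  // assumption: local schema copy, may be absent

/**
 * Check one entry of $_FILES and store it if it really is a GPX/XML document.
 * Returns the server-generated file name; throws RuntimeException otherwise.
 */
function storeXmlUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . (string) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('attachment exceeds the size limit');
    }

    // 1. Extension check on the client-supplied name. The name is only used
    //    for this check; it is never reused for the stored file.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['xml', 'gpx'], true)) {
        throw new RuntimeException('only .xml and .gpx attachments are accepted');
    }

    // 2. Content check: the bytes must be well-formed XML. LIBXML_NONET stops
    //    libxml from fetching anything over the network, and the two flags
    //    below keep external DTD subsets unresolved and entities unexpanded.
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->resolveExternals   = false;
    $doc->substituteEntities = false;
    $loaded = $doc->load($file['tmp_name'], LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($loaded !== true || $doc->documentElement === null) {
        throw new RuntimeException('attachment is not well-formed XML');
    }

    // 3. Structure check: the root element must be <gpx> in the GPX namespace,
    //    so a random XML document with a .gpx name is rejected too.
    $root = $doc->documentElement;
    if ($root->localName !== 'gpx' || $root->namespaceURI !== GPX_NS) {
        throw new RuntimeException('attachment is not a GPX document');
    }

    // 4. Optional schema validation against the local copy (the thread's
    //    "force a validation against its DTD"); skipped when no copy is installed.
    if (is_readable(GPX_SCHEMA)) {
        $previous = libxml_use_internal_errors(true);
        $valid = $doc->schemaValidate(GPX_SCHEMA);
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
        if (!$valid) {
            throw new RuntimeException('attachment does not validate against the GPX schema');
        }
    }

    // 5. Store under a server-generated name, outside the upload and web
    //    directories, with read-only, non-executable permissions.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = ATTACH_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move attachment into storage');
    }
    chmod($dest, 0644);

    return $stored;
}

// Usage from the form handler (field name "attachment" is an assumption):
try {
    $name = storeXmlUpload($_FILES['attachment']);
    echo 'stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Serving the file back is a separate step: because the stored copy lives outside the web root, a download script has to stream it, and that script should send it with a fixed Content-Type and a Content-Disposition: attachment header rather than letting the browser render it inline.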
Gremmie
Posted: Sat Mar 29, 2008 12:01 pm
Getting back to Dawg's question. What phpBB function (forum mod?) are you talking about? The attachment mod? Hopefully it has been vetted for security flaws and I would not expect it to have issues with XML files. However I haven't looked at it and thus probably should not have responded to this thread at all.