Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Other - Discussion
Author Message
sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

PostPosted: Wed Mar 03, 2004 3:22 pm Reply with quote

Has anyone considered using bad word filters as a backup security counter measure?

I've been playing with a few like:
javascript
onload
onmouseout
onmouseover

Of course the more words the more overhead generated but it seems to work slick when the word filter is universal on a the site.

Better yet could we build a list here?
 
View user's profile Send private message
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Wed Mar 03, 2004 9:38 pm Reply with quote

How does this affect blocks that use javascript?
 
View user's profile Send private message
sixonetonoffun







PostPosted: Wed Mar 03, 2004 11:00 pm Reply with quote

I haven't tried inside a portal that generates blocks. I applied this only to form fields in a script I'm hacking away on. Registration, Edit Registration so on and so on.

I'm using:
$value=textFilter(kses(MY_stripslashes($value) , $applied);

textFilter = bad words filter
KSES = [ Only registered users can see links on this board! Get registered or login! ]
MY_stripslashes = checks if if get_magic_quotes_gpc = 1 for KSES

I filter from database with KSES and some places with strip_tags (remove font color ect.. for search results ect... to keep them uniform. I was considering removing the word filter or expanding it when it occured to me that it was fairly lean and mean as it is and could be useful instead of borderline useless bloat.

Using it this way almost amounts to dynamic string replacement for novices ect... who don't want to go hunting through files for 20 instances of a string in 5 different files.

The one I'm using is simple just add words and it replaces the word with a single * no mask or replacement word. (Lean and Mean). Replacement words would work as well just not as fast.
 
Darrell3831
Worker
Worker



Joined: Feb 18, 2004
Posts: 244

PostPosted: Thu Mar 04, 2004 2:36 pm Reply with quote

I like anything that adds security. Smile

If were already stripping tags that we don't like in a function with something like kses(), why would we need to strip the word itself?

Are you thinking about Internet Explorers pesky habit of fixing malformed tags for us?

If a filter mistakes it for a safe string because the tag is purposfully typo'ed in the hopes that IE will fix it on the other end....

(I read an exploit that makes use of this somewhere last week.)

If kses() is missing them then it would seem we need to edit kses() to catch em.

If we strip these words:

Quote:
javascript
onload
onmouseout
onmouseover


Then we can't use them anymore in our legitimate input. Like if these functions were to be used to strip input for a forum, or input from a tutorial, or as I'm doing, an online course.

I couldent have a course about html tags if even the innerds were not allowed.

Hmm, I dunno...

Darrell

_________________
[ Only registered users can see links on this board! Get registered or login! ] 
View user's profile Send private message Visit poster's website
sixonetonoffun







PostPosted: Thu Mar 04, 2004 3:53 pm Reply with quote

No I don't have a problem with kses catching the tags. But say if I allowed one to accomplish something good. Then someone came along and saw that I allowed
<img with alt and decided to try adding some obscured onmouseover to the alt field (Not 100% sure this is a realistic example but sounds like something IE might do). Or some other out there example like that.

The example of an html course is exactly why I was thinking of an outside list of suggestions. Suggestions could be opted out of hard coding can't. In my use there is no reason to allow the string mouse over at all.

Ravens example of javascript in blocks I think they should be left as before so any including of java would have to be coded into a actual block-myblock.php file.
 
Darrell3831







PostPosted: Thu Mar 04, 2004 4:34 pm Reply with quote

I agree about not allowing javascript in the dynamic blocks that are stored in the database. These blocks should be run through the validators, mainly because there can be more than one admin on a site.

There was just a question about html not being allowed in a block on nuke cops....

Third party, user created blocks can be prieviewed by the the admin before he installs them. So I would not expect them to be validated.

About the bad words filter, an array in the code seems like a good place to store words your worried about. Either your own to ensure future compatibablity, or piggyback off the existing one in nuke. Then the admin can edit the array for his specific needs.

Or if your really a glutton for punishment, a table of words in a database that the admin can edit from his control panel in your program. Smile

What are you developing?

It's kind of nice to have someone else working in the same areas as I am at the moment.

Darrell
 
sixonetonoffun







PostPosted: Thu Mar 04, 2004 5:21 pm Reply with quote

I'm not really developing just tore zclassifeds down and am enhancing its stand alone version for personal use. Intention was to create a simple image hosting application for ebay ect...

I've pretty much just went back to the original app and updated it making it a safe place to start from.

From there changing from classifieds to simple image hosting should be a snap. I just didn't want to add my functions to a already unsafe out of date engine.

I've done that now for the real work.
Here is a pre security fix concept demo. I'll try and get it updated late this evening. It will look virtually the same but will be much safer to run. [ Only registered users can see links on this board! Get registered or login! ]

Silly waste of time really but I'm having fun.
 
Darrell3831







PostPosted: Thu Mar 04, 2004 5:43 pm Reply with quote

Kewl,

There are always people looking for a place to remote-link images from...
 
sixonetonoffun







PostPosted: Thu Mar 04, 2004 10:39 pm Reply with quote

Here is a list of evil words, strings and so on gleemed from the former cgi shield filter. (Don't know what happened to that project, anyone?

Much of this isn't relevent to specific servers but I wanted to start this out as an awareness thing more then anything. The strings are all valid but obviously we won't strip out every "<" or ">" just because its included in almost every exploit. But leaving it in the list might help to raise awareness that the smallest slip can lead to a site being defaced or worse.

Actually a lot of these especially the MS exploits and java ones can be shortened down so one word or string will kill several others too. Like onmouse will catch a lot or MSYS. would get a lot.

I'm not going to try and break this down right now but I thought I'd offer up a start aiming back at the original subject.

So here is this list:
Code:


(.*?)(\\\\*?)\$
\|
(select(.*?)from)
(delete(.*?)from)
(update(.*?)set(.*?)=)
(insert(.*?)into(.*?)values)
(drop(.*?)database)
(drop(.*?)table)
(mid\((.*?)\))
(char\((.*?)\))
(openrowset\((.*?)\))
(bulk(.*?)insert(.*?)from\((.*?)\))
(group(.*?)by(.*?)having)
(union(.*?)select)
(openquery\((.*?)\))
(exec(.*?)xp_execresultset)
(exec(.*?)xp_regread)
(exec(.*?)xp_regdeletevalue)
(exec(.*?)xp_regenumkeys)
(exec(.*?)xp_regenumvalues)
(exec(.*?)xp_regread)
(exec(.*?)xp_regremovemultistring)
(exec(.*?)xp_regwrite)
(exec(.*?)xp_availablemedia)
(exec(.*?)xp_dirtree)
(exec(.*?)xp_enumdsn)
(exec(.*?)xp_loginconfig)
(exec(.*?)xp_makecab)
(exec(.*?)xp_ntsec_enumdomains)
(exec(.*?)xp_cmdshell)
(exec(.*?)sp_oacreate)
(exec(.*?)sp_oamethod)
(onmouseover)
(src=(.*?))javascript
(dynsrc=(.*?))javascript
(href=(.*?))javascript
(src=(.*?))vbscript
(src=(.*?))mocha
(src=(.*?))livescript
(onload)
([\xC0][\xBC]script>)
(&lt;script>)
(<script)
CDATA
javascript:
text\/javascript
document.cookie
(&{)(.*?)}
&#([0-9]*?)
<div
SYS.USER_CATALOG
SYS.USER_TRIGGERS
SYS.USER_CONSTRAINTS
SYS.USER_TAB_COLUMNS
SYS.ALL_TABLES
SYS.USER_VIEWS
SYS.USER_TABLES
SYS.TAB
SYS.USER_OBJECTS
MSysRelationships
MSysQueries
MSysObjects
sp_OACreate
sp_OAMethod
sp_OAGetProperty
sp_addextendedproc
sp_password
sp_dropextendedproc
sp_makewebtask
dbo.sysobjects
dbo.syscolumns
dbo.sysdatabases
\\\\0
\|
\\n
\\x04
\~
\'
\"
#
--
\/\*
`
<
>
@
\)
\(
\.\.\/
(onmousemove)
(onfocus)
onblur
onclick
onkeydown
onkeypress
onkeyup
onerror
onabort
onchange
ondblclick
ondragDrop
onmousedown
onmouseout
onmouseup
onmove
onreset
onresize
onselect
onsubmit
<span
<meta
<embed
<bgsound
 
maciekp
New Member
New Member



Joined: Nov 20, 2003
Posts: 2

PostPosted: Fri Mar 05, 2004 12:09 pm Reply with quote

Here's an example of poor man's filter Smile

Code:


foreach ($_GET as $secvalue) {
   $secvalue = strtolower($secvalue);

   $jsevent =    (
      strpos($secvalue, "onload") !== false ||
      strpos($secvalue, "onclick") !== false ||
      strpos($secvalue, "ondblclick") !== false ||
      strpos($secvalue, "onkeydown") !== false ||
      strpos($secvalue, "onkeypress") !== false ||
      strpos($secvalue, "onkeyup") !== false ||
      strpos($secvalue, "onmousedown") !== false ||
      strpos($secvalue, "onmouseout") !== false ||
      strpos($secvalue, "onmouseup") !== false ||
      strpos($secvalue, "onmouseover") !== false ||
      strpos($secvalue, "onblur") !== false ||
      strpos($secvalue, "onfocus") !== false);

   $nuketable =    (
      strpos($secvalue, "nuke_users") !== false ||
      strpos($secvalue, "nuke_authors") !== false ||
      strpos($secvalue, "nuke_groups") !== false);

   if (
      (ereg("<[^>]*script*\"?[^>]*>", $secvalue)) ||
      (ereg("<[^>]*object*\"?[^>]*>", $secvalue)) ||
      (ereg("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
      (ereg("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
      (ereg("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
      (ereg("<[^>]*style*\"?[^>]*>", $secvalue)) ||
      (ereg("<[^>]*form*\"?[^>]*>", $secvalue)) ||
      (ereg("<[^>]*img*\"?[^>]*>", $secvalue)) ||
      (ereg("\([^>]*\"?[^)]*\)", $secvalue)) ||
      (ereg("\"", $secvalue)) ||
      $jsevent ||
      $nuketable)
   {
      ban_em_all_let_god_sort_em_out($_SERVER['HTTP_CLIENT_IP']);
   }
}


Strpos() is much faster than regexp compiler.
 
View user's profile Send private message Visit poster's website
sixonetonoffun







PostPosted: Fri Mar 05, 2004 12:34 pm Reply with quote

I like it!
Your 15 steps ahead of the average nuker! wink* and faster then me Sad

Keep em coming...

In my defense I'm mostly filtering $_post method forms. So speeds not as detrimental as it sounds.
 
maciekp







PostPosted: Fri Mar 05, 2004 3:58 pm Reply with quote

It was merely an example, you certainly don't want to have 100 strpos or regexp function calls.

Quote:

So speeds not as detrimental as it sounds.


You won't be saying that after someone pulls a DoS attack against your filter. I think the best way to do this job is to write a new PHP extension in C, perhaps there's one already?
 
sixonetonoffun







PostPosted: Fri Mar 05, 2004 9:51 pm Reply with quote

Your right of course thats why I said I have only applied a few words mostly ones included in your js filter and only on post variables. I'm not in fear of DoS since users have to be logged on to post (reminds me a flood function is in order for me...

I think a reasonable list say 50 or less probably more like 25 words/expressions would be reasonable. Look how big the list is for "Bad Words" on the list John Abela's site something like 170 words now? Not that I'd run that full list either...

I don't do C (Heck I barely do html some days) so if you hear of something I'd sure be interested.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Other - Discussion

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©