For those of you who have "Allow HTML" turned on..

Discussion of non-phpBB related topics with other phpBB.com users.
clubchill
Registered User
Posts: 90
Joined: Fri Oct 21, 2005 10:50 am

For those of you who have "Allow HTML" turned on..

Post by clubchill » Tue Jul 11, 2006 9:34 am

How many of you are allowing the <DIV> tag?

On my site I have just about all tags allowed except for the DIV tag and the SCRIPT tag, because I'm trying to be at least somewhat cautious about use of HTML on the site, without having to turn it off. But I'm noticing that a lot of users have been spoiled by myspace and other such sites like blackplanet, migente, etc., that do allow the DIV tag etc., not to mention the plethora of "helper" sites which give you code to use on these other sites; codes which contain the div tag and any number of attributes like filter, style, etc.

What are your thoughts on this?

Does the DIV tag present any more of a security risk above and beyond use of any other tag?

rick`
Registered User
Posts: 228
Joined: Wed Jun 02, 2004 5:09 am

Post by rick` » Tue Jul 11, 2006 9:47 am

If I could specify what attributes were allowed for what tags, I might change my mind on turning it on. But until then, it's staying off.

NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom

Re: For those of you who have "Allow HTML" turned

Post by NeoThermic » Tue Jul 11, 2006 1:03 pm

clubchill wrote: Does the DIV tag present any more of a security risk above and beyond use of any other tag?


Dear {DEITY}. Forget the DIV tag, disable usage of the SCRIPT tag. People can use that ability to conduct Cross Site Scripting, and do things like stealing your cookies (and thus they can log in as you assuming they get to the cookie quick enough). They can also do some very... interesting things in the user's browser which could lead to people disclosing their passwords (i.e. the attacker could phish for passwords with some JavaScript).

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です

Newfie
Registered User
Posts: 221
Joined: Mon Feb 20, 2006 12:08 am
Location: A Canadian Province - guess which one?

Re: For those of you who have "Allow HTML" turned

Post by Newfie » Tue Jul 11, 2006 4:23 pm

NeoThermic wrote: ...do things like stealing your cookies...


Who stole the cookies from the cookie jar? Who, me? Yes you! :lol:

TZX
Registered User
Posts: 102
Joined: Sat Jun 24, 2006 3:14 pm

Post by TZX » Tue Jul 11, 2006 4:44 pm

I only allow the following html codes:

Code:

<b>
<pre>
<i>
<u>
<strike>
<span>
<hr>

clubchill
Registered User
Posts: 90
Joined: Fri Oct 21, 2005 10:50 am

Re: For those of you who have "Allow HTML" turned

Post by clubchill » Tue Jul 11, 2006 5:29 pm

NeoThermic wrote:
clubchill wrote:Does the DIV tag present any more of a security risk above and beyond use of any other tag?


Dear {DEITY}. Forget the DIV tag, disable usage of the SCRIPT tag. People can use that ability to conduct Cross Site Scripting, and do things like stealing your cookies (and thus they can log in as you assuming they get to the cookie quick enough). They can also do some very... interesting things in the user's browser which could lead to people disclosing their passwords (i.e. the attacker could phish for passwords with some JavaScript).

NeoThermic


oh yeah.. the <SCRIPT> tag is definitely disabled on my site. I know at least that much. But what about <DIV>? You can't phish with a positioning element can you? I'm trying to weigh whether or not I should turn on DIV and what serious damage can be done with it?

NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom

Re: For those of you who have "Allow HTML" turned

Post by NeoThermic » Tue Jul 11, 2006 5:49 pm

clubchill wrote: oh yeah.. the <SCRIPT> tag is definitely disabled on my site. I know at least that much. But what about <DIV>? You can't phish with a positioning element can you? I'm trying to weigh whether or not I should turn on DIV and what serious damage can be done with it?


I myself wouldn't enable <div> or its semi-related element <span> mainly because both can be used to break layouts. I also can't find any legitimate reason for someone to make a post with a <div> in it. If you only have HTML enabled for those two tags, I would just disable it and look into BBCode mods if there's HTML functionality that you wish to emulate with BBCodes.

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です

SamG
Former Team Member
Posts: 3221
Joined: Fri Aug 31, 2001 6:35 pm
Location: Beautiful Northwest Lower Michigan
Name: Sam Graf

Post by SamG » Tue Jul 11, 2006 7:31 pm

rick` wrote: If I could specify what attributes were allowed for what tags, I might change my mind on turning it on. But until then, it's staying off.

Exactly. The ability to script events (including within <div>) is too close to enabling <script> itself for my tastes.

SAK `
Registered User
Posts: 958
Joined: Wed Oct 26, 2005 12:01 pm
Location: Places where authorities can't see me.

Post by SAK ` » Tue Jul 11, 2006 11:36 pm

My goal is to make sure I use DIV and SCRIPT tags for my own purpose, not for another crappy website that does nothing but humiliate the innocent, install adware, re-direct to or overlap an existing webpage with a porn site, and so forth. That's not in my bottle of Faygo, nope.

$.@.K.
The Serial AD Killa trademark is no more. 2003-2007

Elias
Registered User
Posts: 4626
Joined: Sat Feb 25, 2006 4:31 pm
Location: In the Water!
Name: Elias

Post by Elias » Tue Jul 11, 2006 11:59 pm

I got it disabled. Heard that there's a huge hack that can hit your forum if you got it enabled.
"Mystery creates wonder, and wonder is the basis of man's desire to understand." - Neil Armstrong
|Installing Extensions|Writing Extensions|Extension Validation Policy|

DeViAnThans3
Registered User
Posts: 877
Joined: Sat Oct 08, 2005 10:39 pm
Location: Belgium

Post by DeViAnThans3 » Wed Jul 12, 2006 6:35 pm

I'd rather just turn off HTML; I also have it disabled.
However, if you want to enable it, the defaults entered should suffice, and are pretty secure (the available events which could be attached to those are rather minimal).

span, div, table, tr, td should be disabled, because they can change or even let the template "crash". Also disable img, for the following reason.

Attention with the image tag! There is an onerror() JavaScript event which could be attached to the image tag, and the user can make a special image with a changed bit, which will result in an image error... et voilà: the onerror() event is activated, and if this onerror event contains something like

Code:

onerror="window.location.href='http://www.anotherwebsite.com';"

everyone who accesses the same topic page will be redirected to "www.anotherwebsite.com" immediately. :wink:
I only provide support via the appropriate topics! Please no PM or mails! :)
My MODs :: [BETA] Facebook Connect

NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom

Post by NeoThermic » Thu Jul 13, 2006 2:37 pm

DeViAnThans3 wrote: Attention with the image tag! There is an onerror() JavaScript event which could be attached to the image tag, and the user can make a special image with a changed bit, which will result in an image error... et voilà: the onerror() event is activated, and if this onerror event contains something like

Code:

onerror="window.location.href='http://www.anotherwebsite.com';"

everyone who accesses the same topic page will be redirected to "www.anotherwebsite.com" immediately. :wink:


Not exactly. The changes to the HTML parser code will reject any tag that appears to have a JavaScript 'on{event}' attribute. Have a look at the function clean_html in functions_post.php.

If you're able to bypass it, as always, tell us so at the security tracker.

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
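The two approaches argued over in this thread, side by side, as an added example in Python (standard library only). It is not phpBB's clean_html() and not code from anyone in the thread, and it makes no claim about what clean_html actually does beyond what NeoThermic states. sanitize() is the per-tag attribute allow-list rick` wishes for: a tag is kept only if it is listed, and an attribute only if it is listed for that tag, so the <img onerror> DeViAnThans3 describes and the scripted <div> events SamG worries about are dropped without having to name them. has_event_attribute() models a bare attribute-name check ("reject any tag that appears to have an on{event} attribute") so both can be run over the same constructed payloads. Assumptions: the tag list is TZX's plus <a> and <img>, so URL attributes get exercised; the payloads are constructed here and are not from any real post. The attribute-name check catches <img onerror> and <div onmouseover> but passes a javascript: href (even entity-encoded) and a style="...expression(...)" value, which Internet Explorer of that era evaluated as script; the allow-list removes all of them because it never keeps an attribute it did not explicitly permit.

```python
"""Tag- and attribute-level HTML allow-list, standard library only.

Added example for this thread; NOT phpBB's clean_html(). sanitize() implements
per-tag attribute control; has_event_attribute() models an on{event}
attribute-name blacklist so the two can be compared on constructed payloads.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: TZX's tag list plus <a> and <img>, so URL attributes are covered.
# A tag not listed is dropped (its text content is kept). An attribute not
# listed for its tag is dropped, which removes every on*, style, class, ...
ALLOWED = {
    "b": set(), "i": set(), "u": set(), "strike": set(), "pre": set(), "hr": set(),
    "span": set(),                 # <span> itself is fine; <span style=...> is not
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"hr", "img"}               # never pushed on the open-tag stack
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}   # "" = relative URL


def safe_url(value: str) -> bool:
    """Allow-list the scheme; refuses javascript:, data:, vbscript:, ..."""
    # Browsers ignore tab/newline inside a URL and leading control characters,
    # so "java\tscript:" is read as javascript:. Stripping every character
    # <= 0x20 before parsing is the conservative way to get the same view.
    cleaned = "".join(c for c in value if ord(c) > 0x20)
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:             # e.g. malformed IPv6 literal
        return False


class AllowListSanitizer(HTMLParser):
    """Rebuilds markup from parsed tokens, emitting only allow-listed parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # text/attribute values arrive decoded
        self.out = []
        self.stack = []             # tags we emitted and still have to close

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:      # html.parser already lower-cases names
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue            # on*, style, class, ... all end here
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:   # stray or disallowed close tag
            return
        while self.stack:           # close inner tags first: output stays well-formed
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))
    # comments, <!DOCTYPE>, <?pi?> hit the base-class no-op handlers: dropped

    def result(self) -> str:
        self.close()
        while self.stack:           # close whatever the post left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    p = AllowListSanitizer()
    p.feed(html)
    return p.result()


def has_event_attribute(html: str) -> bool:
    """Attribute-name blacklist only: does any tag carry an on{event} attribute?"""
    hits = []

    class Probe(HTMLParser):
        def handle_starttag(self, tag, attrs):
            if any(name.startswith("on") for name, _ in attrs):
                hits.append(tag)

    p = Probe()
    p.feed(html)
    p.close()
    return bool(hits)


# Constructed payloads (only the redirect URL in img_onerror comes from the thread).
SAMPLES = {
    "script":      "<script>alert(document.cookie)</script>",
    "img_onerror": "<img src=\"x.gif\" onerror=\"window.location.href='http://www.anotherwebsite.com';\">",
    "div_event":   '<div onmouseover="alert(document.cookie)">hover me</div>',
    "href_js":     '<a href="&#106;avascript:alert(1)">click</a>',       # entity-encoded javascript:
    "css_expr":    '<span style="width:expression(alert(1))">IE</span>',  # script via CSS in old IE
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:12} blacklist flags it: {has_event_attribute(payload)!s:5}  "
              f"allow-list output: {sanitize(payload)}")
```

Two details do real work here. html.parser hands over attribute values already entity-decoded and tag and attribute names lower-cased, which is why the `&#106;avascript:` and an upper-case `ONERROR` variant need no extra code; a sanitizer that runs regular expressions over the raw markup has to reproduce all of that decoding itself before any check is meaningful. And the output is rebuilt from tokens rather than patched in place, so a post that opens `<b>` and never closes it cannot break the rest of the page, which is the layout problem NeoThermic raises for <div> and <span>.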

clubchill
Registered User
Posts: 90
Joined: Fri Oct 21, 2005 10:50 am

Post by clubchill » Thu Jul 13, 2006 9:50 pm

Great! Thanks for the feedback guys. I really appreciate it.

DeViAnThans3
Registered User
Posts: 877
Joined: Sat Oct 08, 2005 10:39 pm
Location: Belgium

Post by DeViAnThans3 » Thu Jul 20, 2006 1:09 pm

NeoThermic wrote:
DeViAnThans3 wrote: Attention with the image tag! There is an onerror() JavaScript event which could be attached to the image tag, and the user can make a special image with a changed bit, which will result in an image error... et voilà: the onerror() event is activated, and if this onerror event contains something like

Code:

onerror="window.location.href='http://www.anotherwebsite.com';"

everyone who accesses the same topic page will be redirected to "www.anotherwebsite.com" immediately. :wink:


Not exactly. The changes to the HTML parser code will reject any tag that appears to have a JavaScript 'on{event}' attribute. Have a look at the function clean_html in functions_post.php.

If you're able to bypass it, as always, tell us so at the security tracker.

NeoThermic

:oops: oh lol :lol:
I didn't know that; I never tried it myself :wink:
I only provide support via the appropriate topics! Please no PM or mails! :)
My MODs :: [BETA] Facebook Connect

Rajapan
Registered User
Posts: 2
Joined: Fri Jan 13, 2006 6:00 pm

Post by Rajapan » Fri Jul 21, 2006 2:06 pm

I have disabled all HTML tags. God knows when somebody invents (or discovers) a new exploit. But in my opinion our phpBB must be the most secure PHP script. Especially after those attacks during 2004-2005. Thanks to the hackers. ;)
