vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Why is letting HTML dangerous? (https://vborg.vbsupport.ru/showthread.php?t=153764)

Lea Verou 07-30-2007 04:08 AM

Why is letting HTML dangerous?
 
I have read everywhere that letting a user post pure HTML is a site suicide.
I have accepted it for years as an axiom, like 1+1=2.
However, I've seen popular blogging sites allow their bloggers to change the template by providing them its whole HTML, including <script> tags and everything!
Aren't they afraid? Have they taken any "special measures" to prevent abuse, and if so, what measures?

Dismounted 07-30-2007 06:04 AM

Yes, allowing HTML can let hackers inject malicious JavaScript into a page, which could potentially steal people's cookie data.

ablaye 07-30-2007 08:49 PM

Quote:

Originally Posted by Dismounted (Post 1305103)
Yes, allowing HTML can let hackers inject malicious JavaScript into a page, which could potentially steal people's cookie data.

Can you provide an example??? :D

cheat-master30 07-30-2007 09:09 PM

Quote:

Originally Posted by Michelle (Post 1305051)
I have read everywhere that letting a user post pure HTML is a site suicide.
I have accepted it for years as an axiom, like 1+1=2.
However, I've seen popular blogging sites allow their bloggers to change the template by providing them its whole HTML, including <script> tags and everything!
Aren't they afraid? Have they taken any "special measures" to prevent abuse, and if so, what measures?

  1. They can use CSS and styling to disrupt the layout massively, or make parts of the login box or other features/links disappear from view.
  2. As said, JavaScript cookie stealing.
  3. JavaScript causes really annoying effects such as things flying around or maybe the page upside down/flipped.
  4. Iframes to embed viruses and other malware.
  5. Iframes or forms to embed fake forms for phishing purposes/stealing passwords, even making the fake form look part of the site.
  6. Crashing the browser with an extremely large image.
  7. Redirects to other, potentially dangerous/offensive pages.
  8. Browser exploits.
  9. Annoyances such as leaving tags open to turn everything bold under the empty tag or italic or underline etc...

Dismounted 07-31-2007 05:59 AM

Quote:

Originally Posted by ablaye (Post 1305663)
Can you provide an example??? :D

No, because then you'd go around trying to exploit forums...

Lea Verou 07-31-2007 06:08 AM

Quote:

Originally Posted by cheat-master30 (Post 1305673)
  1. They can use CSS and styling to disrupt the layout massively, or make parts of the login box or other features/links disappear from view.
  2. As said, JavaScript cookie stealing.
  3. JavaScript causes really annoying effects such as things flying around or maybe the page upside down/flipped.
  4. Iframes to embed viruses and other malware.
  5. Iframes or forms to embed fake forms for phishing purposes/stealing passwords, even making the fake form look part of the site.
  6. Crashing the browser with an extremely large image.
  7. Redirects to other, potentially dangerous/offensive pages.
  8. Browser exploits.
  9. Annoyances such as leaving tags open to turn everything bold under the empty tag or italic or underline etc...

So, they can't harm the whole site, just the current page?
If so, then these blogging sites are not doing anything dangerous, each blog is its blogger's responsibility...

Dismounted 07-31-2007 06:20 AM

But your forum is your responsibility.

Lea Verou 07-31-2007 06:35 AM

Quote:

Originally Posted by Dismounted (Post 1305960)
But your forum is your responsibility.

Definitely. :)
But I'm going to add blogs to it, and I'm wondering if I should let them customize the whole HTML template or just the CSS. That's why I asked :)

vertigo jones 07-31-2007 01:33 PM

There's also things like that Myspace friends worm that happened early on over there.

Had some shit where there was some javascript embedded on someone's profile and then everyone who came to that page was added as a friend to that person AND it also copied itself to the viewing person's profile. Within a day or so the guy who started it was friends with everyone on Myspace. Something like that.

People can do weird, potentially dangerous things when they can stick whatever javascript they want on a page.

Lea Verou 08-01-2007 08:47 AM

So I'd better let them customize just the CSS?
Are there any exploits that someone can perform from CSS?
(We suppose that the code will strip HTML tags so that's not the case)

EnIgMa1234 08-01-2007 09:03 AM

Yea I think CSS is ok

Dismounted 08-01-2007 09:09 AM

Letting CSS is okay, as exploits shouldn't be able to run from it.

Lea Verou 08-01-2007 09:49 AM

Then why does WordPress have this in the CSS comments?

Quote:

Things we strip out include:
* HTML code
* @import rules
* expressions
* invalid and unsafe code
* URLs not using the http: protocol

(WordPress lets users customize only the CSS)
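
One way to apply the kind of filtering the WordPress notice above lists (HTML, @import rules, expressions, non-http URLs), written as an allowlist rather than a strip list. This is an added example, not part of the thread and not WordPress's or vBulletin's code; the property allowlist, the function names, the acceptance of https alongside http, and the sample input are assumptions, and `cursor` is left off the allowlist.

```php
<?php
// Added example: allowlist filter for user-supplied CSS (illustrative only).
const ALLOWED_PROPERTIES = ['color', 'background-color', 'background-image',
    'font-family', 'font-size', 'font-weight', 'margin', 'padding', 'text-align'];

function sanitize_css_value(string $value): ?string
{
    $value = trim($value);
    // Escapes and comments can hide keywords; "<" and "@" mean HTML or at-rules.
    if ($value === '' || preg_match('~[\\\\<>@{}]|/\*~', $value)) {
        return null;
    }
    // Refuse any function call other than url() or rgb(), e.g. expression().
    preg_match_all('~([a-z-]+)\s*\(~i', $value, $calls);
    if (array_diff(array_map('strtolower', $calls[1]), ['url', 'rgb'])) {
        return null;
    }
    // Every url() must hold a plain http(s) URL, so other schemes fail.
    $all  = preg_match_all('~url\s*\(~i', $value);
    $good = preg_match_all('~url\(\s*(["\']?)https?://[^\s"\'()]+\1\s*\)~i', $value);
    return $all === $good ? $value : null;
}

function sanitize_css(string $css): string
{
    $out = [];
    // Output is rebuilt only from validated parts of flat "selector { ... }"
    // rules; text outside them (@import, stray HTML) is never copied over.
    preg_match_all('~([^{}]+)\{([^{}]*)\}~', $css, $rules, PREG_SET_ORDER);
    foreach ($rules as [, $selector, $body]) {
        $kept = [];
        foreach (explode(';', $body) as $decl) {
            $parts = explode(':', $decl, 2);
            $prop  = strtolower(trim($parts[0]));
            $value = sanitize_css_value($parts[1] ?? '');
            if ($value !== null && in_array($prop, ALLOWED_PROPERTIES, true)) {
                $kept[] = "  $prop: $value;";
            }
        }
        $selector = trim($selector);
        if ($kept && preg_match('~^[a-z0-9 .#,:>_-]+$~i', $selector)) {
            $out[] = "$selector {\n" . implode("\n", $kept) . "\n}";
        }
    }
    return implode("\n", $out);
}

// Constructed input: one clean rule, one rule with refused parts, one at-rule.
$sample = "body { color: rgb(1,2,3); background-image: url(http://example.com/bg.png) }\n"
    . "a { font-weight: bold; color: expression(1); cursor: url(http://example.com/x.ani) }\n"
    . "@import url(http://example.com/other.css);";
echo sanitize_css($sample), "\n";
```

The filter fails closed: a rule that follows unrecognised text is dropped along with it rather than repaired.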

Dismounted 08-01-2007 09:58 AM

Hmmm, in theory, browsers should parse CSS as CSS and nothing more. Haven't tested this across multiple browsers though.

nico_swd 08-01-2007 11:29 AM

This will be useful.

http://htmlpurifier.org/

Fabsboards 08-02-2007 05:01 AM

Are there any options to limit HTML to "trusted" users, perhaps admins and moderators?

Dismounted 08-02-2007 06:22 AM

Not in stock vBulletin. There is a modification that does this though.

Adrian Schneider 08-02-2007 07:00 AM

CSS can be dangerous too. There are even some vulnerabilities which rely on CSS, such as the cursor exploit.

Fabsboards 08-03-2007 12:43 AM

Quote:

Originally Posted by Dismounted (Post 1307808)
Not in stock vBulletin. There is a modification that does this though.

Do you know the name of the modification? I'd love to use it.

Dismounted 08-03-2007 10:53 AM

Not off the top of my head.

Lea Verou 08-03-2007 07:28 PM

Quote:

Originally Posted by SirAdrian (Post 1307836)
CSS can be dangerous too. There are even some vulnerabilities which rely on CSS, such as the cursor exploit.

How can someone "purify" the CSS then, apart from stripping out HTML code?

Adrian Schneider 08-03-2007 08:17 PM

You can't really. However this was a browser exploit (actually a Windows thing, but it only affected IE). Windows had a bug with parsing the cursor files, so basically it would execute it as raw code or something, which then led to the installation of about 5 different viruses :(

[off topic]: working on a client's site, and I had up to date virus definitions... I am very prompt with that kind of thing. He says there is a problem with his site, like it's been hacked or something. So I view it with Firefox... looks fine. So he tells me to view it with IE and that was the end of it. It got in so deep I had to reformat my PC and I was off for about a week :( All this from a CSS exploit!

I would strip out some annoying CSS things. Be careful with allowing it though, because they can change nearly everything on the page with CSS!

