vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Programming Articles (https://vborg.vbsupport.ru/forumdisplay.php?f=188)
-   -   Reasons never to allow HTML (https://vborg.vbsupport.ru/showthread.php?t=68184)

CarCdr 08-09-2004 10:00 PM
Reasons never to allow HTML
 
This was written in response to various queries regarding the use of HTML, most recently in this thread.
-----------------

In general, one is probably fine allowing bbcodes, although I do not know if bbcodes like IMG and URL are safe. (See below.)

While vB provides the capability to allow HTML, one should never use it. It opens your board to attack.

Use bbcodes. If you need to emulate an HTML tag, write a new bbcode.

The problem with allowing the injection of HTML is a complicated one. There is no 100% safe method to allow HTML and feel secure. Some of the issues and interactions are:

1. The obviously dangerous tags like SCRIPT and APPLET are not the only danger. Any injection of a URL can be dangerous. Any tag that allows for a URL (e.g., a, img, frame, ...) can be used for cross-site scripting and cookie stealing, which can allow someone to hack into your board.

2. Hackers can use various tricks that would result in a tag getting through the filter imposed by the PHP checker. Possible examples:
a) <sc\0ript> becomes <script>
b) <scr<embed>ipt> becomes <embed> or <script>

3. Then there is the issue of malicious tag attributes and events such as onclick and onmouseup.

--------
Potentially dangerous tags that accept URL's:
A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH, TR

Dean C 08-10-2004 11:11 AM
I'll move this over to modifications hints and tips - I think we need a rename of that forum :)

Natch 08-10-2004 10:19 PM
Handy Hints 4 Board Admins?

deathemperor 08-10-2004 11:52 PM
good hints
HTML is magic.

Gutspiller 08-17-2005 09:41 PM
Or you can just censor certain html tags and be a little safer:

Code:
<style </style <iframe </iframe <link </link <basefont </basefont <base </base <th </th <tfoot </tfoot <tbody </tbody <thead </thead <body </body <meta </meta <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover <fieldset :absolute style="position "position absolute; <caption onMouseOut view-source
:ermm:

Zachery 08-17-2005 09:44 PM
Quote:
Originally Posted by Gutspiller
Or you can just censor certain html tags and be a little safer:

Code:
<style </style <iframe </iframe <link </link <basefont </basefont <base </base <th </th <tfoot </tfoot <tbody </tbody <thead </thead <body </body <meta </meta <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover <fieldset :absolute style="position "position absolute; <caption onMouseOut view-source
:ermm:
Censor is really easy to get around :)

FrozenCreations 08-24-2005 10:54 PM
i have an even better reason /;

do not alow <img /> tags!!

<HTML>
<BODY>
<IMG SRC="./bsod.gif" width="9999999"height="9999999" />
</BODY>
</HTML>

INSTANT DOOM!! muahahahahahaha

(it chrashes the page ;)

AN-net 08-25-2005 05:23 AM
Quote:
Originally Posted by Gutspiller
Or you can just censor certain html tags and be a little safer:

Code:
<style </style <iframe </iframe <link </link <basefont </basefont <base </base <th </th <tfoot </tfoot <tbody </tbody <thead </thead <body </body <meta </meta <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover <fieldset :absolute style="position "position absolute; <caption onMouseOut view-source
:ermm:
there are still so many more possibilities to use vicious javascript and code

FrozenCreations 08-25-2005 08:14 PM
and theres always my instant doom img tag :)

the downside is, you gota upload your own pic /;

Tradjick 09-28-2005 03:17 AM
And when enabling HTML only for Admins, would that be safe, beside the risk that someone gets Admin access?

EliasAlucard 01-30-2013 02:44 PM
Do they have to register an account and write something in the HTML-enabled section in order to exploit security vulnerabilities, or is it enough to just enable HTML in the first place in order to open up the forum for vulnerabilities?

Digital Jedi 01-30-2013 03:10 PM
Quote:
Originally Posted by EliasAlucard (Post 2400527)
Do they have to register an account and write something in the HTML-enabled section in order to exploit security vulnerabilities, or is it enough to just enable HTML in the first place in order to open up the forum for vulnerabilities?
The risk is someone using the HTML on your forum. So whatever usergroup has the ability, is where the risk lies.

EliasAlucard 01-30-2013 03:16 PM
Quote:
Originally Posted by Digital Jedi (Post 2400533)
The risk is someone using the HTML on your forum. So whatever usergroup has the ability, is where the risk lies.
Do they have to post with special HTML tags or is it enough that someone posts something like <sup> in order to enable HTML to become a vulnerability risk?

Digital Jedi 01-30-2013 05:04 PM
Quote:
Originally Posted by EliasAlucard (Post 2400535)
Do they have to post with special HTML tags or is it enough that someone posts something like <sup> in order to enable HTML to become a vulnerability risk?
The danger doesn't come from the HTML just existing in a post. The danger comes from the person posting using raw HTML code.

Whatever HTML code he puts in a post, becomes that on the forum. If he posts the code that makes a table, it becomes a table in his post. If he posts the raw HTML code for embedding a YouTube video, it becomes an embedded YouTube video in his posts.

So the danger comes from the person, and what he's choosing to post. If he wants to post malicious code, he has fee access to do so. That's why BBCode is more secure. BBCode only turns into the HTML you decided it will turn into.

NOTE: Don't confuse this with the [HTML][/HTML] BBCode tags. This has nothing to do with what they're talking about above. This just displays code in such a way that it stays formatted. No matter what anyone puts here, it will just display text with the spacing preserved and color coding added.

HTML Code:
<table>
    <tr>
          <td>This is just a way to share code. It can't actually turn into a table.</td>
    </tr>
</table>

final kaoss 01-30-2013 09:31 PM
Wow a 9 year old thread revived?


All times are GMT. The time now is 02:35 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01331 seconds
  • Memory Usage 1,752KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (3)bbcode_code_printable
  • (1)bbcode_html_printable
  • (5)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (15)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete