Bytes IT Community

Does this php script cause a security hole?

Someone told me the following script could be used to run harmful
commands on the server, by passing commands into the script. What the
script does is encode an affiliate URL, create two frames, with the
affiliate URL decoded and placed in the bottom URL. The top frame
contains http://www.domain.com/selectanothercard.html for navigation
back to the originating site.

The script is accessed with a link like this:

<a href="sendcard.php?url=<? echo
base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
?>" target=_top>Send Card</a>

The affiliate URL is first encoded, because otherwise it breaks (the
ampersands cause problems). I tried another frame re-directing script,
but it wouldn't carry through the affiliate info properly, so someone
created this php script to encode/decode and create the frames.

Could this script be used to send harmful commands to the server? If
so, is there any way of modifying the script to fix that? Perhaps there
are other alternatives to passing an affiliate URL into a frame like
this script does?

Jason

<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
</head>
<frameset rows="50,*" cols="*" framespacing="0" frameborder="NO"
border="0">
<frame src="http://www.domain.com/selectanothercard.html"
name="topFrame" scrolling="NO" noresize >
<frame src="<? echo base64_decode($url); ?>" name="mainFrame">
</frameset>
<noframes>
<body>
Your browser does not support frames.
</body>
</noframes>
</html>

<?
//////////////////////////////////////////////////////////////////////////////
// NOTES
//////////////////////////////////////////////////////////////////////////////
/*

HOW TO LINK TO THIS FRAMESET
----------------------------

* Your document that contains the links, must have the file extension
.php

EXAMPLE LINK:

<a href="sendcard.php?url=<? echo
base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
?>" target=_top>Send Card</a>

*/

//////////////////////////////////////////////////////////////////////////////
// END NOTES
//////////////////////////////////////////////////////////////////////////////
?>

Jul 17 '05 #1
8 Replies


No security issues that I can see (though I wouldn't take my word alone), as
it doesn't take any input from the user apart from clicking the link, which
is not handled by PHP anyway...

HTH

<ja************@yahoo.co.uk> wrote in message
news:11**********************@z14g2000cwz.googlegroups.com...
<snip>

Jul 17 '05 #2

On second inspection, there may be an issue if you have register globals
enabled... this is because of this code:

<? echo base64_decode($url); ?>

If you have register_globals enabled on your web-server, then an attacker
could put data into the $url variable via the URL, which is bad... In order
to fix it, I recommend sanitizing the $url var before you use it (maybe even
after you've decoded it), then once you've sanitized the input, embed it
into the href attribute of the <a> tag.

HTH

"Aidan" <no**********@linknet.com.au> wrote in message
news:ne********************@titan.linknet.com.au...
No securtiy issues that I can see (though I wouldn't take my word alone),
as it doesn't take any input from the user apart from clicking the link,
which is not handled by PHP anyway...

HTH

<ja************@yahoo.co.uk> wrote in message
news:11**********************@z14g2000cwz.googlegroups.com...
<snip>


Jul 17 '05 #3

<ja************@yahoo.co.uk> wrote in message
news:11**********************@z14g2000cwz.googlegroups.com...
Someone told me the following script could be used to run harmful
commands on the server, by passing commands into the script. What the
script does is encode an affiliate URL, create two frames, with the
affiliate URL decoded and placed in the bottom URL. The top frame
contains http://www.domain.com/selectanothercard.html for navigation
back to the originating site.


I don't see any server side problem either. There could be a cross-site
scripting vulnerability in the code though. If I email the following url to
unsuspecting users of your site:

http://whatever.net/sendcard.php?url...ocument.cookie)

then I can potentially steal the cookie (PHP session id et al) when they
click on the link. I'm hedging my response a bit, because Javascript
execution is more limited in a frameset page. I'm 90% sure though that the
browser would run the JS snippet in the URL.

There's almost a potential for a phishing attack.
Jul 17 '05 #4

ja************@yahoo.co.uk wrote:
Someone told me the following script could be used to run harmful
commands on the server, by passing commands into the script.


If in doubt, assume your code is insecure.

Basic rule of thumb is "Never use variables the come from the client for
anything without checking them first." (especially the querystring as its
the first place someone will try to tinker)

--

Rick

Digital Printing
www.intelligence-direct.com - 01270 215550
Jul 17 '05 #5

ja************@yahoo.co.uk wrote:
Someone told me the following script could be used to run harmful
commands on the server, by passing commands into the script. What the
script does is encode an affiliate URL, create two frames, with the
affiliate URL decoded and placed in the bottom URL. The top frame
contains http://www.domain.com/selectanothercard.html for navigation
back to the originating site.
I'd rather use the 'Back' button in my browser.

The script is accessed with a link like this:

<a href="sendcard.php?url=<? echo
base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
?>" target=_top>Send Card</a>

The affiliate URL is first encoded, because otherwise it breaks (the
ampersands cause problems). I tried another frame re-directing script,
but it wouldn't carry through the affiliate info properly, so someone
created this php script to encode/decode and create the frames.
With htmlspecialchars() you get a shorter encoding.

Could this script be used to send harmful commands to the server? If
so, is there any way of modifying the script to fix that? Perhaps there
are other alternatives to passing an affiliate URL into a frame like
this script does?

Jason

<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
</head>
<frameset rows="50,*" cols="*" framespacing="0" frameborder="NO"
border="0">
<frame src="http://www.domain.com/selectanothercard.html"
name="topFrame" scrolling="NO" noresize >
<frame src="<? echo base64_decode($url); ?>" name="mainFrame">
Suppose that base64_decode($url); decodes to the following:

"></frameset> <script
src="http://www.badguy.com/nasty_thing.js"></script><input type="hidden"
value="

(note that the first quotes will close the starting quotes from <frame
src=" and then the <input> will leave open quotes that match the ending
quote of <frame src="...">)

The resulting HTML sent to the browser would be:

...
<frame src=""></frameset> <script
src="http://www.badguy.com/nasty_thing.js"></script><input type="hidden"
value="" name="mainFrame">
...
In that case your frameset HTML code will be compromised (nasty_thing.js
could do things like rewriting your documents, or loading a URL of its
choice into any of them [however, the browser might set some
restrictions for scripts belonging to another domain name]).

The fix is simple: use htmlspecialchars(base64_decode($url)). The quotes
will be replaced by &quot; and the processed HTML code will look like:

<frame src="&quot;&gt;&lt;/frameset&gt; &lt;script
src=&quot;http://www.badguy.com/nasty_thing.js...t&gt;&lt;input
type=&quot;hidden&quot; value=&quot;" name="mainFrame">
...

which will confuse the browser (invalid URL for src) but nothing else.
</frameset>
<noframes>
<body>
Your browser does not support frames.
You should try your best to deliver useful content to the user.
</body>
</noframes>
</html>

<snip>
Jul 17 '05 #6

> I'd rather use the 'Back' button in my broswer.

That would have been simpler, but it requires 2 clicks to get back to
my site, otherwise you're sent forwards again, because of how the
affiliate program is set up.

The altered script looks like the following? I don't need to adjust the
'encode' URL as well?

<frame src="<? echo htmlspecialchars(base64_decode($url)); ?>"
name="mainFrame">
</frameset>

Jason

Jul 17 '05 #7

"Chung Leong" <ch***********@hotmail.com> wrote in message
news:e5********************@comcast.com...
<snip>

I don't see any server side problem either. There could be a cross-site
scripting vulnerability in the code though. If I email the following url

to unsuspecting users of your site:

http://whatever.net/sendcard.php?url...ocument.cookie)

then I can potentially steal the cookie (PHP session id et al) when they
click on the link. I'm hedging my response a bit, because Javascript
execution is more limited in a frameset page. I'm 90% sure though that the
browser would run the JS snippet in the URL.

There's almost a potential for a phishing attack.


Yup, it does work. The following code will bring up the PHP session id:

<? session_start(); ?>
<frameset rows="50,50">
<frame src="http://localhost/test/info.php">
<frame src="javascript: alert(parent.document.cookie);">
</frameset>

To actually exploit it, someone would replace alert() with code that sends
the cookie to another web site.

Jul 17 '05 #8
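Pulling the thread's advice together (the register_globals point in #3, the "></frameset> injection and the htmlspecialchars() fix in #6, and the javascript: frame src confirmed in #8), here is an added example of how sendcard.php could validate the decoded value before it reaches the frame. This is example code written for this page, not the script from the original post; the allowed-host list, the fallback URL and the helper names are assumptions. Note that htmlspecialchars() on its own would not stop the javascript: case, because that string contains none of the characters it escapes, so the example checks the scheme and host first and applies entity encoding on output as a second layer.

```php
<?php
// Added example, not the original sendcard.php: validate a base64-encoded
// affiliate URL before it is placed in a <frame src="...">.
//
// Assumptions (not from the thread): the affiliate hosts are known in
// advance and listed here; the host names and the fallback URL are
// hypothetical placeholders.

$ALLOWED_HOSTS = array('affiliateurl.com', 'www.affiliateurl.com');

/**
 * Decode $encoded and return the URL only if it is a plain http(s) URL on
 * an allowed host; otherwise return null. This rejects javascript:, data:,
 * attribute-breaking quotes, and anything that is not an absolute URL.
 */
function safe_affiliate_url($encoded, array $allowed_hosts)
{
    // strict mode: anything outside the base64 alphabet is rejected
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        return null;
    }
    // control characters and whitespace have no place in a URL and can be
    // used to smuggle a scheme past naive string checks
    if (preg_match('/[\x00-\x20\x7f]/', $decoded)) {
        return null;
    }
    if (filter_var($decoded, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($decoded);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return null;
    }
    return $decoded;
}

/** Build the frame tag; the attribute value is always entity-encoded. */
function frame_for($url)
{
    return '<frame src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '" name="mainFrame">';
}

// --- what sendcard.php would do with the request ---
// Read the parameter explicitly so behaviour does not depend on register_globals.
$encoded = isset($_GET['url']) ? $_GET['url'] : '';
$url = safe_affiliate_url($encoded, $ALLOWED_HOSTS);
if ($url === null) {
    $url = 'http://www.domain.com/selectanothercard.html'; // hypothetical fallback
}
// In the real page: echo frame_for($url);

// --- self-check using the payloads discussed in the thread ---
function expect($cond, $what)
{
    if (!$cond) {
        fwrite(STDERR, "FAIL: $what\n");
        exit(1);
    }
}

if (PHP_SAPI === 'cli') {
    $good   = base64_encode('http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345');
    $inject = base64_encode('"></frameset> <script src="http://www.badguy.com/nasty_thing.js"></script><input type="hidden" value="');
    $jsurl  = base64_encode('javascript:alert(parent.document.cookie)');
    $other  = base64_encode('http://evil.example/phish'); // constructed, not from the thread

    expect(safe_affiliate_url($good, $ALLOWED_HOSTS) !== null, 'legitimate affiliate URL accepted');
    expect(safe_affiliate_url($inject, $ALLOWED_HOSTS) === null, 'frameset injection rejected');
    expect(safe_affiliate_url($jsurl, $ALLOWED_HOSTS) === null, 'javascript: URL rejected');
    expect(safe_affiliate_url($other, $ALLOWED_HOSTS) === null, 'unknown host rejected');
    expect(strpos(frame_for('http://affiliateurl.com/?a=1&b="x"'), '"x"') === false, 'quotes encoded on output');
    echo "all checks passed\n";
}
```

Run it from the command line with `php sendcard_check.php`; in the web page, drop the self-check and echo frame_for($url) in place of the original `<frame src="<? echo base64_decode($url); ?>" ...>` line. The entity encoding on output is still needed even for good input, since the ampersands in the affiliate query string belong as &amp; inside an attribute, which answers the question in #7 about whether the encoding side needs changing (it does not). As the last reply hints, if the set of affiliate links is fixed, passing a short card id and looking the full URL up on the server removes the need to accept a client-supplied URL at all.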

<ja************@yahoo.co.uk> wrote in message
news:11**********************@z14g2000cwz.googlegroups.com...
Someone told me the following script could be used to run harmful
commands on the server, by passing commands into the script. What the
script does is encode an affiliate URL, create two frames, with the
affiliate URL decoded and placed in the bottom URL. The top frame
contains http://www.domain.com/selectanothercard.html for navigation
back to the originating site.

The script is accessed with a link like this:

<a href="sendcard.php?url=<? echo
base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
?>" target=_top>Send Card</a>

The affiliate URL is first encoded, because otherwise it breaks (the
ampersands cause problems). I tried another frame re-directing script,
but it wouldn't carry through the affiliate info properly, so someone
created this php script to encode/decode and create the frames.
And your problem with using urlencode is? Furthermore, is it really necessary
to send all that information to your server via a URL?
Could this script be used to send harmful commands to the server?


Yes, but the problem does not rest with the affiliate script, it depends on
the what the script (sendcard.php) that processes the link does with the
information.

Jul 17 '05 #9
