
Author Topic: [Urgent] Searching in form generates fatal error  (Read 1206 times)

mosh

  • Hero Member
  • *****
  • Karma: 77
  • Posts: 510
  • Awesome day :)
    • cms-zen
Re: [Urgent] Searching in form generates fatal error
« Reply #15 on: April 02, 2012, 07:08:35 AM »

I switched back to the vanilla cleanXSS and filterTags.
In function filterTags I commented out this part:
Code:
<?php
if (!$tagOpen_end) {
    $preTag .= $postTag;
    $tagOpen_start = strpos($postTag, '<');
}

This removes the <> characters from the results and all errors.
It needs to be tested for side effects.

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Re: [Urgent] Searching in form generates fatal error
« Reply #16 on: April 02, 2012, 11:14:51 AM »

to address the newer issue, I figured that until the whole thing can be rewritten, I needed to be able to kill the while iteration that was adding data to the message.
To that end, this is the complete start to the filterTags  function
Quote
//FILTER TAGS
function filterTags($source) {
   global $tagBlacklist;
   $preTag = NULL;
   $postTag = $source;
   $tagOpen_start = strpos($source, '<');
   $count_start = substr_count($source, '<');
   $count_end = substr_count($source, '>');
   $counter = 0;

   while($tagOpen_start !== FALSE) {
      $counter++;
      if ($counter == $count_end || $counter == $count_start) break;

So far, I haven't had any anomalous issues.
Logged
Of all the things I have lost, it is my mind that I miss the most.

mosh

  • Hero Member
  • *****
  • Karma: 77
  • Posts: 510
  • Awesome day :)
    • cms-zen
Re: [Urgent] Searching in form generates fatal error
« Reply #17 on: April 02, 2012, 11:58:29 AM »

to address the newer issue, I figured that until the whole thing can be rewritten, I needed to be able to kill the while iteration that was adding data to the message.
To that end, this is the complete start to the filterTags  function
Quote
//FILTER TAGS
function filterTags($source) {
   global $tagBlacklist;
   $preTag = NULL;
   $postTag = $source;
   $tagOpen_start = strpos($source, '<');
   $count_start = substr_count($source, '<');
   $count_end = substr_count($source, '>');
   $counter = 0;

   while($tagOpen_start !== FALSE) {
      $counter++;
      if ($counter == $count_end || $counter == $count_start) break;

So far, I haven't had any anomalous issues.

Search with id <><><> 3
There are no results for query id <><><> 3<><> 3<> 3


« Last Edit: April 02, 2012, 12:06:47 PM by mosh »
Logged

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Re: [Urgent] Searching in form generates fatal error
« Reply #18 on: April 02, 2012, 02:25:07 PM »

filterTags() seems overly complicated and convoluted.

Plus, these strange issues.
Ah well, shall carry on banging head on table ;)
Logged
Of all the things I have lost, it is my mind that I miss the most.

mosh

  • Hero Member
  • *****
  • Karma: 77
  • Posts: 510
  • Awesome day :)
    • cms-zen
Re: [Urgent] Searching in form generates fatal error
« Reply #19 on: April 02, 2012, 04:15:11 PM »

Quote
Ah well, shall carry on banging head on table ;)

 ;D

the cleanxss needs to be rewritten.

nukpana

  • Hero Member
  • *****
  • Karma: 71
  • Posts: 663
Re: [Urgent] Searching in form generates fatal error
« Reply #20 on: April 04, 2012, 12:29:44 PM »

Before you do that, why not look at the problem here first....

So this is the search bar?  Why would you want to allow any other characters other than A-Z or 0-9? Something like <> wouldn't be allowed.

Just a thought...
Logged

nukpana

  • Hero Member
  • *****
  • Karma: 71
  • Posts: 663
Re: [Urgent] Searching in form generates fatal error
« Reply #21 on: April 04, 2012, 12:36:50 PM »

filterTags() seems overly complicated and convoluted.

http://www.phpclasses.org/browse/file/8942.html
and appears to have not been written by invarbrass, possibly outdated, not thoroughly tested, and not given credit...
Logged

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Re: [Urgent] Searching in form generates fatal error
« Reply #22 on: April 04, 2012, 03:55:19 PM »

Before you do that, why not look at the problem here first....

So this is the search bar?  Why would you want to allow any other characters other than A-Z or 0-9? Something like <> wouldn't be allowed.

Just a thought...

Not just search bar, but comments as well.
Original memory issue bogged the site down if <> were used ie, like id<>3. Now, we are seeing anomalous characters being added after filtering. Character sets like this should be possible in comments.
Logged
Of all the things I have lost, it is my mind that I miss the most.

sibas

  • Sr. Member
  • ****
  • Karma: 23
  • Posts: 451
    • www.simply4all.net
Re: [Urgent] Searching in form generates fatal error
« Reply #23 on: April 05, 2012, 12:39:50 AM »

I like nukpana's idea:
allow only the characters A-Z and 0-9 for search and comments.
Security must come first, as a fatal memory error can easily lead to a buffer overflow hack.

In my pc with official snews 1.7
id <> 3 returns
Quote
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 33554438 bytes) in C:\xampplite\htdocs\snews-official\snews.php on line 3484
Call Stack
#   Time   Memory   Function   Location
1   0.0003   339560   {main}( )   ..\index.php:0
2   0.0163   2468352   center( )   ..\index.php:37
3   0.0163   2468440   search( )   ..\snews.php:523
4   0.0164   2468472   cleanXSS( )   ..\snews.php:1320
5   0.6065   36022952   filterTags( )   ..\snews.php:3451

If I try
id <> global <> $fail
continues and returns one more
Quote
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 1003357 bytes) in C:\xampplite\htdocs\snews-official\snews.php on line 3499
Call Stack
#   Time   Memory   Function   Location
1   0.0004   339616   {main}( )   ..\index.php:0
2   0.0167   2468400   center( )   ..\index.php:37
3   0.0167   2468488   search( )   ..\snews.php:523
4   0.0167   2468520   cleanXSS( )   ..\snews.php:1320
5   0.0394   3475640   filterTags( )   ..\snews.php:3451
6   9.1369   132152992   substr ( )   ..\snews.php:3499

And if I try something else like
$categorySEF <> global <> $fail <> 3
it returns
Don't try this if you have a slow PC
Quote
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 342676 bytes) in C:\xampplite\htdocs\snews-official\snews.php on line 3499
Call Stack
#   Time   Memory   Function   Location
1   0.0003   339664   {main}( )   ..\index.php:0
2   0.0168   2468440   center( )   ..\index.php:37
3   0.0168   2468528   search( )   ..\snews.php:523
4   0.0168   2468560   cleanXSS( )   ..\snews.php:1320
5   0.0362   2815856   filterTags( )   ..\snews.php:3451
6   26.8479   132526736   substr ( )   ..\snews.php:3499

Check the time!!
After this I stopped trying more because I don't want to barbecue my CPU.  >:(
« Last Edit: April 05, 2012, 12:50:16 AM by sibas »
Logged

nukpana

  • Hero Member
  • *****
  • Karma: 71
  • Posts: 663
Re: [Urgent] Searching in form generates fatal error
« Reply #24 on: April 05, 2012, 05:28:36 AM »

Before you do that, why not look at the problem here first....

So this is the search bar?  Why would you want to allow any other characters other than A-Z or 0-9? Something like <> wouldn't be allowed.

Just a thought...

Not just search bar, but comments as well.
Original memory issue bogged the site down if <> were used ie, like id<>3. Now, we are seeing anomalous characters being added after filtering. Character sets like this should be possible in comments.
Right but you don't need to use the same function for both applications.... one can use certain characters and another shouldn't.

The search bar could be simply (probably bad coding...):
Code:
// space, letters, and numbers only
$source = preg_replace('/[^ A-Za-z0-9]/i', '', $source);

So an XSS to the search bar like so:
Code:
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
would look like this:
Code:
SCRIPTSRChttphackersorgxssjsSCRIPT

Comments could be: (noted from here - yes doing some research to see what is out there...):
Code:
// convert to UTF-8, then encode HTML special characters, including both quote types
$str = mb_convert_encoding($str, 'UTF-8');
$str = htmlentities($str, ENT_QUOTES, 'UTF-8');

Same test would look like:
Code:
&lt;SCRIPT/SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;

The question is really what do you (the user of the script) want to allow and throw away?  Again, more testing is needed as these may not be end solutions, but it is more targeted and appears to be a lot more efficient than what is already there.

More reading as well:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Logged
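
The split proposed in reply #24 (one rule for the search box, another for comments), run over the inputs quoted in this thread. This is an added example, not sNews code or code from any poster; the function names, the 64-character cap and the ENT_SUBSTITUTE flag are assumptions of the example.

```php
<?php
// Added example; not sNews code. Names and the 64-character cap are assumptions.

// Search box: allowlist (space, letters, digits) with bounded work per request.
function clean_search_term(string $source, int $maxLen = 64): string
{
    $source = substr($source, 0, $maxLen * 4);   // hard byte cap before any regex runs
    $clean  = (string) preg_replace('/[^ A-Za-z0-9]/', '', $source);
    $clean  = (string) preg_replace('/ {2,}/', ' ', $clean); // gaps left by removed chars
    return trim(substr($clean, 0, $maxLen));
}

// Comments: keep the text as typed and encode it where it is written into HTML.
function encode_comment(string $str): string
{
    // ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ''.
    return htmlentities($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inputs quoted in the thread, plus one constructed oversized string.
$samples = [
    'id <> 3',
    '$categorySEF <> global <> $fail <> 3',
    '<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
    str_repeat('<>', 100000),
];

foreach ($samples as $s) {
    $start   = microtime(true);
    $search  = clean_search_term($s);
    $comment = encode_comment(substr($s, 0, 60));   // truncated for display only
    printf("search=[%s]\ncomment=[%s]\n%.4f s, peak %d KiB\n\n",
        $search, $comment, microtime(true) - $start,
        intdiv(memory_get_peak_usage(), 1024));
}
```

Both functions make a single pass over a capped input, so time and memory stay flat for the strings that exhausted memory in reply #23, and encoding at output keeps text such as `id <> 3` displayable in comments.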

sibas

  • Sr. Member
  • ****
  • Karma: 23
  • Posts: 451
    • www.simply4all.net
Re: [Urgent] Searching in form generates fatal error
« Reply #25 on: April 05, 2012, 05:59:34 AM »

OWASP is a very nice rescue site;
you can try this video to see how easy it is to break anything.
Logged