Session Hijacking - BBCODE

[chaoswar4u]

Thanks to Immortalthug trying his tricks on my site the logs showed me all his methods and some bugs fixed.

 

I would say Immortalthug to ask in future before messing around on my site, unless your intent was to cause chaos, then as they say what goes around comes around.

Be careful with this dude people!

 

This issue im unsure on resolving is my forums and profile signatures. They indeed use BBCODE which has security issues that link to the session hijacking exploit.

 

Im aware of the methods and have them implemented regarding verifing a single image but unsure of the most effective way to secure a forum or profile sig that contains multiple images.

 

Most of which use the tag and of which is used to exploit the session hijacking. Yes I could disable this tag but would also disable 75% of all sigs on my site that contain images.

 

Im aware that I could change the file that is always exploited however id prefer to stop the exploit direct.

Does anyone have any advice to resolve this issue.

 

Many thanks in advance.

Chaos

[Zero-Affect]

I come across this method about 10 month ago it's not very new im sure BUG may have got the idea from External Link. I don't think BUG really did mean any harm but Bug you do need to ask permission...

maybe getimagesize() would work?

[Analog]

I'm not sure how to secure the tag but...

With the seasion hi-jacking couldn't you store an accounts host (not IP) at login in a separate table and then check against that to prevent it.

[iSOS]

getimagesize() is a decent prevention method, but it only checks the first few bytes of the image, so anything after the first bytes are not validated & anyone with know how can insert code into there images.

Another method could be just allow linking to *trusted* image hosts, imageshack ect.

Or allow uploading of images. (IMO alot better than linking to them as it allows more control over what's on your site.)

[seanybob]

The most common method I'm aware of for session hijacking via bbcode with the img tag involves escaping the 'src' tag when the bbcode is parsed.

And... to do that, they have to find a site that has a bbcode parser that doesn't strip apostrophes and/or allows spaces (depending on how it is parsed).

Do a php str replace on all bbcode img tags, and replace spaces, single quotes, and double quotes with an empty string. That'll take care of skiddies. I doubt you'll have to worry about some of the more creative techniques.

[iSOS]

I don't think he's actually talking about session hijacking in this instance, I believe it's more of a case of people linking to images, that aren't images.

For instance using .htaccess to change .php into .gif, or linking straight to a URL, maybe changing yourself to an admin.

[Zero-Affect]

would

<?php
$db->query('UPDATE `users` SET `user_level` = 2 WHERE userid='.$_GET['ID']);
?>

even work if included that way, i think not but if your referring to them linking to staff_specials then i get what your saying.

[iSOS]

Just linking to scripts in general, It doesn't have to be an MC script, could be a script that redirects you to another website, anything I guess.

[Zero-Affect]

yeah i understand it's not directed to MCC it was a example but yeah i kind of provided a example earlier with the external link to dev-forum =>

[img=logout.php]

 

[Zeggy]

I think checking the extension should be good enough. As long as the urls have an image extension then nothing too bad should happen to your site.

Make sure file.gif will pass the check, but not file.php?bla=.gif

If the external server is serving php files with the .gif extension then any php code is executed on their server. It shouldn't have any affect on yours. (But this means they can track your users)

You could use getimagesize to make sure the format is an image, but getimagesize downloads the entire image, and if you are running this on every single image tag on every page load, if the images are very large your page can slow down a lot!

But the best way is as zed said, only trust popular image host urls, don't just allow any image url.

[Zero-Affect]

You could use getimagesize to make sure the format is an image, but getimagesize downloads the entire image, and if you are running this on every single image tag on every page load, if the images are very large your page can slow down a lot!

You do have a point but you could also restrict image size to like 40 kb or something and the actually resolutions of the image also...

[Zeggy]

You can't really restrict that if the images are hosted off-site.

Unless you want to scan through every image linked then figure out if they are above or below the restrictions :)

But if you do that with getimagesize then your server has downloaded the image already.

Think of it this way - if you use getimagesize, your server needs to download the image, then the client needs to download the image to the browser as well - possibly doubling the user's load time or worse.

 

But my point (that I forgot to make :P) was that you can get image size in other ways without using getimagesize and without downloading the entire image - just the first few bytes of image data.

[iSOS]

exif_imagetype() for example, also 'image_type_to_mime_type' I believe as you can associate that with exact image types.

[Joshua]

lol oh so it did work >,<

One of your Ex-Staff is having me build a game for him I was showing him something that needed to be stopped on his site ^_^

I am curious as to how to stop that as I was showing him why sigs with images using bbcode = bad

tbh I'm not 100% how to stop it as not everything in a sig is meant to be a picture, so using getimagesize would cancel out all non images, i am open suggestions tho.

Yea, no harm was intended, i just did a few basic tricks, was moderately impressed at the site being sudo secure figure'd id check the image tag.

Sorry if I lead you in the wrong direction and yea, I should have asked I was just on the phone with client when i was doing it as we were discussing your game

 

Appologies.

If i was trying to do something....malicious I wouldnt have used my board name ^_-

[rulerofzu]

Try using nbbc on sourceforge rather than the bbcode thats with mc2.

[chaoswar4u]

Well id like to thank everyone for there help on this however im yet to come up with anything that im happy with.

 

Ive tried the getimage size method but as I expected kills the whole signature.

 

I chose to mess around with Seany Bobs method.

 

I thought about using the following -

 

$text = str_replace(array(".php" , ".html", ".htm"), array("", "", ""), $text);

 

Im unsure if this is a good way to go.

 

It seems to resolve the linking issue. I will no doubt change the file that usally gets exploited for giving staff powers to people who exploit such a bug for extra security.

 

I did this awhile ago but due to past issues ive removed the and tags. The tag is a pain in the arse in general. Not only the issue with setting as admin on clicking on there profile but with members setting out links for normal actions to be made by any member.

 

 

 

The email tag I removed due to a wierd bypass I had sometime ago where they used a redirect using them tags to do site actions also.

 

I think the fix above may have stopped this anyway however I dont think the codes are required.

 

 

 

Does this above example break any of the BBCODE that anyone can see.

 

 

 

Thoughts and improvements welcome.

[Zero-Affect]

Sorry if I lead you in the wrong direction and yea, I should have asked I was just on the phone with client when i was doing it as we were discussing your game

Sorry but you was explaining to one of your clients what was wrong with his game?

$text = str_replace(array(".php" , ".html", ".htm"), array("", "", ""), $text);

not the best solution due to .htacess you can rewrite gif into php easily and bypass that one, personally i like Zeds suggestion.

[Zeggy]

Any external php files linked will be executed on the external server anyways.

It's not like they can use your database connection or read your files :)

[Haunted Dawg]

Ahh, i got to love this.. So far no one has came up with a fix. It's pretty easy really.

Let's see...

Go to your bbcode script and locate these 2 line's:

$this->engine->cust_tag("/\[img\](.+?)\[\/img\]/","");

$this->engine->cust_tag("/\/","");

Replace those with:

$this->engine->cust_tag("/\[img\](.+?)\[\/img\]/","");

$this->engine->cust_tag("/\/","");

Now locate this:

function bbcode_parse($html)

{

return $this->engine->parse_bbcode($html);

}

}

And change it to

function bbcode_parse($html)

{

return $this->engine->parse_bbcode($html);

}

function cleanIMG($string) {

if(stripos($string,'php')) {

return ''; //We return it as nothing

}

else {

return $string;

}

}

}

 

It is untested at this moment, but i think that is how i done it last time, remmember, havent been coding for about 5 month's now and i don't even have my program's and my old script's. But will ask some one to test it a.s.a.p

[Zeggy]

All that does is disallow images with 'php' in the name.

What about php.gif?

What about exploit.phtml?

A solution would be to compare the extension of the linked images against a whitelist of allowed image file types.

[chaoswar4u]

Can someone please post a fix to this.

 

To be honest ive spent hrs on the internet. Everyone has the issue and not one place ive been to offers an effective fix.

[chaoswar4u]

Lines needed to be secured.

 

$text = preg_replace("/\/", "", $text);

$text = preg_replace("/\[img\](.+?)\[\/img\]/", "", $text);

[Zero-Affect]

I am rubbish with preg coding but let me have a look

$text = preg_replace('/src=[\'"]?([^\'" >]+)[\'" >]/', '[img='.$1.']', $text);

maybe?

[chaoswar4u]

Parse error :(

[chaoswar4u]

I fixed the parse error on your example CrimGame however all it does is make all the images show as text.