MakeWebGames

Session Hijacking - BBCODE


chaoswar4u


<?php
// Pass the URL captured from every [img=...] tag through imagefix().
// (The original used preg_replace() with a bare $1, which is not valid PHP;
// preg_replace_callback() is the working form of the same idea.)
$text = preg_replace_callback('/\[img=(.+?)\]/', function ($m) {
    return imagefix($m[1]);
}, $text);

function imagefix($s)
{
    // Keep only absolute http:// URLs that do not point back at this site
    if (stripos($s, 'http://') === 0 && stripos($s, 'yoursite.com') === false)
        return $s;
    else
        return '';
}


This makes sure every image URL begins with 'http://'.

I believe this is the only actual solution to the problem after reading this thread for a while now...

Any other solutions (checking extension, checking image size) can all be circumvented since the images are hosted off-site. You cannot control how those files are served or how those files will change over time.

Checking that the image is hosted externally, not on your website, will make sure they can't just include logout.php (as in crimgame's example).

The best solution would just be to only allow external images from accepted image hosts.


Note: This implementation is really bad; I just wrote it up in like 10 seconds. Obviously this particular implementation means they won't be able to link to images hosted on your site, if you're hosting images or stuff. If anybody wants to improve it then feel free; the concept is more important.
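The post above argues for two checks: the image URL must be absolute and off-site, and ideally its host must be on an accepted list. The following is an added example, not code from the thread or from any game engine mentioned in it, that puts both checks into one [img=...] handler together with the output escaping the later posts mention. The host names, the `safe_image_url` and `render_img_tags` function names and the sample posts are all constructed for the example.

```php
<?php
// Added example (not from the thread): a hardened [img=...] handler built on the
// allowlist idea above. Host names below are constructed placeholders.

// Hosts that are allowed to serve images; compared exactly and case-insensitively.
$ALLOWED_IMAGE_HOSTS = array('img.example-imagehost.test', 'cdn.example-photos.test');

// Return a safe absolute URL, or null if the URL must be rejected.
function safe_image_url($url, array $allowedHosts)
{
    $url = trim($url);
    if (strlen($url) > 2048) {           // refuse absurdly long inputs
        return null;
    }
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host']) || empty($p['path'])) {
        return null;                      // relative URLs such as logout.php never get through
    }
    // Only plain web schemes; this blocks javascript:, data:, file: and friends.
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return null;
    }
    // Exact host match against the allowlist, so a substring such as
    // evil.test/img.example-imagehost.test in the path does not help.
    if (!in_array(strtolower($p['host']), $allowedHosts, true)) {
        return null;
    }
    // The extension is checked on the path only, so ?x=.gif in the query does not count.
    if (!preg_match('/\.(?:gif|jpe?g|png)$/i', $p['path'])) {
        return null;
    }
    // Rebuild the URL from the parsed parts so userinfo, port and fragment are dropped.
    $rebuilt = strtolower($p['scheme']) . '://' . strtolower($p['host']) . $p['path'];
    if (isset($p['query'])) {
        $rebuilt .= '?' . $p['query'];
    }
    return $rebuilt;
}

// Replace [img=...] tags; rejected URLs are dropped rather than echoed back.
function render_img_tags($text, array $allowedHosts)
{
    return preg_replace_callback('/\[img=(.+?)\]/i', function ($m) use ($allowedHosts) {
        $safe = safe_image_url($m[1], $allowedHosts);
        if ($safe === null) {
            return '';
        }
        // Escape before embedding so a quote in the URL cannot break out of the attribute.
        return '<img src="' . htmlspecialchars($safe, ENT_QUOTES, 'UTF-8') . '" alt="User submitted image" />';
    }, $text);
}

// Constructed sample posts for a quick self-check.
$samples = array(
    '[img=http://img.example-imagehost.test/pic.png]',                 // kept
    '[img=logout.php]',                                                 // relative: rejected
    '[img=http://yoursite.test/logout.php]',                            // not an image host: rejected
    '[img=http://img.example-imagehost.test/logout.php?x=.gif]',       // extension only in the query: rejected
    '[img=javascript:alert(1)]',                                        // bad scheme: rejected
    '[img=http://img.example-imagehost.test/a.png" onerror="alert(1)]', // path does not end in an image extension: rejected
);
foreach ($samples as $s) {
    echo $s, ' => ', render_img_tags($s, $ALLOWED_IMAGE_HOSTS), "\n";
}
```

Rebuilding the URL from the parsed components, rather than passing the user's string through, is what makes the later `htmlspecialchars()` call a second line of defence instead of the only one: anything that survives is already scheme, host and path from a known-good list.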


Would not something similar to

<?php
	$img = 'http://static.php.net/www.php.net/images/php.gif';
	$parseURL = parse_url(trim($img));
	// Prefer the host component; for a scheme-less URL fall back to the first path segment
	// (array keys must be quoted, and array_shift() needs a real variable to work on)
	if (!empty($parseURL['host'])) {
		$img_host = trim($parseURL['host']);
	} else {
		$segments = explode('/', $parseURL['path'], 2);
		$img_host = trim(array_shift($segments));
	}
	// Keep the URL only if the full host string is on the accepted list
	$img = in_array($img_host, array('imageshack', 'photobucket')) ? $img : 'Broken image.';
?>

I just knocked that up and didn't test it, so I'm sure I'm wrong lol, but roughly it's: if the hostname isn't imageshack or photobucket it will return 'Broken image.' You could in fact add more onto it, checking the actual file type and image size...


I do have to say, my fix was not the correct way. However, I am pulling this script from the engine of DeadlyKillah; it works. Even seanybob has tried it, as I let him try, and we have managed to get it fixed. I also have to say thanks to seany for the help on finding the exploit and directing me to a fix. Anyway, this should work. I'm only providing the script, nothing more.


// Require http://host/path ending in an image extension; the hyphen is moved to the
// end of the character class so PCRE2 (PHP 7.3+) does not reject it as a bad range
if(!preg_match('~http://([\w-]+\.)+[\w-]+(/[\w ./-]*)+\.(?:gif|jpg|jpeg|png|bmp)~i', $picString))	{
	echo 'Invalid Image!';
	$h->endpage();
	exit;
}


Work it out yourselves, and yes, it actually does work.


I wonder if this would be any use

http://www.ietf.org/rfc/rfc2396.txt

Specifically section B

[..]"B. Parsing a URI Reference with a Regular Expression

As described in Section 4.3, the generic URI syntax is not sufficient to disambiguate the components of some forms of URI. Since the "greedy algorithm" described in that section is identical to the disambiguation method used by POSIX regular expressions, it is natural and commonplace to use a regular expression for parsing the potential four components and fragment identifier of a URI reference.

The following line is the regular expression for breaking-down a URI reference into its components.

     ^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?
      12            3  4          5       6  7        8 9

The numbers in the second line above are only to assist readability; they indicate the reference points for each subexpression (i.e., each paired parenthesis). We refer to the value matched for subexpression <n> as $<n>. For example, matching the above expression to" [..]

(edit)

Quick Research:

(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*\.(?:jpg|gif|png))(?:\?([^#]*))?(?:#(.*))?

^https?://(?:[a-z\-]+\.)+[a-z]{2,6}(?:/[^/#?]+)+\.(?:jpg|gif|png)$

Source*
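To show what the RFC 2396 expression quoted above actually gives you, here is an added example (not from the thread) that splits a URI reference into its numbered components and then applies the image check to the path component alone. The function names `split_uri_reference` and `looks_like_remote_image` and the sample URLs are constructed for the example.

```php
<?php
// Added example (not part of the thread): split a URI reference with the RFC 2396
// Appendix B regular expression, then apply the image check to the path component only.
// Sample URLs are constructed.

function split_uri_reference($uri)
{
    // Group numbers follow the RFC: 2=scheme, 4=authority, 5=path, 7=query, 9=fragment
    if (!preg_match('~^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?~', $uri, $m)) {
        return null; // the pattern matches any string, so this does not normally happen
    }
    // PHP omits trailing groups that did not participate, hence the isset() checks
    return array(
        'scheme'    => isset($m[2]) ? $m[2] : '',
        'authority' => isset($m[4]) ? $m[4] : '',
        'path'      => isset($m[5]) ? $m[5] : '',
        'query'     => isset($m[7]) ? $m[7] : '',
        'fragment'  => isset($m[9]) ? $m[9] : '',
    );
}

// True only for absolute http(s) references whose *path* ends in an image extension.
function looks_like_remote_image($uri)
{
    $c = split_uri_reference($uri);
    return $c !== null
        && in_array(strtolower($c['scheme']), array('http', 'https'), true)
        && $c['authority'] !== ''
        && preg_match('/\.(?:jpg|jpeg|gif|png)$/i', $c['path']) === 1;
}

$samples = array(
    'http://img.example.test/photo.jpg',             // image
    'http://img.example.test/logout.php?fake=.jpg',  // reject: extension is in the query, not the path
    'http://img.example.test/logout.php#.png',       // reject: extension is in the fragment
    'logout.php',                                    // reject: no scheme or authority
    'ftp://img.example.test/photo.png',              // reject: not http(s)
);
foreach ($samples as $u) {
    $c = split_uri_reference($u);
    printf("%-46s scheme=%-5s authority=%-18s path=%-12s query=%-9s -> %s\n",
        $u, $c['scheme'], $c['authority'], $c['path'], $c['query'],
        looks_like_remote_image($u) ? 'image' : 'reject');
}
```

The point of splitting first is that an unanchored extension check over the whole string, like the `(?:gif|jpg|jpeg|png|bmp)` pattern earlier in the thread, is satisfied by a `.jpg` anywhere in the query or fragment; checking `$5` (the path) on its own is not.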


I use something like this.

Not sure if this is right (using my iPhone to copy/paste and post).

        // The /e (eval) modifier the original used is removed in PHP 7;
        // a callback does the same job without eval
        $bbcode = array(
            0 => '/\[img\](.+?)\[\/img\]/');

        // Callback that builds the <img> tag from the captured URL
        $html = array(
            0 => function ($m) {
                return "<img src='" . $this->secureimg($m[1]) . "' alt='User submitted image' title='User submitted image' />";
            });

        ksort($bbcode);
        ksort($html);

        // Apply each pattern with its matching callback
        $post_bbcode_treated = $code;
        foreach ($bbcode as $i => $pattern) {
            $post_bbcode_treated = preg_replace_callback($pattern, $html[$i], $post_bbcode_treated);
        }

You will need to make a function secureimg(), but you could use something like

function secureimg($img) {
    // getimagesize() fetches the remote file and returns an array only for a real image
    $img2 = @getimagesize($img);
    if (is_array($img2)) {
        return $img;
    } else {
        // not an image: substitute a local placeholder
        return 'images/broken.gif';
    }
}

BTW - this is untested and could be wrong; I'm using my FTP On The Go app to copy code and remove some code.


Gee, we are all screwed; nothing works. Not telling me this issue has not been resolved anywhere.


TC seems to have it patched.


They seem to have it where if it's an image it works as normal, but if you enter a .php it kills the bb tag and loads just the text.


Any help to anyone to resolve this?


I saw this post yesterday, and was just laughing at some of you saying it can't be done.

Yes it can, because I had a go, and I have done it myself, and yes it works fine ;)

So what should I do, give all of you people a challenge to try and figure it out yourselves, or should I post?

Here is a working version: http://86.185.88.98/Tests/Image%20Fix/

By the way this is my local server (localhost), so if it says Page Cannot Be Found, then I put localhost offline.

Yes this can be XSS'ed, because I haven't done htmlspecialchars() on this, because your normal mccode parser does that itself.

So no need for me to add it on here, because you will most probably add it into your bbcode function/class.

Now I'm going to wait for some of you to reply.

:)
