boardom b2 message board
michel v (Site Admin)
Joined: 25 Jan 2002 Posts: 799 Location: Corsica
Posted: Mon Jun 23, 2003 1:57 am Post subject: Fix for possible html/javascript attacks in comments

Allowing visitors to use HTML in their comments can have nasty side-effects, such as javascript code being executed through onMouseOver events, iframes being loaded, tags being positioned with style/id attributes (this was fixed a while ago), etc.
So here's a fix that prevents such attacks:
Open b2functions.php, and look for these lines:
[php]
function balanceTags($text, $is_comment = 0) {
    global $use_balanceTags;
    if ($use_balanceTags == 0) {
        return($text);
    }
[/php]
Copy the following code, and put it right after the previous lines:
[php]
    if ($is_comment) {
        // sanitise HTML attributes, remove frame/applet tags
        // drop any on* event handler, style, class or id attribute with a double-quoted value
        $text = preg_replace('#( on[a-z]{1,}|style|class|id)="(.*?)"#i', '', $text);
        // same, for single-quoted values
        $text = preg_replace('#( on[a-z]{1,}|style|class|id)=\'(.*?)\'#i', '', $text);
        // empty any attribute whose double-quoted value is a javascript:, vbscript: or about: URL
        $text = preg_replace('#([a-z]{1,})="(( |\t)*?)(javascript|vbscript|about):(.*?)"#i', '$1=""', $text);
        // same, for single-quoted values
        $text = preg_replace('#([a-z]{1,})=\'(( |\t)*?)(javascript|vbscript|about):(.*?)\'#i', '$1=""', $text);
        // remove opening and closing frame, iframe and applet tags
        $text = preg_replace('#\<(\/{0,1})([a-z]{0,2})(frame|applet)(.*?)\>#i', '', $text);
    }
[/php]
This fix will be committed to the CVS and in later releases.
What this fix does:
It removes all style/id/class/on* attributes (on* matches all known javascript-inducing attributes), removes URLs starting with javascript/vbscript/about, and finally removes all *frame* and applet tags.
If you know about other possible attacks via HTML in comments, please email/PM me and other b2-based product developers (WordPress, b2evolution, b2++, etc).

Candle
Joined: 23 Dec 2002 Posts: 547
Posted: Mon Jun 23, 2003 6:16 am Post subject: ........

Thanks michel for the heads up on that.
_________________
My Game Forum

Mister44
Joined: 31 Oct 2002 Posts: 237 Location: Philadelphia, PA, USA
Posted: Mon Jun 23, 2003 6:43 pm Post subject: Re: Fix for possible html/javascript attacks in comments

michel v wrote:
> and put it right after the previous lines

Shouldn't it actually go between lines 2 and 3? Otherwise, if balanceTags is disabled, the comment won't get sanitized... Also if you don't entirely trust the people with posting access, you can remove the if_comment test and scrub all posts. This would not be an altogether bad thing.
Fixed in LjUpdate/YABBOB.

GamerZ
Joined: 15 May 2002 Posts: 537 Location: Singapore
Posted: Tue Jun 24, 2003 5:34 am Post subject:

Why not just use striptags in comments and use bbcode instead?
_________________
++ GamerZ.Per.Sg - Complex Simplicity

fplanque
Joined: 22 Dec 2002 Posts: 53 Location: Montpellier, South of France
Posted: Wed Jun 25, 2003 1:53 am Post subject:

Michel,
Have you actually tested this patch in the place it is?
My main concern is that the comment text is escaped with addslashes() before it gets any chance to have attributes filtered out. So, as far as I have tested it, it just won't filter out any evil javascript attribute...
I have addressed this and a few lower level issues here:
http://b2evolution.net/forums/viewtopic.php?p=164#164
_________________
-François
Check out : a blogtool for bloggers who want more!

sakichan
Joined: 14 Jul 2003 Posts: 1 Location: Kawasaki, Japan
Posted: Mon Jul 14, 2003 8:04 pm Post subject:

I'll go into full disclosure mode because b2evolution 0.8.2rc2 has been made public.
Michel's fix is not complete, because web browsers accept HTML attributes with an unquoted value, and such attributes are not checked by that fix.
That problem is fixed in b2evolution 0.8.2rc2 and newer versions, at least when the XHTML validating checker is used (that is the default in 0.8.2rc2, but Fplanque has not yet decided whether it will be the default for newer versions). He also adopted this checker not only for comments but also for blog posts, because malicious guest bloggers may try to escalate their rights by exploiting this vulnerability.
b2evolution 0.8.2rc2 (or newer versions) can be downloaded from
http://b2evolution.net/downloads/index.html
_________________
Nobuo Sakiyama
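An added example, not code from this thread or from b2/b2evolution, that puts the three points raised in the replies side by side. The first function is a Python port of the five preg_replace() calls in michel v's fix (Python stands in for the board's PHP so the behaviour can be run and checked); it is exercised on a quoted on* attribute (caught), on the unquoted attribute form sakichan describes (missed), on the same comment after addslashes() as fplanque describes (missed, because `="` has become `=\"` and no longer matches), and on an entity-encoded scheme. Beside it is an allowlist sanitizer built on the standard library's HTML parser, the direction GamerZ's strip_tags suggestion and the XHTML checker in b2evolution point in: keep a short list of tags and attributes and drop everything else, so quoting style and entity encoding stop mattering. Per Mister44's remark, it is meant to run on the raw comment, before addslashes() and regardless of the $use_balanceTags flag. The tag list, scheme list and sample comments are my choices, not from the thread.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


def regex_filter(text):
    """Python port of the five preg_replace() calls in michel v's fix (a blacklist)."""
    text = re.sub(r'( on[a-z]{1,}|style|class|id)="(.*?)"', '', text, flags=re.I)
    text = re.sub(r"( on[a-z]{1,}|style|class|id)='(.*?)'", '', text, flags=re.I)
    text = re.sub(r'([a-z]{1,})="(( |\t)*?)(javascript|vbscript|about):(.*?)"', r'\1=""', text, flags=re.I)
    text = re.sub(r"([a-z]{1,})='(( |\t)*?)(javascript|vbscript|about):(.*?)'", r'\1=""', text, flags=re.I)
    text = re.sub(r'\<(\/{0,1})([a-z]{0,2})(frame|applet)(.*?)\>', '', text, flags=re.I)
    return text


def addslashes(text):
    """Minimal equivalent of PHP's addslashes(): backslash-escapes backslash, quotes and NUL."""
    return (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\x00", "\\0"))


# Allowlist (my choice, not the project's): tag -> attributes that may survive on it.
ALLOWED = {
    "a": {"href"}, "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "blockquote": set(), "code": set(),
}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Accept relative URLs and http/https/mailto only. Whitespace and control
    characters are removed first because browsers ignore them inside a scheme;
    HTMLParser has already decoded entities such as &#106; for us."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    scheme = urlsplit(cleaned).scheme
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the comment from parsed tokens, keeping only allowlisted tags and
    attributes. Working on parsed tokens means quoting style (or no quotes) and
    entity encoding in the input no longer matter."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []                  # currently open allowlisted tags

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                       # unknown tag is dropped; its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                 # on*, style, id, class, ... never get here
            if name == "href" and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:            # also close tags nested inside it: output stays balanced
            while self.stack:
                top = self.stack.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.stack:                # close whatever the commenter left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize(text):
    """Run on the raw comment, before addslashes() and independent of $use_balanceTags."""
    p = AllowlistSanitizer()
    p.feed(text)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed samples, one per problem discussed in the thread.
    samples = [
        '<a href="x" onmouseover="alert(1)">hi</a>',   # quoted: the regexes catch it
        '<a href=x onmouseover=alert(1)>hi</a>',       # unquoted: they do not (sakichan)
        '<a href="&#106;avascript:alert(1)">x</a>',   # entity-encoded scheme
    ]
    for s in samples:
        print(s)
        print("  regex (raw):        " + regex_filter(s))
        print("  regex (addslashed): " + regex_filter(addslashes(s)))   # fplanque's ordering issue
        print("  allowlist:          " + sanitize(s))
```

Dropping an unknown tag but keeping its text (rather than rejecting the whole comment) is a usability choice; a validating checker like b2evolution's would instead refuse the submission, which is the stricter option. Either way the decision is made on parsed tokens, not on the raw string, which is what closes the unquoted-attribute and entity-encoding gaps.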

Powered by phpBB 2 © 2001, 2002 phpBB Group