|
|
Welcome to the Invelos forums. Please read the forum
rules before posting.
Read access to our public forums is open to everyone. To post messages, a free
registration is required.
If you have an Invelos account, sign in to post.
|
|
|
|
Invelos Forums->DVD Profiler: Desktop Technical Support |
Page:
1 Previous Next
|
DP Tags in HTML section lack encoding |
|
|
|
Author |
Message |
Registered: March 14, 2007 | Reputation: | Posts: 1,029 |
| Posted: December 11, 2008 11:03 AM | | | | I think I mentioned that a few times in the past, but since I recently had to deal with something similar in the form of an exploit, I think it is worth mentioning again:
When using DP tags in HTML sections, the data that replaces the DP tag in the generated skin is not HTML encoded, which can lead to bogus display in some cases.
It also means that you can use almost any data field to inject a script into the skin, although the larger ones, like Overview or Easter Eggs, are more suitable. This applies to all skins, including the Default Preview skin.
If I have used DP tags in my skins, I usually dealt with encoding problems by putting the DP tags into <TEXTAREA> blocks. But that's only fine for fixing encoding problems; it doesn't help against script injection.
For HEADER_VARS, encoding is not a problem as the skin has to deal programatically with the variables anyway. Script injection is still possible, though.
If you enter the following text in, for example, your overview:
<script>/* --> </textarea>*/</script><script> alert('gotcha');</script>
the script will always be executed, regardless whether the skin uses the simple <DP NAME="OVERVIEW"> tag, the same tag enclosed in a <TEXTAREA>, or the HEADER_VARS.
Before you start to panic:
I don't think malicious script injection is a real issue, I merely used it to illustrate my point about the lack of encoding.
The screeners and the voters will probably notice if someone submits script code for a data field. Then again, at least a filter for the Online DB to detect such stuff wouldn't hurt either. | | | Matthias |
| Registered: March 18, 2007 | Reputation: | Posts: 6,465 |
| Posted: December 11, 2008 12:12 PM | | | | I think this is an outstanding post, and I totally agree. I plan to put code into BulkEdit to disallow <script> tags in any non-personal text fields. This of course doesn't stop anybody from doing it manually, but at least I'll do my part to prevent a mass insertion.
Hmmm, I'm thinking I might also add an alarm if a <script> tag is detected during edit. Maybe that would be a good thing inside the PCP plugin or inside Database Query also???? | | | Thanks for your support. Free Plugins available here. Advanced plugins available here. Hey, new product!!! BDPFrog. | | | Last edited: December 11, 2008 12:17 PM by mediadogg |
| Registered: May 19, 2007 | Reputation: | Posts: 6,730 |
| Posted: December 11, 2008 12:34 PM | | | | Quoting mediadogg: Quote: Hmmm, I'm thinking I might also add an alarm if a <script> tag is detected during edit. Maybe that would be a good thing inside the PCP plugin or inside Database Query also???? Yes please! But the main task is for Ken to close this. Even though Matthias thinks that there's no need to panic (and I agree there), history shows that any security vulnerability gets abused sooner or later. Thanks Matthias | | | It all seems so stupid, it makes me want to give up! But why should I give up, when it all seems so stupid?
Registrant since 05/22/2003 |
| Registered: March 13, 2007 | Reputation: | Posts: 3,321 |
| Posted: December 11, 2008 5:31 PM | | | | Quoting mediadogg: Quote: Maybe that would be a good thing inside the PCP plugin or inside Database Query also???? I don't use DP tags or header variables in Database Query. But you could certainly use it to search for code in those fields already. | | | Get the CSVExport and Database Query plug-ins here. Create fake parent profiles to organize your collection. |
| Registered: March 13, 2007 | Posts: 2,759 |
| Posted: December 11, 2008 5:40 PM | | | | Quoting mediadogg: Quote: I think this is an outstanding post, and I totally agree. I plan to put code into BulkEdit to disallow <script> tags in any non-personal text fields. This of course doesn't stop anybody from doing it manually, but at least I'll do my part to prevent a mass insertion.
Hmmm, I'm thinking I might also add an alarm if a <script> tag is detected during edit. Maybe that would be a good thing inside the PCP plugin or inside Database Query also???? As long as the data is kept local only and is not contributed, I see no problem with script code in data fields. I can see useful applications of script code in your local database in many fields (e.g. someone could use the overview field for active content). I don't think that BulkEdit should prevent such code. The correct point for blocking active code in data fields would be the contribution system. |
| Registered: March 18, 2007 | Reputation: | Posts: 6,465 |
| Posted: December 11, 2008 8:29 PM | | | | Quoting RHo: Quote: I don't think that BulkEdit should prevent such code. The correct point for blocking active code in data fields would be the contribution system. I see your point. I'll think about it for awhile - maybe we'll get a response from Ken by then. I agree that the contribution system should have the trap. I just feel somewhat responsible to try and prevent my plugin from being a tool that could easily be abused. Edit: Followed by yet another good point. Damn, you're good! | | | Thanks for your support. Free Plugins available here. Advanced plugins available here. Hey, new product!!! BDPFrog. | | | Last edited: December 12, 2008 9:53 AM by mediadogg |
| Registered: March 13, 2007 | Posts: 2,759 |
| Posted: December 12, 2008 7:53 AM | | | | Quoting mediadogg: Quote: I just feel somewhat responsible to try and prevent my plugin from being a tool that could easily be abused. Every tool can be abused. But as long as the same data could have been entered manually into a profile, there is no reason why you should not be able to enter the same data with any other tool. | | | Last edited: December 12, 2008 7:55 AM by RHo |
| Registered: March 10, 2007 | Posts: 4,282 |
| Posted: December 12, 2008 1:15 PM | | | | During contribution evaluation, any HTML code like this should show as plain text and not execute. If you find a way to bypass that, please let me know. Suspicous contents are also flagged and highlighted for the Invelos evaluators.
Thusfar we haven't seen many instances of this, and those that we have seen appear to be intended for local use. Bear in mind that any script in the skin is unable to do malicious things like access system resources since the browser runs as untrusted. However, if we do run into someone intentionally inserting script that shouldn't be there, it will be a one-way ticket to permanent contribution ban. | | | Invelos Software, Inc. Representative |
| Registered: March 14, 2007 | Reputation: | Posts: 1,029 |
| Posted: December 12, 2008 2:13 PM | | | | Quoting Ken Cole: Quote: During contribution evaluation, any HTML code like this should show as plain text... Which was kinda my point. The simple DP tags should work the same way and create HTML-encoded text. Not only because of the script stuff, but because you can end up with bogus display, if the data field contains special characters like "<", ">" or "&". The only exceptions to HTML-encoding should be: - the Overview, where the bold/italic tags should pass through unencoded, if formatting is enabled. - the Notes, but only if use HTML for Notes is enabled. | | | Matthias |
| Registered: March 10, 2007 | Posts: 4,282 |
| Posted: December 12, 2008 2:15 PM | | | | We do not plan to encode the DP tags locally - if a user chooses to enter that type of data locally, they are free to do so. | | | Invelos Software, Inc. Representative |
|
|
Invelos Forums->DVD Profiler: Desktop Technical Support |
Page:
1 Previous Next
|
|
|
|
|
|
|
|
|