Remeber to always validate user input server-side, especially if you allow HTML in posts. I will use FCKeditor as an example of how false feelings of security might leave an application vulnerable.
I recently discovered a scary vulnerability on a site using FCKeditor. FCKeditor has this feature that lets you drag and drop an image into the edit field. That's neat, but it all the attributes in the image tag is copied. That means that if you drag-and-drop an image with, say the onmouseout attribute set, to the edit window you can easily inject any javascript code you want. I won't publish any example code here, cause that would only help the script kiddies.
FCKeditor generates XHTML snippets that are convinient to just publish on the forum, guestbook or whatever. I guess many people do. The problem is that the generated snippets are not safe.
Now, FCKeditor comes with server-side modules/scripts for various clients. I haven't scrutinized all of those scripts, but as far as I could tell at least many (if not all) of them lacked server-side validation functions. So the problem is not really FCKeditor, but the lack of server-side validation on many sites. FCKeditor just leverages the effort to inject code.
The lesson learned is nothing new, but it needs to be repeated:
Input validation must always be done at server-side. Don't trust the client to do that. It's easy to manipulate the data sent in by using plugins such as Tamper Data for FF. Using FCKeditors drag-and-drop functionality just leverages the problem.
Also, when you validate the HTML code, filter out all tags and attributes but those you trust. Don't build a filter based on filtering OUT tags you think are dangerous, because you will might forget some, and new tags and attributes being potential threats might be introduced in the future.
4/12/07
Subscribe to:
Posts (Atom)