From: Ulf Harnhammar <metaur@op...> - 2003-09-30 14:58:43

> Actually, the "proto9" test is legit since it's too long and fails
> maxlen. What I was concerned about was the javascript test which
> removed all the "javascript:" protocols, but still left the resulting
> Alert code.

Oh, that. Yes, I know. It removes offending protocols, and then you're left with the other stuff after the protocol.

Do you or anyone on kses-general (come on, don't be shy, I can see that there are some subscribers there) have any other ideas? What should kses convert <a href="javascript:alert('evil!')"> to, if javascript is not an allowed protocol?

I managed to get the 0.2.1 release announcement on Bugtraq, BTW:

http://lists.insecure.org/lists/bugtraq/2003/Sep/0514.html

// Ulf Harnhammar

--
OperaMail free e-mail - http://www.operamail.com
OperaMail Premium - 28MB, POP3, more! US$29.99/year
Powered by Outblaze
From: Ulf Harnhammar <metaur@op...> - 2003-09-29 20:22:41

kses 0.2.1 is out now! Here's an excerpt from the ChangeLog:

- There is now an additional version of kses, using the object-oriented paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it! Anyone who wants to make functional programming, logical programming or spaghetti programming versions of kses as well (or any other programming paradigm that you like), go ahead! All the people who like old procedural programming for web applications shouldn't despair, though, as both versions will be maintained with each release.
- kses now has some new attribute value checks: minlen, minval and valueless. See docs/attribute-value-checks for an explanation.
- For some reason, the Opera developers decided to make chr(173) a whitespace character in URL protocols, both when it occurs raw and in an entity. kses now handles this.
- The URL protocol whitelisting system now decodes entities before removing NULLs and whitespaces.

The 0.2.1 release is dedicated to Mischa the cat, BTW.

// Ulf Harnhammar
From: Ulf <Ulf.Harnhammar.9485@st...> - 2003-09-29 11:18:38

kses 0.2.1 is out now! Here's an excerpt from the ChangeLog:

- There is now an additional version of kses, using the object-oriented paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it! Anyone who wants to make functional programming, logical programming or spaghetti programming versions of kses as well (or any other programming paradigm that you like), go ahead! All the people who like old procedural programming for web applications shouldn't despair, though, as both versions will be maintained with each release.
- kses now has some new attribute value checks: minlen, minval and valueless. See docs/attribute-value-checks for an explanation.
- For some reason, the Opera developers decided to make chr(173) a whitespace character in URL protocols, both when it occurs raw and in an entity. kses now handles this.
- The URL protocol whitelisting system now decodes entities before removing NULLs and whitespaces.

The 0.2.1 release is dedicated to Mischa the cat, BTW.

--
Ulf Härnhammar, student, Uppsala Universitet

"Did you ever fall in love? / For a quarter of an hour or above?"
-- Ladytron, "Another Breakfast with You"

"Silence means security / Silence means approval"
-- R.E.M., "Begin the Begin"
From: Ulf Harnhammar <metaur@op...> - 2003-09-16 12:59:09

> Thank you for giving me some entertaining highlights of both programs
> ;-)

We're academics, which means it's called Peer Review and not Badmouthing..

// Ulf
From: Ulf Harnhammar <metaur@op...> - 2003-09-16 12:46:40

Hello guys!

> > phpfilter also doesn't have any attribute value checks
>
> Err... Hold on. What do you mean by this?

Apart from filtering what elements and attributes to use, kses also checks the values of attributes. It can currently check their length (to avoid Buffer Overflows in WWW clients and various Internet servers) or their integer values (to avoid Denial of Service attacks against WWW clients), but more things are planned.

> > or URL whitelisting.
>
> Or by this?

After seeing problems with different URL protocols like javascript:, about:, mocha: and so on, I decided that attribute values that are URLs should only be allowed to use the protocols given in a whitelist. You can configure it so that only http: and https: are allowed protocols in URLs, and then all the mocha: and similar stuff will be removed. It was a little hard to write because browsers accept entities (even bignum entities over 2**32), whitespace and so on in those protocols.

> > Its code is also harder to understand than the code of kses,
> > at least if you know regular expressions.
>
> That's a subjective judgement. :)

Yeah, you're right.

> Most testing is actually done online. I have a set of very dedicated
> rabid testers that are set on causing me herpes every now and again by
> coming up with some totally bizarre exploits. The only one I'm aware of
> at the moment and that only works in Opera is:
>
> <p style="background-image: url('j\61vascri\70t:alert()')">
>
> Fixing this one is tricky as Opera and Explorer handle backslash-escaped
> sequences differently.

Huh, weird! I'd say that the best way to fix these things is either to disallow all style elements and attributes, or try to write a whitelisting stylesheet function. I don't know stylesheets very well, so I don't know how hard that would be. Stylesheets seem to be another place where lots of strange XSS problems pop up, so if one wants to allow them, there should probably be a whitelisting approach to that as well.

> Me? Nevah. :) But if you have an online test version, I'd be glad to sic
> some of the rabid testers that besiege me on it.

I'm going to add one soon, so I'll mail you about it then. I would love to have some of those testers come up with evil things to try against kses.

// Ulf Harnhammar (kses guy)
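As an added illustration, written for this page and not taken from kses, of the order of operations the 0.2.1 ChangeLog describes and the entity/whitespace tricks Ulf mentions above: decode entities first, then strip NULLs, whitespace and chr(173), and only then compare the protocol against the whitelist. It assumes chr(173) corresponds to the soft hyphen U+00AD, and it answers the "what should kses convert it to" question by dropping the whole attribute rather than cutting the protocol off; both are my design choices, not kses's behaviour.

```python
"""URL protocol whitelisting for attribute values, in the spirit of the kses
0.2.1 ChangeLog (illustration for this page, not code from kses)."""
import html
import re
from typing import Optional

# Characters browsers skip inside a protocol name: NULL and ASCII
# whitespace/control bytes (0x00-0x20) plus the soft hyphen. Assumption:
# the chr(173) of the ChangeLog is the Latin-1 soft hyphen U+00AD.
_IGNORED = re.compile(r"[\x00-\x20\xad]")


def normalise(value: str) -> str:
    """Decode entities first (html.unescape tolerates missing semicolons and
    maps out-of-range 'bignum' entities to U+FFFD), then strip ignored chars."""
    return _IGNORED.sub("", html.unescape(value))


def extract_scheme(value: str) -> Optional[str]:
    """Lower-cased protocol of an already normalised URL, or None when the URL
    is relative (no ':' before the first '/', '?' or '#')."""
    idx = value.find(":")
    if idx == -1:
        return None
    head = value[:idx]
    if any(ch in head for ch in "/?#"):
        return None
    # No 'looks like a scheme' check on purpose: a protocol that does not parse
    # as one (e.g. starting with U+FFFD) is still matched against the whitelist
    # and therefore rejected instead of being treated as a relative URL.
    return head.lower()


def filter_url_attribute(value: str, allowed=("http", "https")) -> Optional[str]:
    """Return the attribute value unchanged when its protocol is whitelisted or
    the URL is relative; return None when the whole attribute must be dropped.
    Dropping the attribute avoids leaving 'alert(...)' behind as a bare value."""
    scheme = extract_scheme(normalise(value))
    if scheme is None or scheme in allowed:
        return value
    return None


if __name__ == "__main__":
    # Constructed sample attribute values, not taken from any real page.
    for sample in ["http://example.com/", "/local/page?x=a:b",
                   "javascript:alert('evil!')", "&#106;avascript:alert(1)",
                   "java\tscript:alert(1)", "jav&#173;ascript:alert(1)",
                   "&#4294967402;avascript:alert(1)", "mailto:someone@example.com"]:
        print(repr(sample), "->", filter_url_attribute(sample))
```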
From: Denis <bredelet@ma...> - 2003-09-16 12:37:24

Hello guys,

Thank you for giving me some entertaining highlights of both programs ;-)

I will try out kses and see if it fits my needs well. I expect the configuration to be quite easy since it does only whitelisting. It shouldn't be too hard to develop an online form like phpfilter's :-)

Cheers to all,
--
Denis.

On 15 Sep 2003, at 20:00, Konstantin Riabitsev wrote:

> On Mon, 2003-09-15 at 14:26, Ulf Harnhammar wrote:
>> Some negative points in phpfilter are that it's based on a mixture of
>> whitelisting and blacklisting, which to me is a mistake.
>
> Well, it's not really a mixture. It can do either whitelisting or
> blacklisting on elements, but not at the same time. It only does
> ...snip...
>> (CC-ing Konstantin, so he'll get the chance to talk shit about my
>> filter
>> as well..)
>
> Me? Nevah. :) But if you have an online test version, I'd be glad to
> sic
> some of the rabid testers that besiege me on it. PHPFilter was written
> specifically for SquirrelMail, so I was orienting at the set of
> requirements in it firstly. It is possible that yours is more
> strict/generic.
>
> Regards,
> --
> Konstantin Riabitsev <icon@...>
> Linux@...
From: Konstantin Riabitsev <icon@li...> - 2003-09-15 19:02:10

On Mon, 2003-09-15 at 14:26, Ulf Harnhammar wrote:
> Some negative points in phpfilter are that it's based on a mixture of
> whitelisting and blacklisting, which to me is a mistake.

Well, it's not really a mixture. It can do either whitelisting or blacklisting on elements, but not at the same time. It only does blacklisting on attributes, but I'm investigating whether it's prudent to add whitelisting on them as well. Most problem reports I receive are not on the elements or attributes, but on attribute values.

> It's too easy
> to forget something that should be blacklisted, and as soon as the
> browser makers add a new element or attribute that is a security
> problem, everyone is vulnerable until they update their
> configurations. With whitelisting this only happens if they change an
> existing element or attribute to be a security problem, which may not
> happen as often.

Very true. I've always said that it's impossible to write a successful lasting black-list, and my current set of rules is a good indication, as I constantly have to rework it after receiving bug reports. PHPfilter can easily do whitelisting, too, both on tags and attributes.

> phpfilter also doesn't have any attribute value checks

Err... Hold on. What do you mean by this?

> or URL whitelisting.

Or by this?

> Its code is also harder to understand than the code of kses,
> at least if you know regular expressions.

That's a subjective judgement. :)

> phpfilter probably has been tested more than kses, because it's used in
> the very popular web mail program Squirrelmail, where it probably has been
> used to filter all kinds of weird documents.

Most testing is actually done online. I have a set of very dedicated rabid testers that are set on causing me herpes every now and again by coming up with some totally bizarre exploits. The only one I'm aware of at the moment and that only works in Opera is:

<p style="background-image: url('j\61vascri\70t:alert()')">

Fixing this one is tricky as Opera and Explorer handle backslash-escaped sequences differently. Limiting attribute length is planned -- it's a relatively new thing.

> (CC-ing Konstantin, so he'll get the chance to talk shit about my filter
> as well..)

Me? Nevah. :) But if you have an online test version, I'd be glad to sic some of the rabid testers that besiege me on it. PHPFilter was written specifically for SquirrelMail, so I was orienting at the set of requirements in it firstly. It is possible that yours is more strict/generic.

Regards,
--
Konstantin Riabitsev <icon@...>
Linux@...
From: Ulf Harnhammar <metaur@op...> - 2003-09-15 18:28:01

Hello again!

> Sunday 14 September 2003, at 12:47 pm, Ulf Harnhammar wrote:

(My God!)

> Yes the SquirrelMail one, at http://www.mricon.com/html/phpfilter.html

All three stand-alone filters that I've seen (phpfilter, HTML::StripScripts and kses) are serious attempts. Any of them will filter HTML code well, unlike for example the HTML filter in PHP-Nuke which only does a part of the job.

Some negative points in phpfilter are that it's based on a mixture of whitelisting and blacklisting, which to me is a mistake. It's too easy to forget something that should be blacklisted, and as soon as the browser makers add a new element or attribute that is a security problem, everyone is vulnerable until they update their configurations. With whitelisting this only happens if they change an existing element or attribute to be a security problem, which may not happen as often. phpfilter also doesn't have any attribute value checks or URL whitelisting. Its code is also harder to understand than the code of kses, at least if you know regular expressions.

phpfilter probably has been tested more than kses, because it's used in the very popular web mail program Squirrelmail, where it probably has been used to filter all kinds of weird documents.

The choice is up to you, really.

(CC-ing Konstantin, so he'll get the chance to talk shit about my filter as well..)

// Ulf Harnhammar (kses guy)
http://sourceforge.net/projects/kses
From: Denis <bredelet@ma...> - 2003-09-14 17:34:38

Hi Ulf

Sunday 14 September 2003, at 12:47 pm, Ulf Harnhammar wrote:

> Hello Denis!
>
>> I would like to display text entered in a form on an HTML page, so I
>> will need to filter it.
>> How does kses compare with phpfilter in this task?
>
> What is phpfilter - the filter from Squirrelmail by Konstantin R., or
> some other filter? Give me a URL.

Yes the SquirrelMail one, at http://www.mricon.com/html/phpfilter.html

It looks quite similar to kses to me.

>> What source do you
>> use to know about HTML vulnerabilities?
>
> The mailing lists Bugtraq and Webappsec over at Securityfocus.com tend
> to talk a lot about security problems in web applications. The OWASP
> Guide at http://www.owasp.org/ is also a really good source of
> information.
>
> I don't think anyone has put together one list with secure and
> insecure HTML elements and attributes yet, but I suppose I will write
> one for some future kses version. (Tell the people that arrange clubs
> in Uppsala to stop doing it so well, with nice live bands, DJs and
> cute girls, and then I'll get more time for kses..)

But less time for kisses :-)

Nice depiction of your place.

Cheers,
--
Denis.

> // Ulf Harnhammar (kses guy)
From: Ulf Harnhammar <metaur@op...> - 2003-09-14 11:49:05

Hello Denis!

> I would like to display text entered in a form on an HTML page, so I
> will need to filter it.
> How does kses compare with phpfilter in this task?

What is phpfilter - the filter from Squirrelmail by Konstantin R., or some other filter? Give me a URL.

> What source do you
> use to know about HTML vulnerabilities?

The mailing lists Bugtraq and Webappsec over at Securityfocus.com tend to talk a lot about security problems in web applications. The OWASP Guide at http://www.owasp.org/ is also a really good source of information.

I don't think anyone has put together one list with secure and insecure HTML elements and attributes yet, but I suppose I will write one for some future kses version. (Tell the people that arrange clubs in Uppsala to stop doing it so well, with nice live bands, DJs and cute girls, and then I'll get more time for kses..)

// Ulf Harnhammar (kses guy)
From: Denis <bredelet@ma...> - 2003-09-13 17:44:58

Hi,

I would like to display text entered in a form on an HTML page, so I will need to filter it. How does kses compare with phpfilter in this task? What source do you use to know about HTML vulnerabilities?

Thanks,
--
Denis.
From: Ulf Harnhammar <metaur@op...> - 2003-09-13 12:51:06

Hello Jamie!

> First of all, thanks very much for your excellent kses php class. It
> works very fast, and nicely. I became aware of it through lwn.net
> several weeks ago.

You're welcome! ;) It's nice to have users.

> I've managed to reduce my problem to: tags that contain a colon ":" make
> that attribute get removed, so that the HTML

Yeah, um, the whitelisting of URL protocols may cause some problems here. Try switching that off by just returning from whatever that function was called, instead of whitelisting any URL protocols.

> It seems that line 230 or so of kses.php (v 0.2) is where the issue lies?
> if (preg_match('/^"([^"]*)"(\s+|$)/', $attr, $match))
> But the regex is too complex for me to understand... I may be wrong
> about this...

It says that the string should begin with a quote ("), then have zero or more characters that aren't quotes, then one more quote, and then whitespace (\s) or end of string ($). Thus, I don't think it has anything to do with your problem.

BTW style tags and attributes are a security problem. At least Internet Explorer allows some weird evaluation construct in stylesheets that causes JavaScript code to execute.

I'm sorry that this reply was a little messy, but I'm in a bit of a hurry. Please write again if you have any further problems.

// Ulf Harnhammar (kses guy)