Missed case in externalinput.php resulting in viable XSS attacks – fix available

About 3 weeks ago I got contacted by Will Drewry from the oCERT Team about a possible XSS attack vector in the popoon externalinput class, which was discovered by Alexios Fakos. It exploited a browser behaviour (again a stupid one): browsers treat a “/” like a space, so something like <body/onload=alert(/hello/)> was not cleaned up… The actual fix was quite easy and a no-brainer. But as I always said that externalinput.php alone should not be used as your only line of defense, I went for a more thorough solution.

Many issues with cleaning XSS attacks come from the fact that browsers accept a lot of really f***ed up markup like the example above. Therefore, before actually trying to clean unwanted stuff away, one should first make well-formed HTML out of the input. Tidy does that job pretty well, and the loadHTML method of PHP’s DomDocument class also produces well-formed XHTML as output. That’s what I always told people to do and that’s what we have always done in Flux CMS. That’s why Flux CMS is not affected by this exploit at all – one of the advantages of XML based CMS systems.

To enforce that approach more strongly, I wrote a new class called lx_externalinput_clean, which uses the same regexes but by default first filters the input with tidy; if that’s not available, with DomDocument->loadHTML; and if even that is not available, it does a strip_tags(), just to be sure. This can be overridden, so that if you already do that cleaning before, you don’t have to do it again. I hope this helps people who just blindly copy code :)

Having said that, the class still tries to clean many nasty things without first having to tidy up the HTML to get proper markup (and the above attack is also handled without tidy et al.). But there are most certainly more attacks possible which come from WTF-a-browser-does-parse-that? markup, and using those tools should get rid of them once and for all. You have been warned, if you don’t use them.
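The layered approach described above, as an added example in PHP that is not the popoon or lx_externalinput_clean code: the untrusted markup is first normalized (tidy, then DomDocument->loadHTML, then strip_tags() as the last resort), and only then are event-handler attributes removed by walking the resulting DOM rather than by regex over the raw string. The function names, the tidy options and the sample input are my own choices; how the normalizer rewrites <body/onload=...> depends on the tidy and libxml2 version in use, which is exactly why the attribute removal runs on the normalized tree and not on the original text.

```php
<?php
// Added example, not code from the popoon project. Function names are hypothetical.

// Step 1: turn whatever the browser would have accepted into well-formed markup.
function normalize_markup(string $html): string
{
    if (trim($html) === '') {
        return '';
    }
    // Preferred: tidy, if the extension is loaded.
    if (extension_loaded('tidy')) {
        $fixed = tidy_repair_string($html, [
            'show-body-only' => true,
            'output-xhtml'   => true,
            'wrap'           => 0,
        ], 'utf8');
        if ($fixed !== false) {
            return $fixed;
        }
    }
    // Fallback: libxml2's HTML parser via DOMDocument::loadHTML
    // (input without a charset meta tag is read as ISO-8859-1 by libxml2).
    if (class_exists('DOMDocument')) {
        $prev = libxml_use_internal_errors(true);
        $doc  = new DOMDocument();
        $ok   = $doc->loadHTML($html);
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
        if ($ok) {
            return $doc->saveHTML();
        }
    }
    // Last resort: no tags at all, so no attributes and no scripts either.
    return strip_tags($html);
}

// Step 2: on the normalized markup, drop every on* attribute and every <script>.
// Working on the parsed tree means "/" vs. " " inside a tag no longer matters.
function remove_event_handlers(string $html): string
{
    if (trim($html) === '') {
        return '';
    }
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);

    // Collect first, then modify: do not remove nodes while iterating a node list.
    $attrs = iterator_to_array($xpath->query('//@*'));
    foreach ($attrs as $attr) {
        // Attribute names are case-insensitive in HTML, so compare with stripos.
        if (stripos($attr->nodeName, 'on') === 0) {
            $attr->ownerElement->removeAttribute($attr->nodeName);
        }
    }
    $scripts = iterator_to_array($xpath->query('//script'));
    foreach ($scripts as $script) {
        $script->parentNode->removeChild($script);
    }
    return $doc->saveHTML();
}

// $already_normalized lets a caller that tidied the input earlier skip step 1,
// mirroring the override mentioned in the post.
function clean_external_input(string $html, bool $already_normalized = false): string
{
    $markup = $already_normalized ? $html : normalize_markup($html);
    return remove_event_handlers($markup);
}

// Constructed sample input containing the slash-separated handler from the advisory.
$sample = '<p>hello</p><body/onload=alert(/hello/)><img src="x" ONERROR="alert(1)">';
echo clean_external_input($sample), "\n";
```

Whatever the normalizer makes of the slash (some versions discard the bogus attribute, newer HTML5-style tokenizers keep it as a real onload attribute), the second pass sees a proper DOM attribute or nothing at all, so no regex has to anticipate the separator a browser happens to accept. The uppercase ONERROR in the sample shows why the attribute check must be case-insensitive.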

Thanks a lot to the oCERT team for giving me this much time ahead to fix it and for informing in advance a lot of other projects which are apparently using my code.

The full advisory can be found at http://www.ocert.org/advisories/ocert-2008-012.html


Popoon Success Story

From the popoon-dev mailinglist:

I’m excited because we just switched over our whole site to popoon; once we get these changes resolved we’ll be back in business without Tomcat (which makes our IT department very happy).



Making PDFs with XSLTAL and FOP

Jeremias Märki sent me some example files for doing PDFs with the help of XSL:FO, Apache FOP (besides some patches to the tal2xslt.xsl template) and XSLTAL. This shows that XSLTAL is not only useful for doing HTML pages, but also for making PDFs. If you look at the tal template he made, you can see that this is a fully valid XSL:FO document. You can even transform it with FOP and of course edit it with your preferred XSL:FO editor. But if you throw XSLTAL and this ticket.xml in between, you get nice little tickets with your content. Cool stuff and thanks a lot.

See our Subversion repo at http://svn.bitflux.ch/repos/public/misc/xsltal-fo/ for all the files and a tar archive for all of them.


XSLTAL additions

At ApacheCon, someone asked me if one could output “escaped” html text with XSLTAL, like with disable-output-escaping=”yes” in standard XSLT. It was actually not possible, but it is now. Just use “text-escaped” instead of “text” in your TALES and it will add the needed attribute. The updated tal2xslt.xsl can be found here.

Furthermore, during the presentation I couldn’t answer whether XSLTAL can handle namespaces. I just hadn’t tested that, but I didn’t see a problem with it. And indeed, as long as you define the namespace in the XSLTAL template and in the content document, it works fine. At least with libxslt; other XSLT processors may behave differently, as I’m not sure what the specs say should happen with unused namespace definitions in input documents (the namespace is not really used in the XSLTAL template, it only appears in the TALES instructions).


“XSLTAL – Instant XSLT for everyone” – Slides online

My talk about XSLTAL is over. The slides are now also available.

Bertrand did a very nice introduction to my talk and Jeremias taught the audience how to say “chregu” :)

The talk itself was hopefully interesting; XSLTAL will be useful for some, or it was at least an inspiration for some common problems. The feedback I got was certainly positive and it seems that a lot of XSLT people have the problem that XSLT is not that easy for non-programmers. Bertrand took some notes during my talk and put them on his blog; they are a good addition to the slides. More information about XSLTAL is also on our wiki.

Bertrand also announced the immediate availability of XSLTAL in Cocoon 2.1.x. Cool, even more people can now use XSLTAL very easily.

It would be great if XSLTAL is useful for some people and gets used in other real-life projects. Feedback and additions are of course always welcome and I’m really looking forward to seeing what comes out of the Cocoon community and to working with them on that little project.


XSLTAL gets Cocoon support

Just talked with Bertrand; he will be trying to implement XSLTAL in Cocoon by tomorrow, when my talk is. Cool. And I’m currently working on some more decent examples than I had before. The Forrest people also mentioned that they will show up at my talk. Could get interesting and I’m looking forward to it. Slides will be available after my talk.


gzip compression and more on ‘blog clog’

I have now integrated gzip compression into Popoon and therefore into all our blogs and CMS installations which use the caching module of Popoon. This should approximately halve the bandwidth needed by, for example, Planet PHP. Even if Planet PHP isn’t using that much bandwidth currently, if it continues to grow at the same rate, we had better implement all those bandwidth saving features now. The next thing would be the RFC3229 + “feed” method, but that won’t happen very soon ;) And for those wondering, Planet PHP currently peaks at 3100 visitors per day.

This brings me of course to my favorite subject lately: RSS scalability and why RSS – as we know it – is flawed… Bob Wyman of PubSub.com wrote an interesting article about that topic (some months ago…). IMHO, if there isn’t soon a widely supported new way of *pushing* RSS feeds, instead of constantly pulling them, some of the big content providers will cut down their RSS feeds in such a way that they are of limited use. Today a very small percentage of web users is using RSS, but some big sites are already fighting the problems associated with it. Imagine if RSS polling becomes as widely used as email or IM or whatnot…


Added METAL support to (XSL)TAL

METAL is the ZPT/TAL way of replacing parts of your template with parts from other templates, for example for footers and headers. I implemented basic support for that in our tal2xslt template. metal:fill-slot and metal:define-slot are still missing, but should be doable.

See the Wiki for a simple example.


Further improvements on (XSL)TAL

Today I worked again a little bit on (XSL)TAL, a replacement for XSLT for simple needs (maybe also for powerful stuff; I never really used TAL for something more than a simple website). I updated the Wiki page, added some examples using the one Bertrand used in his proposal for an attribute based template language, and last but not least, I wrote a mail about it to the cocoon-dev mailing list. Let’s see what they think about it ;) But I have the impression they don’t like TAL for some reason. They do like the attribute based approach, just not TAL itself. Not Invented Here syndrome? Or is it really not as simple as it could be? /me can’t judge at the moment.

I also added two new attributes. tal:match adds a simple replacement mechanism like xsl:template matchers within TAL, and with tal:include you can include external XSLT stylesheets for greater flexibility (e.g. defining xsl:templates in a central place or writing more complex stuff). See the wiki page mentioned above for a little bit more info.


Alternative template languages for Popoon/Cocoon

There have been different discussions going on for quite some time on the cocoon-dev mailing list about “Attribute Based Templates” or simpler templating engines in general.

Bertrand Delacretaz has now set up a wiki page about one proposal by Conal Tuohy. The thread about this can be found here.

It’s a similar approach to the one we took with our TAL implementation in Popoon, mainly just another syntax.

If I find some time, I’ll take a closer look into that proposal and see if we can join efforts and come up with something really good and useful for all of us.