html a security risk?


hearts
02-24-1999, 04:08 PM
would someone please be kind enough to explain why allowing the use of html in things such as a guestbook.. or whatever.. is a security risk?

I kinda get bummed out when I cannot use html in some things. BUT ... I don't understand HOW this is a security risk? *concerned*

Deb
02-24-1999, 04:25 PM
hmmm I'm going to give this a shot with NOTHING technical but just talking in easy to understand logic.... I'll leave it to those that feel up to getting techy for that side of it if they like :)

Consider the fact that you are running a script... and think about the permissions this script has...if it's allowed to write to a file on the server... then the potential is there to allow whatever the visitor types in to be written... trust me there are some malicious things a visitor can think of to put in these lil text boxes ;)

Even with simple things that aren't so much a security problem but annoying nonetheless... I can't tell you how many guestbooks I've come across that are allowing the HTML where I find that someone put a META REFRESH tag in their message causing the entire page to reload every 1 sec.. making the book virtually impossible to post to or read...

Another example is shown with Matt's WWWBoard... if someone forgets to close a tag... (H1 for example) then every message under that one is left with that tag... leaving the text huge or purple or whatever and making the forum 'messy'. Or if too many people are leaving images in a guestbook or a message forum the page can become impossible to load up.... Some are known to leave an image that is over a meg in size just to cause a problem....

The above does not touch security but are enough to make someone think twice before allowing HTML. Now when you are running the scripts via SHTML the risks become that much higher... and some serious hacks can occur. Unless you know you have closed the holes I would not allow HTML code to be posted to SHTML pages....

How many times have you seen them post code in these forums alone that make your head spin? Now imagine if that code was malicious and allowed to be written to your account -- ouch....

The most common problem we find is people installing CGI scripts that allow you to define commands within the url ... http://www.didnotthink.com/cgi-bin/whatever?command=this
Leaving the script open enough for the visitor to change the "this" to any number of things including making the script email them a password file or something of that nature. Remember that your scripts are running as YOU the owner.. so anything you are allowed to do with your site.. they are allowed to do unless you are positive you have put all the locks in place.

When I think about it -- tis almost scary (pathetic?) how many of us will grab a script off of the net from an unknown source and install it w/o any real knowledge of what it does :( At the same time -- I find it totally awesome how many of us can grab a great script freely from an unknown source and it works just like it should :)

Deb

khayu
02-25-1999, 12:06 AM
> When I think about it -- tis almost scary (pathetic?) how many of us will grab a script off of the net from an unknown source and install it w/o any real knowledge of what it does

I once installed a script of about 15-20K, and only after completing it did I look at the source file and see that it had a nice little subroutine that emailed the script owner every time someone ran the initial setup screen. The fact that I installed it without really knowing the extra things it does shocked me, and scared me.

For all I know, it could have given the command to delete everything...

Anyway, I'm on CIHOST.COM, does anyone know if they are a reseller or if they actually own the servers they are selling space on?

And how is FutureQuest's performance? And are they also resellers? I see that this seems to be a closely knit community with fast response times from FQ folks (the owners?). This kind of hosting deal may be what I need. I hate calling CIHOST's support because, as I suspect, the support technician says I'm hosted through host4u.net. And according to him, host4u.net is a reseller, so then what does CIHOST become? A reseller for a reseller?

Khayu

Deb
02-25-1999, 12:18 AM
I agree it is important to try and read over the scripts before installing them... even without much knowledge of the language, if you know what it is supposed to do, you can pretty much guess at which sections accomplish it... if there is a section that just doesn't seem to fit into the scheme of things --- question it! --

As far as CIhost it's not really my place to say either way about them.... you may want to ask questions at host directories, in regards to other hosts, as these places are more appropriate. Some places you may want to check out would be:
http://www.hostinvestigator.com , http://www.hostsearch.com , http://www.ispcheck.com , and http://www.webhostdir.com .

FutureQuest is not a reseller as noted in our FAQ at http://www.FutureQuest.net/FAQ.php . Sometimes I think it would be easier if we were... then we wouldn't be responsible for the hardware <grin> but at the same time we would be stuck with whatever 'canned solutions' whomever we resold for provided and not be able to expand on our own.

Yes Andrew (aka Terra) and myself are the owners ;) The community here is top notch!! The site owners that participate on these forums are awesome!!! We try to encourage the group to learn new things and get out of the 'canned scripts' so that they can create things with the results they need specifically for their own sites. So far, from what I've watched on these forums, it's working :) We've all managed to help each other out in various areas and improve all the way around.

I hope this helps answer some of your questions

Deb

hearts
02-25-1999, 12:34 AM
I see that this seems to be a closely knit community

WRONG

we are more like family here. :D

Justin
02-25-1999, 05:21 AM
Imagine this:

<!--#include virtual="/robots.txt" -->

That would give paths and filenames to stuff you don't want people to see...

<!--#exec blah...

You could execute commands. This is only if SSI's are allowed on your guestbook page, which a lot are. Even worse, if it's a php page, imagine this:

<? unlink(index.html) ?>

Oops - just deleted your home page...

And most people use shtml for their guestbook, etc, if they use it elsewhere on their site, to keep the common look.

Even the UBB isn't perfect (unless you modify it).
                   see? All the spaces? hehe - it doesn't filter out &'s. SO you can type &nbsp; and get a non breaking space...

Oh, and of course, imagine this in your guestbook:

http://some.porno.site/nude_pics/really_huge_nasty_picture.jpg

:)

<edit>Oops - I put nbps instead of nbsp - hehe</edit>

------------------
Justin Nelson, SFE Inc.
www.vdj.net (http://www.vdj.net)

[This message has been edited by Justin (edited 02-25-99).]

Stephen
02-25-1999, 01:27 PM
Since we're on the subject of filtering HTML from user's form inputs, maybe one or two people could discuss how they go about it.

Here's what I do on my UBB (mine's a customized version of the freeware), and I got this from the Perl Cookbook. Say I have a string $Text that I've just plucked from the user's submitted message form. The following piece of code will strip out all the HTML tags but leave in innocuous things (like equations of the form a << b) involving the < and > symbols.

use HTML::Parse;
use HTML::FormatText;

$Text = HTML::FormatText->new->format(parse_html($Text));


Now, this is much better than the method used in my freeware version, which was something like "delete everything between a < symbol and its matching >". However, there are a couple of odd things which happen using HTML::FormatText. One is that the string you get back has extra whitespace characters (even newlines) in odd places. Another is that on the FQ server (mine at least) the last word in $Text gets eaten (so I add one to the string before sending it through FormatText). I can also easily correct for the spurious addition of whitespace by doing this:

@words = split(/\s+/,$Text);
$Text = join(' ', @words); # glue with single space


This should do it, but for some reason I don't understand, trailing whitespace seems to leak through so I do this for a final clean up:

$Text =~ s/^[\s]+//; # remove any leading whitespace

$Text =~ s/([\s]+)$//; # remove any trailing whitespace

All in all, for the added security it affords you, doing something like this is well worth the effort. And it's pretty straightforward.

On the other hand, I noticed today (after testing in response to Justin's post) that FormatText doesn't seem to remove expressions of the form: <? command ?>. Although I know zilch about php, this would seem to indicate that I should be thinking about updating to a better HTML parser. Also, I seem to remember reading somewhere that HTML::Parse IS getting old.

So, are there better ways of parsing that others can elaborate on?

Justin
02-25-1999, 01:57 PM
Try this:

$Text =~ s/&/&amp;/g;   # ampersands first, or the entities below get re-escaped
$Text =~ s/</&lt;/g;
$Text =~ s/>/&gt;/g;

That turns all <'s and >'s into the HTML character codes for them, as well as the ampersands. This will prevent any HTML from entering the post - the browser renders it just as it was typed (not so easy here :))

You can check out mine - I did this there. Just make sure you strip ampersands BEFORE doing the other code. I put it in the UBBCode sub, before it applies the UBB code conversion.

http://www.vdj.net/ubb/Forum1/HTML/000003.html

That's where I did all my test posts when I did the mods.


------------------
Justin Nelson, SFE Inc.
http://www.vdj.net

meikel
02-25-1999, 06:18 PM
Hi,

why do you strip ampersands?
I love to use nbsp to indent my name in the signature with 2 spaces.
Is there any problem with & in HTML I don't know? Any security leak?

Greetings from Bonn, Germany
  Meikel Weber
www.meikel.com (http://www.meikel.com)

Justin
02-25-1999, 06:45 PM
It makes it easier to offer code samples and stuff if you convert them. Besides, on my UBB you can use all the spaces in a row you want. It converts any occurrence (sp?) of more than one space into nbsp's. Everything comes out exactly as you type it.

Except for :)'s. I also have the copyright symbol. If you type (c) it comes out &copy;.


------------------
Justin Nelson, SFE Inc.
http://www.vdj.net

meikel
02-26-1999, 12:17 AM
Well... let's test .... there was a UBB version running here a short time that did not accept multiple spaces.
That's why I'm using nbsps.

Greetings from someone testing around
Meikel Weber

meikel
02-26-1999, 12:19 AM
Just see my reply above. There were many many spaces in it and between the words.
Nothing came over, so I have to use nbsp

Greetings
  Meikel

Justin
02-26-1999, 12:34 AM
Meikel,

I was referring to my UBB, not this one. It's a hack I added to mine (free version).

:)


------------------
Justin Nelson, SFE Inc.
http://www.vdj.net

boowilliams
07-06-2000, 03:23 AM
C I Host has terrible, terrible networking and service!!  But they'll keep taking over the industry with their "500 MB" or "1 GB" web space specials (for newbie weenies impressed by that sort of thing) and low prices.

Their big weapon is bombarding every web hosting directory with an incredible amount of advertising.  I see they're already on the new ones, even Big Hosts ( http://www.bighosts.com ).

sK
07-06-2000, 10:45 PM
Heh.  I just took a look at bighosts.com, clicked on the first article, http://www.bighosts.com/big-big-big/articles/2000/8/ where it says "Windows 2000 is considered the fastest OS".  Didn't need to stay at that site much longer after reading that. :P

nerdjam
07-30-2000, 02:43 AM
Technically, the site is correct.  NT was shown to be twice as fast as Linux by PC Magazine's independent labs.  I get the impression "Big Hosts" knows what they are talking about.