Fork me on GitHub
Current releases are 2.1.3 (9 Sept 2014) and 2.0.18.13 (5 Aug 2014)

Ready for 2.1? Find out if your favorite plugins are compatible. The 2.0 branch will no longer receive updates after Dec 2014.

Major HTMLawed Security Issues

edited December 2011 in Vanilla 2.0 Help
HTMLawed is used by Vanilla to sanitize HTML, however, that is NOT what it is intended for. HTMLawed is only designed to be used to ensure valid HTML. HTMLawed fails to sanitize against a number of major attack vectors, especially in the style attribute, which can be used for click-jacking, phishing, web-page overlays, defacement, and more.

This is mentioned at http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.5

For example, the following snippet can be used to display a div outside the post area:
<div style="width: 100px; height: 100px; position: absolute; bottom: 0; right: 0; background: red; opacity: 0.5; z-index: 10000;">this is a security test</div>
A slight alteration could be used to exploit users via a clickjacking type attack:
<a href="http://attack.example.com"; style="display: block; width: 100000px; height: 10000px; position: absolute; top: 0; left: 0; opacity: 0.0; z-index: 10000;">this is a security test</a>
You can test either of the above non-persistently by copying into a reply and clicking preview.

I strongly recommend returning to something intended for security, such as HTML Purifier. Alternately, it is supposedly possible to write your own filter to sanitize the style attribute yourself. If abandoning HTMLawed is not an option, it might be ideal to lock down all styles except those used for basic text formatting.
Tagged:
x00
«1

Comments

«1
Sign In or Register to comment.