[CentOS] XSS (was Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....)
Michael A. Peters
mpeters at mac.com
Thu Jun 4 03:29:36 UTC 2009
Bob Hoffman wrote:
> Since each install uses the same pages basically, it is easy for a
> to find them all and zero day your forums, xss your whatever, and so on.
> Dang scary to leave JS on at all....even though you basically have to.
Mozilla is beginning to address this issue with Content Security Policy.
CSP will require proactive webmasters who use it and browsers that
enforce it on the client side, but it's a step in the right direction.
I wrote a php class that partially implements CSP server side as an
It's DOMDocument based and thus requires the PHP XML stuff. I've only
tested it under PHP 5.2.9, but it should work in 5.x.
The class does have some limitations. Namely, the document must be fully
constructed and sent through the class before any of it is sent to the
browser, so web apps that do a lot of echo() and print() have to be
re-written to not send anything until the page is fully constructed.
I've also found it has performance issues on complex pages with a lot of
nodes, so for those kinds of pages I just create the page with the
dynamic content first, send it through the filter, then create the nodes
for static content I know is clean and use DOMDocument facilities to add
those nodes before outputting the page to the client.
It's not possible to completely implement CSP server side, but the class
will catch most violations of a CSP policy and thus give some protection
to users who are not running a CSP aware web browser.
Another gotcha with the class: it seems importHTML() is not mb safe, so
if you use importHTML() to get the document into a DOMDocument object for
filtering and the document contains any multi-byte characters, it seems
libxml2 will encode them, and there seems to be no way to stop it from
doing that (at least with the PHP wrapper to libxml2). However, if the
document to be filtered is XHTML, you can use importXML() on it and libxml2
does the right thing in leaving the mb characters alone. Once filtered,
you can use saveHTML() to produce HTML instead of XHTML for browser
compatibility; it seems saveHTML() is mb safe.
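The workflow described above (build the whole page, run it through a DOMDocument filter, then serialize with saveHTML()) as an added example; this is not the class from the post. It assumes XHTML input with a UTF-8 meta tag, a constructed sample page, and a hypothetical $allowedScriptHosts list standing in for a CSP script-src policy.

```php
<?php
// Added example (not the class from the post): a minimal server-side filter that
// enforces a CSP-like "no inline script" policy with DOMDocument.
// Assumptions: the page is XHTML (so DOMDocument::loadXML() is used and keeps
// multi-byte text intact), it carries a UTF-8 meta tag so saveHTML() emits UTF-8,
// and $allowedScriptHosts lists the hosts external scripts may be loaded from.
function cspFilter(string $xhtml, array $allowedScriptHosts): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $prev = libxml_use_internal_errors(true);     // keep parse warnings out of output
    $doc->loadXML($xhtml);
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('x', 'http://www.w3.org/1999/xhtml');

    // Inline <script> bodies are dropped; external scripts must come from an
    // allowed host (the server-side analogue of CSP's script-src directive).
    foreach (iterator_to_array($xpath->query('//x:script')) as $script) {
        $src  = $script->getAttribute('src');
        $host = $src === '' ? '' : (string) parse_url($src, PHP_URL_HOST);
        if ($src === '' || !in_array($host, $allowedScriptHosts, true)) {
            $script->parentNode->removeChild($script);
        }
    }

    // Inline event handlers (onclick, onload, ...) and javascript: URLs are
    // script too, so they are removed as well. This is a simple prefix check:
    // a backstop for non-CSP browsers, not a substitute for CSP itself.
    foreach (iterator_to_array($xpath->query('//@*')) as $attr) {
        $name  = strtolower($attr->nodeName);
        $value = strtolower(trim($attr->nodeValue));
        if (strpos($name, 'on') === 0 || strpos($value, 'javascript:') === 0) {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }

    // Serialize as HTML for browser compatibility; UTF-8 is preserved because
    // the document declares its charset in a <meta> tag.
    return $doc->saveHTML();
}

// Constructed sample page (not from the post); "café" exercises multi-byte text.
$page = '<html xmlns="http://www.w3.org/1999/xhtml"><head>'
      . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />'
      . '<script src="http://cdn.example.com/app.js"></script>'
      . '<script>inlineCode();</script></head>'
      . '<body><a href="javascript:run()" onclick="run()">café</a></body></html>';
echo cspFilter($page, ['cdn.example.com']);
```

The output keeps the cdn.example.com script and the accented text, and drops the inline script, the onclick attribute and the javascript: href. Relative script paths have no host and are removed too, so add your own host to the allowed list if you serve scripts locally.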