Posted to users@httpd.apache.org by antoine <an...@gmail.com> on 2009/10/28 17:38:15 UTC

[users@httpd] Apache2 add module help !

Hello,

Consider that I have an HTML, JavaScript, PHP site.

My goal is to somehow modify the HTML and JavaScript code before the PHP
module does its stuff.
It is part of a JavaScript injection defense system. So I want to mark
benign JavaScript before the PHP module adds bad JavaScript code.

I first thought that an output filter is the solution, but I suppose that
in the phase of the output filter the chunks of data will already have
been produced after PHP code generation (is that right)? So the attack
is done and I will mark that bad JavaScript injection code as benign.

Is there a way to cope with this by adding a module filter to Apache
without modifying the PHP module code?

Thanks.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache2 add module help !

Posted by Nick Kew <ni...@webthing.com>.
antoine wrote:

> Thank you guys for your propositions, but don't focus on the security model.
> In general, if I use an input filter can I modify the page's static HTML
> code before any dynamic code is inserted?

If you run PHP as a filter, you could insert another filter in front
of it.

Otherwise, no chance.  PHP reads its input straight from your disc.
Any filtering would have to be within the PHP.

-- 
Nick Kew



Re: [users@httpd] Apache2 add module help !

Posted by antoine <an...@gmail.com>.
Nick Kew wrote:
> Morten K. Poulsen wrote:
>> On Wed, 2009-10-28 at 19:06 +0200, antoine wrote:
>>> Consider that we have an HTML form and a PHP script that handles the
>>> posted data.
>>> The scenario is that the bad guy writes in the form, for example,
>>> "<script> ... bad javascript code </script>" and posts this, so when the
>>> client gets the page we have an attack.
>>
>> Apache is not the right point to protect against things like that. It
>> would be an ugly hack, which would easily be circumvented by the
>> attacker.
>>
>> Use PHP's htmlentities() or strip_tags() on the untrusted data, before
>> echoing it back to the clients. The manual pages explain how to do this.
>
> Nevertheless, mod_security offers some protection, where applications
> are problematic and can't be fixed.
>
> I don't know if it would help the OP, because I don't know the root
> cause of his problem.
>

Thank you guys for your propositions, but don't focus on the security model.
In general, if I use an input filter can I modify the page's static HTML
code before any dynamic code is inserted?







Re: [users@httpd] Apache2 add module help !

Posted by Nick Kew <ni...@webthing.com>.
Morten K. Poulsen wrote:
> On Wed, 2009-10-28 at 19:06 +0200, antoine wrote:
>> Consider that we have an HTML form and a PHP script that handles the
>> posted data.
>> The scenario is that the bad guy writes in the form, for example,
>> "<script> ... bad javascript code </script>" and posts this, so when the
>> client gets the page we have an attack.
> 
> Apache is not the right point to protect against things like that. It
> would be an ugly hack, which would easily be circumvented by the
> attacker.
> 
> Use PHP's htmlentities() or strip_tags() on the untrusted data, before
> echoing it back to the clients. The manual pages explain how to do this.

Nevertheless, mod_security offers some protection, where applications
are problematic and can't be fixed.

I don't know if it would help the OP, because I don't know the root
cause of his problem.

-- 
Nick Kew



Re: [users@httpd] Apache2 add module help !

Posted by "Morten K. Poulsen" <mo...@fabletech.com>.
On Wed, 2009-10-28 at 19:06 +0200, antoine wrote:
> Consider that we have an HTML form and a PHP script that handles the
> posted data.
> The scenario is that the bad guy writes in the form, for example,
> "<script> ... bad javascript code </script>" and posts this, so when the
> client gets the page we have an attack.

Apache is not the right point to protect against things like that. It
would be an ugly hack, which would easily be circumvented by the
attacker.

Use PHP's htmlentities() or strip_tags() on the untrusted data, before
echoing it back to the clients. The manual pages explain how to do this.


Morten

-- 
Morten K. Poulsen <mo...@fabletech.com>
CTO, FableTech
http://fabletech.com/
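An added example, not from Morten's message or from any project, showing the output-side fix he describes: a small PHP handler that echoes a posted field back, first verbatim (the pattern antoine describes in his scenario) and then encoded for the context it is emitted into, with htmlspecialchars() for HTML text and json_encode() for a value placed inside a script block. The field name `comment` and the sample input are constructed for illustration; when run from the CLI there is no real POST, so the fixed sample value is used.

```php
<?php
// Added example (not from the thread). Demonstrates encoding untrusted
// form data at output time, the fix Morten recommends, beside the
// unencoded echo that produces the injection antoine describes.

// Constructed sample input standing in for a posted form field. On the
// CLI $_POST is empty, so the fallback value is used.
$posted = $_POST['comment'] ?? '<script>alert("injected")</script>';

// VULNERABLE: the posted string is echoed verbatim into the page, so any
// markup it contains becomes part of the document the browser executes.
function render_unsafe(string $untrusted): string
{
    return "<p>Your comment: " . $untrusted . "</p>";
}

// SAFE for an HTML text context: characters with meaning in HTML are
// turned into entities, so the browser displays the text instead of
// interpreting it. ENT_QUOTES also encodes ' and ", which matters if the
// same helper is ever used inside an attribute value.
function render_html(string $untrusted): string
{
    $safe = htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Your comment: " . $safe . "</p>";
}

// SAFE for a JavaScript context: when the value must reach script code,
// emit it as a JSON string literal. The JSON_HEX_* flags encode <, >, &
// and both quote characters, so the literal cannot close the surrounding
// <script> element or break out of the string.
function render_js(string $untrusted): string
{
    $literal = json_encode(
        $untrusted,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>var comment = " . $literal . ";</script>";
}

// strip_tags() removes markup rather than encoding it. It expresses a
// content policy (users may not post tags); whatever it leaves behind
// still has to be encoded for the output context, so it is layered on
// top of render_html() rather than used instead of it.
function render_stripped(string $untrusted): string
{
    return render_html(strip_tags($untrusted));
}

echo "Unsafe:   " . render_unsafe($posted) . PHP_EOL;
echo "HTML:     " . render_html($posted) . PHP_EOL;
echo "JS:       " . render_js($posted) . PHP_EOL;
echo "Stripped: " . render_stripped($posted) . PHP_EOL;
```

Run it with `php example.php` and compare the four lines: the first reproduces the posted markup unchanged, the HTML and JS lines show it neutralised for their respective contexts, and the last shows that stripping alone changes what is displayed but does not replace encoding. The encoding is chosen per output context, which is exactly why it has to happen where the page is generated rather than in a generic Apache filter that cannot tell static markup from a user-supplied value.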




Re: [users@httpd] Apache2 add module help !

Posted by antoine <an...@gmail.com>.
André Warnier wrote:
> antoine wrote:
>> Hello,
>>
>> Consider that I have an HTML, JavaScript, PHP site.
>>
>> My goal is to somehow modify the HTML and JavaScript code before the PHP
>> module does its stuff.
>> It is part of a JavaScript injection defense system. So I want to mark
>> benign JavaScript before the PHP module adds bad JavaScript code.
>>
>> I first thought that an output filter is the solution, but I suppose
>> that in the phase of the output filter the chunks of data will already
>> have been produced after PHP code generation (is that right)?
>
> Yes
>
>> So the attack is done and I will mark that bad JavaScript injection
>> code as benign.
>>
>> Is there a way to cope with this by adding a module filter to Apache
>> without modifying the PHP module code?
>>
> Apart from the yes above, I cannot add much, because it is not very
> clear to me what you are trying to achieve, or what you are trying to
> protect against.  You seem to say that it is the PHP which inserts the
> "bad" JavaScript code.  But the PHP runs on your server, so that seems
> to be the right point to protect, and not later try to undo what it
> might have done.  Or do you let any user load their own PHP stuff onto
> your server, and then just run it?
OK, I will explain. Consider that we have an HTML form and a PHP script
that handles the posted data.
The scenario is that the bad guy writes in the form, for example,
"<script> ... bad javascript code </script>" and posts this,
so when the client gets the page we have an attack.

So I want to separate the static JavaScript code from the dynamic one.
I want a filter to process the page before any dynamic content is
inserted, for example by the PHP module.






Re: [users@httpd] Apache2 add module help !

Posted by André Warnier <aw...@ice-sa.com>.
antoine wrote:
> Hello,
>
> Consider that I have an HTML, JavaScript, PHP site.
>
> My goal is to somehow modify the HTML and JavaScript code before the PHP
> module does its stuff.
> It is part of a JavaScript injection defense system. So I want to mark
> benign JavaScript before the PHP module adds bad JavaScript code.
>
> I first thought that an output filter is the solution, but I suppose that
> in the phase of the output filter the chunks of data will already have
> been produced after PHP code generation (is that right)?

Yes

> So the attack is done and I will mark that bad JavaScript injection code
> as benign.
>
> Is there a way to cope with this by adding a module filter to Apache
> without modifying the PHP module code?
>
Apart from the yes above, I cannot add much, because it is not very
clear to me what you are trying to achieve, or what you are trying to
protect against.  You seem to say that it is the PHP which inserts the
"bad" JavaScript code.  But the PHP runs on your server, so that seems
to be the right point to protect, and not later try to undo what it
might have done.  Or do you let any user load their own PHP stuff onto
your server, and then just run it?

