security/2008/css-backslash.xhtml

   1 <?xml version="1.0" encoding="UTF-8"?>
   2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   3   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   4 <html
   5   xmlns="http://www.w3.org/1999/xhtml"
   6   xmlns:xi="http://www.w3.org/2001/XInclude"
   7   xml:lang="en">
   8 <head>
   9   <title>CSS Backslash Full Disclosure - Security - HTML Purifier</title>
  10   <xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
  11   <meta name="description" content="Full disclosure security page detailing the Shift_JIS CSS backslash attack." />
  12   <meta name="keywords" content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, 3.1.1, attack, full disclosure, xss, security, shift_jis, backslash, css" />
  13 </head>
  14 <body>
  15
  16 <xi:include href="common-header.xml" xpointer="xpointer(/*/node())" />
  17
  18 <div id="main">
  19 <h1 id="title"><abbr>CSS</abbr> Backslash Full Disclosure</h1>
  20
  21 <div id="content">
  22
  23 <p>
  24   A poorly coded escaping algorithm for <abbr>CSS</abbr> strings
  25   in the <code>font-family</code> property could allow a clever attacker
  26   to escape from the string and execute arbitrary JavaScript via
  27   <abbr>CSS</abbr>.
  28 </p>
  29
  30 <p>
  31   This vulnerability was reported privately to the vendor by
  32   <a href="http://d.hatena.ne.jp/teracc/">Takeshi Terada</a>.
  33   No active exploits are currently known.
  34 </p>
  35
  36 <h2 id="Fix">Fix</h2>
  37
  38 <p>
  39   This vulnerability was fixed in HTML Purifier 3.1.1 and 2.1.5.
  40 </p>
  41
  42 <h2 id="Details">Details</h2>
  43
  44 <p>
  45   The algorithm sucked. In it's old form, it used two string replaces:
  46 </p>
  47
  48 <pre><![CDATA[
  49 $font = str_replace("'", "\\'", $font);
  50 $font = str_replace("\n", "\\\n", $font);
  51 ]]></pre>
  52
  53 <p>
  54   ...to escape magical characters. The problem with
  55   this algorithm was the fact that backslashes
  56   were not handled; thus, by prepending a single quote with a backslash
  57   would break this primitive protection. A hotfix was applied for this,
  58   however, this broke Unicode character escapes in CSS, which take
  59   the form of \uXXXX.
  60 </p>
  61
  62 <p>
  63   The final solution was to rewrite all of the escaping code to iterate
  64   through the value of <code>font-family</code>, performing appropriate
  65   tests when a backslash was encountered of the later characters,
  66   and translating UTF-8 escapes to their literal equivalents.
  67 </p>
  68
  69 <h2 id="History">History</h2>
  70
  71 <p>
  72   The vulnerability was reported on May 23, 2008 via email.
  73   Two patches were committed to fix this issue, one on
  74   <a href="http://repo.or.cz/w/htmlpurifier.git?a=commit;h=10530d7f815803493df150fa07080669796bd33a">May 24, 2008</a>
  75   and one on <a href="http://repo.or.cz/w/htmlpurifier.git?a=commit;h=bb16d8eae571dd4e30e3a62cce03d436d46cefaf">May 25, 2008</a>.
  76   HTML Purifier 3.1.1 was released on June 19, 2008.
  77 </p>
  78
  79 </div>
  80 </div>
  81
  82 </body>
  83 </html>