XSS Filter messing with MD5 values / Forums / Community / EllisLab

Forum Logo

XSS Filter messing with MD5 values

Posted: 08 October 2012 07:31 PM

[ Ignore ]

Joined: 2010-10-05
30 posts

I decided that it would be wiser to turn on the global_xss_filtering, but unfortunately, about 1% of my users had password mismatch issues. I tracked it down to the fact that some md5’s were being generated differently when the XSS filter was on.

Here is my test controller code:

function testing()
 {
  $data['version'] = CI_VERSION;
  $data['testing'] = $this->input->post('testing');
  $data['testing_xss'] = $this->input->post('testing', TRUE);
  $data['md5_testing'] = md5($this->input->post('testing'));
  $data['md5_testing_xss'] = md5($this->input->post('testing', TRUE));
  $this->load->view('testing', $data);
 } 

And here is my test view code:

<?php
echo form_open('welcome/testing');
echo '<p>' . $version . '</p>';
echo 'Testing: ' . form_input('testing', set_value('testing'));
echo form_submit('submit','Submit');
echo form_close();

if ($testing)
{
 echo "Testing: " . $testing . '<br>';
 echo "Testing XSS: " . $testing_xss . '<br>';
 echo "MD5 Testing: " . $md5_testing . '<br>';
 echo "MD5 Testing XSS: " . $md5_testing_xss . '<br>';
}
?> 

One of the combinations that seems to cause the issue is if the value has “&sq;” in it. For example here is the output of a page with that value submitted:

1.7.2

Testing:
Testing: &sq;
Testing XSS: &sq;
MD5 Testing: af6c44d3d1bb087f014d1bcb5916f6a4
MD5 Testing XSS: 3247fc1749af230a49e4d19cda68c6fa

Now, if I run &sq; through md5 in my command line, I get the value that matches when the XSS filter is off: af6c44d3d1bb087f014d1bcb5916f6a4

Is this a bug? What exactly is the XSS filter turning my text into that md5() is generating a different hash for it?

skunkbad

Posted: 08 October 2012 08:05 PM

[ Ignore ] [ # 1 ] [ Rating: 0 ]

Joined: 2009-05-17
1415 posts

It’s probably turning the ampersand in “&sq;” into


&amp;

, so it’s probably looking like this


&amp;sq;

. Check your source and see.

Global XSS filtering is a waste of resources. xss_clean is a pretty heavy function, and it will get called everytime you post. Even values that are already being validated as int, float, etc will get passed through xss_clean. You don’t need that.

Signature

Brian
Brian’s Web Design - Temecula
Community Auth - CodeIgniter Authentication Application

jaydisc

Posted: 09 October 2012 12:05 AM

[ Ignore ] [ # 2 ] [ Rating: 0 ]

Joined: 2010-10-05
30 posts

Weirdly, it’s turning “&sq;” into “&sq;”. Here is the output wrapped in <pre>:

Testing:
Testing: &sq;
Testing XSS: &sq;
MD5 Testing: af6c44d3d1bb087f014d1bcb5916f6a4
MD5 Testing XSS: 3247fc1749af230a49e4d19cda68c6fa

So, if I don’t use global filtering, in what situations should I apply filtering?

UPDATE:

Actually, it looks like the forum here is applying the filter and mangling the code (even my original post got mangled). Basically, I’m not entering a semi-colon after the sq, but the XSS filter is adding one. Here is an image of what it actually looks like:http://cl.ly/K1GK. Is that a bug?

Aken

Posted: 09 October 2012 01:00 AM

[ Ignore ] [ # 3 ] [ Rating: 0 ]

Joined: 2007-11-28
2435 posts

I would advise not running XSS filtering on passwords. Passwords should be exactly what the user enters. And as long as you are changing its value (MD5 in your case) before saving it to the database, you shouldn’t need to worry about any SQL injection.

I would advise using a much better password hashing solution, though. MD5 is not secure. Use it to test and learn, but for production websites, you should find better (such as PHPass / bcrypt / blowfish).

The new semicolon could be a bug, though. Maybe a regular expression that is not specific enough. If you know how to create an issue on Github, you should mention this on the CodeIgniter Github repo so it receives more attention.

Also, if the 1.7.2 in your quote is the version of CodeIgniter you’re using, upgrading to the latest stable release is definitely encouraged.

jaydisc

Posted: 10 October 2012 09:54 PM

[ Ignore ] [ # 4 ] [ Rating: 0 ]

Joined: 2010-10-05
30 posts

I’ve upgraded to 1.7.3 and this (bug?) still occurs. My personal code and app issues have been resolved, so my only remaining goal is notifying the powers that be. I’m not familiar with use of Github.

Aken

Posted: 10 October 2012 11:09 PM

[ Ignore ] [ # 5 ] [ Rating: 0 ]

Joined: 2007-11-28
2435 posts

1.7.3 is a non-supported old version of CI. You should upgrade to the newest version if you can. Or, as I recommended, avoid using xss_clean on the password field in the first place.

jaydisc

Posted: 10 October 2012 11:15 PM

[ Ignore ] [ # 6 ] [ Rating: 0 ]

Joined: 2010-10-05
30 posts

I think we’re having a slight disconnect here. I don’t need help with my app (but I thank you). Rather, I’m just offering up the possibility that this might be a bug, which I thought this section of the forums was for? If no one cares about bugs in 1.7.3, please ignore this. If someone does care, and/or has access to and wants to see if this bug exists in the current version, I’ve presented a simple test for doing so.