-rw-r--r--.gitignore1
-rw-r--r--index.php9
-rw-r--r--xss-check.php.sample48
3 files changed, 58 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index 5df2997..3d2b2cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
msg/*
conf.php
+xss-check.php
.htaccess
*.bak
diff --git a/index.php b/index.php
index 1148b1d..ad16995 100644
--- a/index.php
+++ b/index.php
@@ -2,6 +2,15 @@
// What directory are we in on the server.
define('BASEPATH', dirname(__FILE__));
+$xss_file = BASEPATH.'/xss-check.php';
+if (file_exists($xss_file)) {
+ require($xss_file);
+ if (xss_attack()) {
+ echo "execution halted to prevent XSS attack.";
+ exit();
+ }
+}
+
// Decide where to look for things
define('LIBPATH', BASEPATH.'/src/lib'.PATH_SEPARATOR.BASEPATH.'/src/ext');
define('MODELPATH', BASEPATH.'/src/models');
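Review bot: The early `exit()` after `echo` in the new block leaves the HTTP status at 200, so a blocked request looks like a successful page to browsers, proxies and log analysis; set an error status first, e.g. `http_response_code(403);` before the `echo`. The require itself is safe as written because `$xss_file` is built only from `BASEPATH` and never from request data, and it is worth a one-line comment saying so, e.g. `// path is fixed relative to this file, not derived from request input`. Note also that when `xss-check.php` is absent the site runs with no check at all and nothing is logged; a comment stating that this protection is opt-in would help the next operator. The hook's name and the halt message call this an XSS check, but inspecting the Referer of state-changing requests is a CSRF mitigation, so the message wording may mislead whoever reads the logs.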
diff --git a/xss-check.php.sample b/xss-check.php.sample
new file mode 100644
index 0000000..bfc7973
--- /dev/null
+++ b/xss-check.php.sample
@@ -0,0 +1,48 @@
+<?php
+
+/**
+ * We don't automatically set this up, because it depends on server
+ * configuration.
+ *
+ * This is a sample, it's what I use on mckenzierobotics.org
+ * So, it may help you to know that I have several systems interacting there.
+ * http://mckenzierobotics.org/ Base of entire site
+ * http://mckenzierobotics.org/mm/ WordPress
+ * http://mckenzierobotics.org/wp/ MessageManager
+ *
+ * The 'conf' table for MessageManager has 'baseurl' set to '/mm/'; it does NOT
+ * include the hostname.
+ *
+ * The idea of this approach is we inspect the HTTP_REFERER to decide if the
+ * user came from an acceptable URL. This is tricky because this isn't
+ * nescessarily just URLs inside of MessageManager's "baseurl", and URLs from
+ * inside of "baseurl" might not be trusted (like email body files).
+ */
+function xss_attack() {
+ $siteurl = 'http://mckenzierobotics.org/';// basic trusted base
+ $mmurl = $siteurl.'mm/';// where MessageManager is
+
+ if (!isset($_SERVER['HTTP_REFERER']))
+ return false;
+
+ $from = $_SERVER['HTTP_REFERER'];
+ $method = $_SERVER['REQUEST_METHOD'];
+
+ switch ($method) {
+ case 'PUT': break;
+ case 'POST': break;
+ case 'GET': return false; break;
+ case HEAD: return false; break;
+ default: break;
+ }
+
+ if (substr($from,0,strlen($siteurl)) != $siteurl)
+ return true;
+
+ $messages = '@^'.preg_quote($mmurl.'messages/','@').'.*/.@';
+ if (preg_match($messages, $from))
+ // Someone cleverly tried to XSS us from inside a message
+ return true;
+
+ return false;
+} \ No newline at end of file
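Review bot: `case HEAD:` in the method switch uses an unquoted bare-word constant; on PHP 7 that emits a notice and is silently coerced to the string `'HEAD'`, and on PHP 8 an undefined constant is a fatal `Error` on every request that reaches the switch, so it should read `case 'HEAD': return false;`. Separately, a missing Referer header returns `false` before the method is even examined, so any cross-site POST sent without a Referer (referrer policy, privacy extensions, or an attacker's page that sets `no-referrer`) bypasses the check entirely; Referer-based checks are at best a weak CSRF heuristic and the sample should say so in its header comment and point users toward per-session tokens. The prefix test with `!=` and `substr` would be clearer as a strict `!==` and a `strpos($from, $siteurl) === 0`, and it also rejects `https://` referers, which may or may not be intended for that site. The header comment appears to have the `/mm/` and `/wp/` labels swapped relative to `$mmurl` and the stated `baseurl` of `/mm/`.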