FUDforum: FUDforum Suggestions » Cleaning of Entered data / "Invalid Encoding Attack"

Home » FUDforum » FUDforum Suggestions » Cleaning of Entered data / "Invalid Encoding Attack"

Show: Today's Messages :: Polls :: Message Navigator

Cleaning of Entered data / "Invalid Encoding Attack" [message #187500]

Sat, 30 June 2018 20:10

alopezie

Messages: 106
Registered: September 2003

Karma: 1

Senior Member

I had a "specialist" which put characters in the posting and title tags which resulted in some funny "vertical" text and strange letters ....
Someone was saying similar things can happen also in phpBB

So it would be better to clean the entered data.
The user suggested to use mb_check_encoding to prevent so-called "Invalid Encoding Attack".(http://php.net/manual/de/function.mb-check-encoding.php)

Alopezie.de - das Forum zum Thema Haarausfall

Report message to a moderator

Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187501 is a reply to message #187500]

Sun, 01 July 2018 07:25

naudefj

Messages: 3771
Registered: December 2004

Karma: 28

Senior Member
Administrator
Core Developer

I've never seen an "Invalid Encoding Attack" and don't know how much of an issue it really is.
Can your specialist maybe help with a patch?

Report message to a moderator

Aw: Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187502 is a reply to message #187501]

Sun, 01 July 2018 07:32

alopezie

Messages: 106
Registered: September 2003

Karma: 1

Senior Member

You see here that the data entered in the message header ("Testtesta") even shows up in source code "vertically". In this case he added letters behind "Testtesta" resulting in this strange vertical line of letters.

Also see the nice german logo in the message box.

/forum/index.php?t=getfile&id=6696&private=0

/forum/index.php?t=getfile&id=6696&private=0

/forum/index.php?t=getfile&id=6697&private=0

To prevent this I guess it would require just to add the php function "mb_check_encoding" in any data entry ....

Attachment: MWSnap213.jpg
(Size: 18.64KB, Downloaded 1976 times)
Attachment: MWSnap214.jpg
(Size: 78.52KB, Downloaded 2060 times)

Alopezie.de - das Forum zum Thema Haarausfall

[Updated on: Sun, 01 July 2018 07:34]

Report message to a moderator

Re: Aw: Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187503 is a reply to message #187502]

Sun, 01 July 2018 08:00

naudefj

Messages: 3771
Registered: December 2004

Karma: 28

Senior Member
Administrator
Core Developer

Annoying, but I guess not dangerous.
We can add it to check_post_form() in postcheck.int.t.
Can you assist with a patch?

Report message to a moderator

Aw: Re: Aw: Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187504 is a reply to message #187503]

Sun, 01 July 2018 08:11

alopezie

Messages: 106
Registered: September 2003

Karma: 1

Senior Member

Mmhmm I am myself not really a coder, and looking in the examples its beyond my scope.
But will send him the source code and ask him for help

Alopezie.de - das Forum zum Thema Haarausfall

Report message to a moderator

Aw: Re: Aw: Re: Cleaning of Entered data / "Invalid Encoding Attack" [message #187507 is a reply to message #187504]

Mon, 02 July 2018 06:44

alopezie

Messages: 106
Registered: September 2003

Karma: 1

Senior Member

he gave me the following reply:

Zitat:

Hello, I have checked this and would let that go!

Unfortunately, these are all valid special characters, which also occur in the UTF-8 character set.
The bad guys here are the ones here: Thai์๋lä์์๋n์๋der, who can make several ์๋๋์๋๋๋๋๋, but unfortunately there is no clear pattern here that could be used to filter.

Okay, this is not a security problem, so we may stay "as-is" for the moment - in case it becomes a flood we have to recheck

Alopezie.de - das Forum zum Thema Haarausfall

Report message to a moderator