Archive for Декабрь, 2013

Hash Length Extension in HTMLPurifier

HTMLPurifier is a PHP library that helps to protect against XSS by filtering bad HTML and only allowing harmless markup. Recently a new version of HTMLPurifier has been released that fixes a hash length extension issue that I reported some time ago.
Hash length extension is a crypto attack against algorithms based on Merkle-Damgard construction (md5, sha1, etc) that allows to inject arbitrary characters into the signed data without knowing the secret key. A typical vulnerable piece of code looks like this:

if hash(secret + value) == signature:

With hash length extension we can append our data to the «value» and generate such a new signature that will satisfy the expression above. More information on this kind of attack can be found in this great article.

One of HTMLPurifier’s filters, namely URIFilter.Munge, can rewrite links to some custom address. It has also an ability to generate signatures that will protect these links from altering. However this is done in a way prone to hash length extension:

if ($this->secretKey) $this->replace['%t'] = sha1($this->secretKey . ':' . $string);

Web applications that rely on this signature to check the links, for example in URL redirectors or before placing them in the DB, may be vulnerable (for example Invision Power Board), because arbitrary data can be appended despite unknown secret.

Now HTMLPurifier uses secure HMAC-SHA256 to generate and verify signatures. Upgrade to 3.6.0 and be safe.