Topic: How dangerous is eval()?

Just wondering exactly what sort of bad things people can do with eval if they somehow managed to get a variabled into something you were going eval.


Can they actually do any damage or will it just cause the javascript to do something on their browser only?


I have read about some os.system stuff but I think that is just to do with python.

It will cause the JavaScript to do something on their browser only. However, if any of a user's input is stored on the server and then put back into web pages for others to see (such as on a forum), if it then got put into an eval, it would be as dangerous as if it were not stripped of HTML tags.

Yeh i see what you mean, but its not like with python where they can actually delete files from your PC with eval().

And its a one way thing, im sending from PHP to javascript. I cant think of a way they can abuse what im doing, just wanted to make sure what the worst case was.

eval() is evil! plain and simple.

It forces the JavaScript engines to re-parse a chunk of script and have no security whatsover.

As for the criticality, for instance the eval() can be used to exploit any of security gaps listed on Secunia's advisories for:

• Microsoft Internet Explorer 6.x
• Mozilla Firefox 1.x
• Opera 8.x

At best, in case of a malicious usage, your website would be defaced and the user gratified with goatse and tubegirl. At worst the user would have some serious problems with his/her computer.

Oh, script injection in JSON is a piece of cake. There's plenty of sites explaining how to do it.



(Edited by poi on 08-08-2006 08:35)

<insert sly smile here>

Makes one's blood boil when they don't get it, uh?
And when they're -certain- they got it right, but still don't understand fully, it's even worse.

quote:

---

I cant think of a way they can abuse what im doing,

---

Hackers love things you can't think about. Leave no room for possible abuse whenever you can
if security matters.
If you -need- to use eval, there is room for loads of improvement in your code already,
because you should never need one specific function that badly.

And I'll stress that again: don't think -they- can't think of a way to screw you because you can't.

Yeh the only thing i am using eval for is JSON, will have to look up the sites with the script injection. I am parsing the data that comes to the eval function before it is eval()ed, so if you think they can still do damage let me know.


The reason i dont see a way they can abuse the current system is that every input is verified, i have a bunch of regex functions which control what people can use in the inputs etc.

And the only stuff going from php to JSON and through the eval function is either hard coded messages or variables i am returning from my database. Nothing that is directly related to user input goes through the eval...

The front end of the website doesnt use JSON or eval() at all either, its only in the content managment system which the client logs into. So the client once logged in would have to do the malicous act also, which while itself is very low risk - i still want to make sure some clients employee who is one day getting the sack, cant destroy the system.

quote:

---

And I'll stress that again: don't think -they- can't think of a way to screw you because you can't.

---

That is why i posted here...