| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Aug 2003 00:02:55 +0200
From: "kain" <masterkain@...t.it>
To: "Frog Man" <leseulfrog@...mail.com>, <bugtraq@...urityfocus.com>,
<vulnwatch@...nwatch.org>
Subject: Re: BBCode XSS in XOOPS CMS
confirmed on xoops 1.3.10 with a pure module.textsanitizer.php .
xoops' 1.3.x users should modify their class/module.textsanitizer.php .
raw patch:
----------------
[.....]
function xoopsCodeDecode($text){
$patterns = array();
$replacements = array();
$patterns[] = "/\[url=(['\"]?)(http[s]?:\/\/[^\"']*)\\1](.*)\[\/url\]/sU";
$replacements[] = "<a href='\\2' target='_blank'>\\3</a>";
$patterns[] = "/\[url=(['\"]?)([^\"']*)\\1](.*)\[\/url\]/sU";
$replacements[] = "<a href='http://\\2' target='_blank'>\\3</a>";
//xss bug fix :°D
$patterns[] = "/\[color=(['\"]?)([a-zA-Z0-9]*)\\1](.*)\[\/color\]/sU";
$replacements[] = '<span style="color: #\\2;">\\3</span>';
$patterns[] = "/\[size=(['\"]?)([a-z0-9-]*)\\1](.*)\[\/size\]/sU";
$replacements[] = '<span style="font-size: \\2;">\\3</span>';
$patterns[] = "/\[font=(['\"]?)([^;<>\*\(\)\"']*)\\1](.*)\[\/font\]/sU";
$replacements[] = '<span style="font-family: \\2;">\\3</span>';
/*
$patterns[] = "/\[color=(['\"]?)([^\"']*)\\1](.*)\[\/color\]/sU";
$replacements[] = "<span style='color: #\\2;'>\\3</span>";
$patterns[] = "/\[size=(['\"]?)([^\"']*)\\1](.*)\[\/size\]/sU";
$replacements[] = "<span style='font-size: \\2;'>\\3</span>";
$patterns[] = "/\[font=(['\"]?)([^\"']*)\\1](.*)\[\/font\]/sU";
$replacements[] = "<span style='font-family: \\2;'>\\3</span>";
*/
$patterns[] = "/\[email]([^;<>\*\(\)\"']*)\[\/email\]/sU";
$replacements[] = '<a href="mailto:\\1">\\1</a>';
/*
$patterns[] = "/\[email]([^\"']*)\[\/email\]/sU";
$replacements[] = "<a href='mailto:\\1'>\\1</a>";
*/
//end xss fix
[...]
---rest of file
kain
kuht.it wizard
----- Original Message -----
From: "Frog Man" <leseulfrog@...mail.com>
To: <bugtraq@...urityfocus.com>; <vulnwatch@...nwatch.org>
Sent: Wednesday, August 13, 2003 1:32 PM
Subject: BBCode XSS in XOOPS CMS
> Informations :
> °°°°°°°°°°°°°
>
> Language : PHP
> Bugged Versions : 1.3.x and less (+ 2.0.x and less ? not checked)
> Safe Version : 2.0.3
> Website : http://www.xoops.org
> Problem : BBcode XSS
[snip]
> function url() from style tag (css) and vbscript are used here to redirect
> to the url "abcdef" + the cookie with the bbcode tags [color] [size] and
> [font].
> Another style function that could be used is expression().
>
> Patch :
> °°°°°°
> Just download the las version of XOOPS (2.0.3).
Powered by blists - more mailing lists