lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <002801c361e6$a6a724d0$0300a8c0@kuht800>
Date: Thu, 14 Aug 2003 00:02:55 +0200
From: "kain" <masterkain@...t.it>
To: "Frog Man" <leseulfrog@...mail.com>, <bugtraq@...urityfocus.com>,
	<vulnwatch@...nwatch.org>
Subject: Re: BBCode XSS in XOOPS CMS


confirmed on xoops 1.3.10 with a pure module.textsanitizer.php .
xoops' 1.3.x users should modify their class/module.textsanitizer.php .
raw patch:

----------------
[.....]
 function xoopsCodeDecode($text){
  $patterns = array();
  $replacements = array();
  $patterns[] = "/\[url=(['\"]?)(http[s]?:\/\/[^\"']*)\\1](.*)\[\/url\]/sU";
  $replacements[] = "<a href='\\2' target='_blank'>\\3</a>";
  $patterns[] = "/\[url=(['\"]?)([^\"']*)\\1](.*)\[\/url\]/sU";
  $replacements[] = "<a href='http://\\2' target='_blank'>\\3</a>";

  //xss bug fix :°D

  $patterns[] = "/\[color=(['\"]?)([a-zA-Z0-9]*)\\1](.*)\[\/color\]/sU";
  $replacements[] = '<span style="color: #\\2;">\\3</span>';
  $patterns[] = "/\[size=(['\"]?)([a-z0-9-]*)\\1](.*)\[\/size\]/sU";
  $replacements[] = '<span style="font-size: \\2;">\\3</span>';
  $patterns[] = "/\[font=(['\"]?)([^;<>\*\(\)\"']*)\\1](.*)\[\/font\]/sU";
  $replacements[] = '<span style="font-family: \\2;">\\3</span>';

  /*
  $patterns[] = "/\[color=(['\"]?)([^\"']*)\\1](.*)\[\/color\]/sU";
  $replacements[] = "<span style='color: #\\2;'>\\3</span>";
  $patterns[] = "/\[size=(['\"]?)([^\"']*)\\1](.*)\[\/size\]/sU";
  $replacements[] = "<span style='font-size: \\2;'>\\3</span>";
  $patterns[] = "/\[font=(['\"]?)([^\"']*)\\1](.*)\[\/font\]/sU";
  $replacements[] = "<span style='font-family: \\2;'>\\3</span>";
  */

  $patterns[] = "/\[email]([^;<>\*\(\)\"']*)\[\/email\]/sU";
  $replacements[] = '<a href="mailto:\\1">\\1</a>';

  /*
  $patterns[] = "/\[email]([^\"']*)\[\/email\]/sU";
  $replacements[] = "<a href='mailto:\\1'>\\1</a>";
  */

  //end xss fix

[...]
---rest of file

kain
kuht.it wizard

----- Original Message ----- 
From: "Frog Man" <leseulfrog@...mail.com>
To: <bugtraq@...urityfocus.com>; <vulnwatch@...nwatch.org>
Sent: Wednesday, August 13, 2003 1:32 PM
Subject: BBCode XSS in XOOPS CMS


> Informations :
> °°°°°°°°°°°°°
>
> Language : PHP
> Bugged Versions : 1.3.x and less (+ 2.0.x and less ? not checked)
> Safe Version : 2.0.3
> Website : http://www.xoops.org
> Problem : BBcode XSS

[snip]

> function url() from style tag (css) and vbscript are used here to redirect
> to the url "abcdef" + the cookie with the bbcode tags [color] [size] and
> [font].
> Another style function that could be used is expression().
>
> Patch :
> °°°°°°
> Just download the las version of XOOPS (2.0.3).



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ