Message-ID: <Pine.LNX.4.44.0512162012550.18213-100000@bugsbunny.castlecops.com>
Date: Fri, 16 Dec 2005 20:21:07 -0500 (EST)
From: Paul Laudanski <zx@...tlecops.com>
To: max@...tsuper.pl
Cc: bugtraq@...urityfocus.com
Subject: Re: Bypass XSS filter in PHPNUKE 7.9=>x
On 14 Dec 2005 max@...tsuper.pl wrote:
> [Bypass XSS filter in PHPNUKE 7.9=>x cXIb8O3.21]
>
> 2.0 http://[HOST]/[DIR]/modules.php?name=Search
>
> Insert:
>
> <iframe src=http://securityreason.com?phpnuke79 <
>
> And you have XSS.
>
> 2.1 http://[HOST]/[DIR]/modules.php?name=Web_Links
>
> Insert:
>
> <iframe src=http://securityreason.com?phpnuke79 <
>
> foreach ($_POST as $secvalue) {
> if ((eregi("<[^>]*iframe*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*object*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*applet*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*meta*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*form*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*img*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*onmouseover*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]script*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]*body*\"?[^>]*", $secvalue)) ||
> (eregi("<[^>]style*\"?[^>]*", $secvalue)))
> {
> die ($htmltags);
> }
> }
>
> thx nukefixes.com
>
>
> - --- 4. Greets ---
>
> sp3x, nukefixes.com
> Author: Maksymilian Arciemowicz < cXIb8O3 >
> Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
Thanks for the information but the filtering doesn't make any sense. Any
data that is accepted is to be considered tainted and dealt with
appropriately. This doesn't apply to just Web_Links or Search modules,
but also other modules such as Forums.
If I take your exact example code:
<iframe src=http://securityreason.com?phpnuke79 <
And post it to a forum post in a [CODE][/CODE] block to discuss, I'll be
thrown an exception per your code because it'll be caught by your HTTP
POST filtering.
What you need to do is use htmlentities or htmlspecialchars to sanitize
data before it's displayed to the user. Your "fix" will easily break many
sites that are focused on programming discussions. It's important to know
how to "filter" input properly.
One other problem is you are removing the stock filters from being called
upon if ADMIN_FILE is defined. Problem here is if the admin's account
gets hijacked, there is no code to prevent admin from instantiating a
malformed request or post. XSS, CSRF, you name it...
--
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
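The following is an added example, not code from either message in this thread, from PHP-Nuke, or from nukefixes.com. It puts the quoted POST blacklist beside the output-time escaping the reply recommends and runs both over a constructed forum post that quotes the advisory inside a [CODE] block, plus a constructed harmless link. The blacklist patterns are re-expressed with preg_match() and the /i flag because the ereg family was removed in PHP 7; the function names, sample posts and the PHP 7+ assumption are mine.

```php
<?php
// Added example (not from the thread, PHP-Nuke or nukefixes.com).
// Contrasts the quoted blacklist POST filter with output-time escaping.

// The quoted filter used eregi(); it is re-expressed here with preg_match()
// because ereg/eregi were removed in PHP 7. Note that "iframe*" in the
// original patterns means "ifram" followed by zero or more "e", so the
// expressions are looser than they look and match inside ordinary words.
function legacy_blacklist_rejects(string $value): bool
{
    $patterns = [
        '/<[^>]*iframe*"?[^>]*/i',
        '/<[^>]*object*"?[^>]*/i',
        '/<[^>]*applet*"?[^>]*/i',
        '/<[^>]*meta*"?[^>]*/i',
        '/<[^>]*form*"?[^>]*/i',
        '/<[^>]*img*"?[^>]*/i',
        '/<[^>]*onmouseover*"?[^>]*/i',
        '/<[^>]script*"?[^>]*/i',
        '/<[^>]*body*"?[^>]*/i',
        '/<[^>]style*"?[^>]*/i',
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $value) === 1) {
            return true; // the quoted filter would die() at this point
        }
    }
    return false;
}

// Output-time escaping: store the submitted text unchanged and encode it
// when it is rendered. ENT_QUOTES also escapes single quotes, so the result
// is inert inside attribute values as well as in element content.
function render_safe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a user quoting the advisory's own test string inside a
// [CODE] block to discuss it, exactly the case the reply describes.
$post = "[CODE]<iframe src=http://securityreason.com?phpnuke79 <[/CODE]";

// Constructed sample: an ordinary link. The word "information" contains
// "form", so the "<[^>]*form*" pattern rejects it although nothing is wrong.
$harmless = 'Read <a href="information.html">the docs</a> first.';

$samples = [
    'advisory string quoted in a [CODE] block' => $post,
    'harmless link'                            => $harmless,
];

foreach ($samples as $label => $text) {
    printf(
        "%s\n  blacklist rejects: %s\n  escaped output:    %s\n\n",
        $label,
        legacy_blacklist_rejects($text) ? 'yes' : 'no',
        render_safe($text)
    );
}
```

Both constructed posts are rejected outright by the blacklist, while render_safe() turns each into plain text the browser displays but never interprets, which is the behaviour a programming forum needs. Escaping at the point of output also covers the case the reply raises about ADMIN_FILE: it does not depend on which request filters happened to run when the data came in.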