lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 16 Dec 2005 20:21:07 -0500 (EST)
From: Paul Laudanski <zx@...tlecops.com>
To: max@...tsuper.pl
Cc: bugtraq@...urityfocus.com
Subject: Re: Bypass XSS filter in PHPNUKE 7.9=>x


On 14 Dec 2005 max@...tsuper.pl wrote:

> [Bypass XSS filter in PHPNUKE 7.9=>x cXIb8O3.21]
> 
> 2.0 http://[HOST]/[DIR]/modules.php?name=Search
> 
> Insert:
> 
> <iframe src=http://securityreason.com?phpnuke79 <
> 
> And have you xss.
> 
> 2.1 http://[HOST]/[DIR]/modules.php?name=Web_Links
> 
> Insert:
> 
> <iframe src=http://securityreason.com?phpnuke79 <
> 
> 	foreach ($_POST as $secvalue) {
> 		if ((eregi("<[^>]*iframe*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*object*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*applet*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*meta*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*form*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*img*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*onmouseover*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]script*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*body*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]style*\"?[^>]*", $secvalue))) 
> 		{
> 			die ($htmltags);
> 		}
> 	}
> 
> thx nukefixes.com
> 
> 
> - --- 4. Greets ---
> 
> sp3x, nukefixes.com
> Author: Maksymilian Arciemowicz < cXIb8O3 >
> Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com

Thanks for the information but the filtering doesn't make any sense.  Any 
data that is accepted is to be considered tainted and dealt with 
appropriately.  This doesn't apply to just Web_Links or Search modules, 
but also other modules such as Forums.

If I take your exact example code:

<iframe src=http://securityreason.com?phpnuke79 <

And post it to a forum post in a [CODE][/CODE] block to discuss, I'll be 
thrown an exception per your code because it'll be caught by your HTTP 
POST filtering.  

What you need to do is use htmlentities or htmlspecialchar to sanitize 
data before it's displayed to the user.  Your "fix" will easily break many 
sites that are focused on programming discussions.  Its important to know 
how to "filter" input properly.

One other problem is you are removing the stock filters from being called 
upon if ADMIN_FILE is defined.  Problem here is if the admin's account 
gets hijacked, there is no code to prevent admin from instantiating a 
malformed request or post.  XSS, CRSF, you name it...

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ