| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0610221056010.22129@fingers.shocking.com>
Date: Sun, 22 Oct 2006 11:06:21 -0700 (PDT)
From: RSnake <rsnake@...cking.com>
To: mrapples@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Simple Machines Forum (SMF) XSS issue
I wouldn't rely on that library by itself. As I emailed Kallahar quite
a while ago about it is still vulnerable to at least one issue:
<IMG
SRC=ja&#x09;vascrip&#x09;t:alert(String.fromCharCode(88,83,83));>
This works in IE6.0 and Opera 9.0. What it is doing is converting HTML
entities into their ASCII equivalent. By doing that he is changing my
string, "&#x09;" into "	" which is a newline, and injected
within the javascript directive it breaks it up. This is a pretty good
example of why conversion filters can be used against you.
-RSnake
http://ha.ckers.org/
http://sla.ckers.org/
On Sat, 21 Oct 2006, mrapples@...il.com wrote:
> Good find on this.
>
> Here is the fix I applied:
>
> Find on line ~85 in Sources/Search.php:
>
> foreach ($temp_params as $i => $data)
> {
> @list ($k, $v) = explode('|\'|', $data);
> $context['search_params'][$k] = stripslashes($v);
> }
>
>
> Change to:
>
> foreach ($temp_params as $i => $data)
> {
> @list ($k, $v) = explode('|\'|', $data);
> $context['search_params'][$k] = RemoveXSS(stripslashes($v));
> }
>
>
> The RemoveXSS function is taken from the following site:
> http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php
>
> I hope that handles all the issue related to this.
Powered by blists - more mailing lists