lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 2 Dec 2014 22:21:12 +0100
From: "A. W." <a.l.g.m.wetzels@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Yii framework CmsInput extension improper XSS sanitation

[+] Yii framework CmsInput extension [1] improper XSS sanitation
[+] Discovered by: Jos Wetzels
[+] Affects: Yii framework CmsInput extension <= version 1.2

Yii framework's CmsInput extension versions 1.2 and prior suffer from
an improper XSS sanitation implementation, which has now been resolved
in cooperation with the author [2], introducing XSS vulnerabilities in
web applications developed by third-party framework users [3].
CmsInput is an extension of the Yii framework designed to wrap
HtmlPurifier and the Codeigniter Security class in a single component
for user-input sanitation. The problem resides in CmsInput's default
cleaning method stripClean in CmsInput.php:

    public function stripClean($str)
    {
        return $this->xssClean($this->stripTags($str));
    }

What happens is that stripTags is called on the user-supplied input
before xssClean is called. stripTags is designed to eliminate all HTML
and PHP tags from the user-supplied input by wrapping PHP's strip_tags
[4] function. xssClean is a wrapper for Codeigniter's xss_clean [5]
function, which aims to strip user-supplied input of all suspicious
XSS-related input. Within xssClean, the user-supplied input is
URL-decoded before further processing:

$str = rawurldecode($str);

The problem arises when stripClean is used to sanitize a URL-encoded
user-supplied string, which is then later used under the assumption it
was stripped of all possible XSS vectors. Since stripTags simply
eliminates all raw HTML
and PHP tags and a URL-encoded string contains none, the string gets
passed to xssClean in unchanged form, where it will be URL-decoded
into a string containing HTML tags, thus allowing injection of (a
limited subset of) HTML elements in uninteded locations.

Proof of Concept:

stripClean("%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.com%2Fcsrf.php%22%3E")
= '<img src = "http://test.com/csrf.php">'

[*] Mitigation:
Upgrade to CmsInput version 1.3 [2]

[*] References:

1. http://www.yiiframework.com/extension/input/
2. http://www.yiiframework.com/extension/input/#hh7
3. Eg.: https://www.humhub.org/
4. http://php.net/manual/en/function.strip-tags.php
5. https://ellislab.com/codeigniter/user-guide/libraries/security.html

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists