| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Dec 2014 22:21:12 +0100
From: "A. W." <a.l.g.m.wetzels@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Yii framework CmsInput extension improper XSS sanitation
[+] Yii framework CmsInput extension [1] improper XSS sanitation
[+] Discovered by: Jos Wetzels
[+] Affects: Yii framework CmsInput extension <= version 1.2
Yii framework's CmsInput extension versions 1.2 and prior suffer from
an improper XSS sanitation implementation, which has now been resolved
in cooperation with the author [2], introducing XSS vulnerabilities in
web applications developed by third-party framework users [3].
CmsInput is an extension of the Yii framework designed to wrap
HtmlPurifier and the Codeigniter Security class in a single component
for user-input sanitation. The problem resides in CmsInput's default
cleaning method stripClean in CmsInput.php:
public function stripClean($str)
{
return $this->xssClean($this->stripTags($str));
}
What happens is that stripTags is called on the user-supplied input
before xssClean is called. stripTags is designed to eliminate all HTML
and PHP tags from the user-supplied input by wrapping PHP's strip_tags
[4] function. xssClean is a wrapper for Codeigniter's xss_clean [5]
function, which aims to strip user-supplied input of all suspicious
XSS-related input. Within xssClean, the user-supplied input is
URL-decoded before further processing:
$str = rawurldecode($str);
The problem arises when stripClean is used to sanitize a URL-encoded
user-supplied string, which is then later used under the assumption it
was stripped of all possible XSS vectors. Since stripTags simply
eliminates all raw HTML
and PHP tags and a URL-encoded string contains none, the string gets
passed to xssClean in unchanged form, where it will be URL-decoded
into a string containing HTML tags, thus allowing injection of (a
limited subset of) HTML elements in uninteded locations.
Proof of Concept:
stripClean("%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.com%2Fcsrf.php%22%3E")
= '<img src = "http://test.com/csrf.php">'
[*] Mitigation:
Upgrade to CmsInput version 1.3 [2]
[*] References:
1. http://www.yiiframework.com/extension/input/
2. http://www.yiiframework.com/extension/input/#hh7
3. Eg.: https://www.humhub.org/
4. http://php.net/manual/en/function.strip-tags.php
5. https://ellislab.com/codeigniter/user-guide/libraries/security.html
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists