lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 2 Dec 2014 22:21:12 +0100
From: "A. W." <>
Subject: [FD] Yii framework CmsInput extension improper XSS sanitation

[+] Yii framework CmsInput extension [1] improper XSS sanitation
[+] Discovered by: Jos Wetzels
[+] Affects: Yii framework CmsInput extension <= version 1.2

Yii framework's CmsInput extension versions 1.2 and prior suffer from
an improper XSS sanitation implementation, which has now been resolved
in cooperation with the author [2], introducing XSS vulnerabilities in
web applications developed by third-party framework users [3].
CmsInput is an extension of the Yii framework designed to wrap
HtmlPurifier and the Codeigniter Security class in a single component
for user-input sanitation. The problem resides in CmsInput's default
cleaning method stripClean in CmsInput.php:

    public function stripClean($str)
        return $this->xssClean($this->stripTags($str));

What happens is that stripTags is called on the user-supplied input
before xssClean is called. stripTags is designed to eliminate all HTML
and PHP tags from the user-supplied input by wrapping PHP's strip_tags
[4] function. xssClean is a wrapper for Codeigniter's xss_clean [5]
function, which aims to strip user-supplied input of all suspicious
XSS-related input. Within xssClean, the user-supplied input is
URL-decoded before further processing:

$str = rawurldecode($str);

The problem arises when stripClean is used to sanitize a URL-encoded
user-supplied string, which is then later used under the assumption it
was stripped of all possible XSS vectors. Since stripTags simply
eliminates all raw HTML
and PHP tags and a URL-encoded string contains none, the string gets
passed to xssClean in unchanged form, where it will be URL-decoded
into a string containing HTML tags, thus allowing injection of (a
limited subset of) HTML elements in uninteded locations.

Proof of Concept:

= '<img src = "">'

[*] Mitigation:
Upgrade to CmsInput version 1.3 [2]

[*] References:

3. Eg.:

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists