confirmed on xoops 1.3.10 with a pure module.textsanitizer.php .
xoops' 1.3.x users should modify their class/module.textsanitizer.php .

raw patch:
----------------
[.....]
    function xoopsCodeDecode($text){
        $patterns = array();
        $replacements = array();
        $patterns[] = "/\[url=(['\"]?)(http[s]?:\/\/[^\"']*)\\1](.*)\[\/url\]/sU";
        $replacements[] = "<a href='\\2' target='_blank'>\\3</a>";
        $patterns[] = "/\[url=(['\"]?)([^\"']*)\\1](.*)\[\/url\]/sU";
        $replacements[] = "<a href='http://\\2' target='_blank'>\\3</a>";

        //xss bug fix :°D
        $patterns[] = "/\[color=(['\"]?)([a-zA-Z0-9]*)\\1](.*)\[\/color\]/sU";
        $replacements[] = '<span style="color: #\\2;">\\3</span>';
        $patterns[] = "/\[size=(['\"]?)([a-z0-9-]*)\\1](.*)\[\/size\]/sU";
        $replacements[] = '<span style="font-size: \\2;">\\3</span>';
        $patterns[] = "/\[font=(['\"]?)([^;<>\*\(\)\"']*)\\1](.*)\[\/font\]/sU";
        $replacements[] = '<span style="font-family: \\2;">\\3</span>';
        /*
        $patterns[] = "/\[color=(['\"]?)([^\"']*)\\1](.*)\[\/color\]/sU";
        $replacements[] = "<span style='color: #\\2;'>\\3</span>";
        $patterns[] = "/\[size=(['\"]?)([^\"']*)\\1](.*)\[\/size\]/sU";
        $replacements[] = "<span style='font-size: \\2;'>\\3</span>";
        $patterns[] = "/\[font=(['\"]?)([^\"']*)\\1](.*)\[\/font\]/sU";
        $replacements[] = "<span style='font-family: \\2;'>\\3</span>";
        */
        $patterns[] = "/\[email]([^;<>\*\(\)\"']*)\[\/email\]/sU";
        $replacements[] = '<a href="mailto:\\1">\\1</a>';
        /*
        $patterns[] = "/\[email]([^\"']*)\[\/email\]/sU";
        $replacements[] = "<a href='mailto:\\1'>\\1</a>";
        */
        //end xss fix
[...]
---rest of file

kain
kuht.it wizard

----- Original Message -----
From: "Frog Man" <leseulfrog@hotmail.com>
To: <bugtraq@securityfocus.com>; <vulnwatch@vulnwatch.org>
Sent: Wednesday, August 13, 2003 1:32 PM
Subject: BBCode XSS in XOOPS CMS

> Information :
> °°°°°°°°°°°°°
>
> Language : PHP
> Bugged Versions : 1.3.x and less (+ 2.0.x and less ? not checked)
> Safe Version : 2.0.3
> Website : http://www.xoops.org
> Problem : BBcode XSS
[snip]
> function url() from style tag (css) and vbscript are used here to redirect
> to the url "abcdef" + the cookie with the bbcode tags [color] [size] and
> [font].
> Another style function that could be used is expression().
>
> Patch :
> °°°°°°
> Just download the last version of XOOPS (2.0.3).
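As an added example (not part of either message and not XOOPS's own code), a minimal decoder that applies the patched [color]/[size]/[font] patterns beside the commented-out pre-patch ones, on constructed inputs, so the effect of the tightened character classes can be seen. The function name decodeStyleTags and the sample strings are assumptions made for this illustration.

```php
<?php
// Added example, not XOOPS code: the three style tags from the patch above,
// selectable between the pre-patch and post-patch value patterns.
function decodeStyleTags(string $text, bool $hardened): string
{
    if ($hardened) {
        // Post-patch: the value classes exclude ; < > * ( ) and quotes, so
        // a value carrying CSS function syntax never reaches the style attribute.
        $patterns = [
            "/\[color=(['\"]?)([a-zA-Z0-9]*)\\1](.*)\[\/color\]/sU",
            "/\[size=(['\"]?)([a-z0-9-]*)\\1](.*)\[\/size\]/sU",
            "/\[font=(['\"]?)([^;<>\*\(\)\"']*)\\1](.*)\[\/font\]/sU",
        ];
    } else {
        // Pre-patch: any run of non-quote characters is copied into the style.
        $patterns = [
            "/\[color=(['\"]?)([^\"']*)\\1](.*)\[\/color\]/sU",
            "/\[size=(['\"]?)([^\"']*)\\1](.*)\[\/size\]/sU",
            "/\[font=(['\"]?)([^\"']*)\\1](.*)\[\/font\]/sU",
        ];
    }
    // Replacement strings are the same for both variants.
    $replacements = [
        '<span style="color: #\\2;">\\3</span>',
        '<span style="font-size: \\2;">\\3</span>',
        '<span style="font-family: \\2;">\\3</span>',
    ];
    return preg_replace($patterns, $replacements, $text);
}

// Constructed benign markup: converted to spans by both variants.
$benign = '[color=ff0000]red[/color] [size=12px]big[/size] [font=Arial]plain[/font]';
echo decodeStyleTags($benign, false), "\n";
echo decodeStyleTags($benign, true), "\n";

// Constructed value with a ';' and parentheses, the shape the advisory
// describes (a harmless placeholder here, no cookie or redirect involved).
$suspect = '[font=x;background:url(x)]t[/font]';
// Pre-patch: the whole value is copied verbatim into the style attribute.
echo decodeStyleTags($suspect, false), "\n";
// Post-patch: the pattern does not match, so the tag stays literal text and
// no style attribute is produced from it.
echo decodeStyleTags($suspect, true), "\n";
```

A practitioner checking a patched install can feed the same constructed strings through the real xoopsCodeDecode() and confirm that the second one comes back unchanged.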