Re: Bypass XSS filter in PHPNUKE 7.9=>x

Paul Laudanski <zx@xxxxxxxxxxxxxx> · Fri, 16 Dec 2005 20:21:07 -0500 (EST)

On 14 Dec 2005 max@xxxxxxxxxxxx wrote:

> [Bypass XSS filter in PHPNUKE 7.9=>x cXIb8O3.21]
> 
> 2.0 http://[HOST]/[DIR]/modules.php?name=Search
> 
> Insert:
> 
> <iframe src=http://securityreason.com?phpnuke79 <
> 
> And have you xss.
> 
> 2.1 http://[HOST]/[DIR]/modules.php?name=Web_Links
> 
> Insert:
> 
> <iframe src=http://securityreason.com?phpnuke79 <
> 
> 	foreach ($_POST as $secvalue) {
> 		if ((eregi("<[^>]*iframe*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*object*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*applet*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*meta*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*form*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*img*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*onmouseover*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]script*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]*body*\"?[^>]*", $secvalue)) ||
> 		(eregi("<[^>]style*\"?[^>]*", $secvalue))) 
> 		{
> 			die ($htmltags);
> 		}
> 	}
> 
> thx nukefixes.com
> 
> 
> - --- 4. Greets ---
> 
> sp3x, nukefixes.com
> Author: Maksymilian Arciemowicz < cXIb8O3 >
> Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com

Thanks for the information but the filtering doesn't make any sense.  Any 
data that is accepted is to be considered tainted and dealt with 
appropriately.  This doesn't apply to just Web_Links or Search modules, 
but also other modules such as Forums.

If I take your exact example code:

<iframe src=http://securityreason.com?phpnuke79 <

And post it to a forum post in a [CODE][/CODE] block to discuss, I'll be 
thrown an exception per your code because it'll be caught by your HTTP 
POST filtering.  

What you need to do is use htmlentities or htmlspecialchar to sanitize 
data before it's displayed to the user.  Your "fix" will easily break many 
sites that are focused on programming discussions.  Its important to know 
how to "filter" input properly.

One other problem is you are removing the stock filters from being called 
upon if ADMIN_FILE is defined.  Problem here is if the admin's account 
gets hijacked, there is no code to prevent admin from instantiating a 
malformed request or post.  XSS, CRSF, you name it...

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com