admin login page possible XSS vulnerability

A place to discuss the testing process in beta cycles or against SVN for the CMS Made Simple CORE package.
rich8715

admin login page possible XSS vulnerability

Post by rich8715 »

See http://www.informit.com/articles/articl ... 03037&rl=1 for further info.

The admin login page appears to potentially be vulnerable to a similar exploit as detailed in the above url.

For example, if one enters the following:

lja" />Hello tag (with id of x) into the page.

This exploit is very similar to the one in the above url, and before someone says the size=15 limit will fix the problem, note that the input field that was exploited in the above url was a 25 character limit.  Note, also, that there are javascriptlets that will remove size limits on input fields in the browser, allowing an unlimited amount of text to be injected, potentially leading to the exploit from the url above.

The fix, the same as in the url above, is that the contents of the username and password fields should be filtered to remove bad characters (or better yet, filtered to only allow known good characters) before being repeated back to the page.  Not only that, but the password field should not be repeated back to the page; the user should have to retype the password again if they got something wrong with the userid/password combo.
arwan

Re: admin login page possible XSS vulnerability

Post by arwan »

IMHO, filtering the username won't really fix this problem. The reason this vulnerability exists, is that the user input isn't properly escaped/encoded before returning it to the user... So that's why I propose the following easy fix:


--- /tmp/cmsmadesimple-1.0beta4/admin/themes/default/login.php       2006-08-07 02:08:14.000000000 +0200
+++ admin/themes/default/login.php      2006-08-14 14:44:42.000000000 +0200
@@ -35,7 +35,7 @@
                                <div class="lbinput">
                                        <form method="post" action="login.php">
                                                <p>
-                                                       <input name="username" <?php if(!isset($_POST['username'])) echo 'class="defaultfocus"' ?> type="text" size="15" value="<?php echo (isset($_POST['username'])?$_POST['username']:'')?>" /><br />
+                                                       <input name="username" <?php if(!isset($_POST['username'])) echo 'class="defaultfocus"' ?> type="text" size="15" value="<?php echo (isset($_POST['username'])?cms_htmlentities($_POST['username']):'')?>" /><br />
                                                <?php if(isset($error) && $error!='') {
                                                  echo '<input class="lbpassword defaultfocus" name="password" type="password" size="15" /><br />';
                                                } else {
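Review bot: Confirm that cms_htmlentities() converts double quotes in the `+` line; the escaped value sits inside value="...", so an encoder called with ENT_NOQUOTES (PHP's default ENT_COMPAT does convert `"`) would still let a `"` in the username close the attribute exactly as the original report describes. The hunk also ends at `} else {`, so the branch that renders the password field when $error is empty is not visible; whatever it echoes for name="password" needs the same escaping, and ideally no value attribute at all, as rich8715 suggested.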
It scared the cr*p out of me when I saw the $_POST array in there, all naked and filthy.

Also, one of the developers informed me that they have implemented generic URL filtering, which should also put a hold to the vulnerability. Nevertheless, it's still important to use cms_htmlentities where applicable.
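A stand-alone reproduction of the fix arwan describes, added here as an example and not taken from CMS Made Simple: the unescaped echo beside the escaped one, plus a password field that is never echoed back, as rich8715 suggested. The project's cms_htmlentities() is assumed to behave like PHP's htmlspecialchars() with ENT_QUOTES; the sample input is constructed from the `lja" />` prefix in the first post.

```php
<?php
// Added example (not CMS Made Simple code): the login-form echo discussed in
// the thread, in its unescaped and escaped forms. cms_htmlentities() is the
// project's helper; here htmlspecialchars() with ENT_QUOTES stands in for it,
// which is the behaviour the fix requires (assumption).

// Unescaped: the submitted username is dropped straight into a double-quoted
// attribute, so a value containing `"` terminates the attribute and whatever
// follows is parsed as markup (the case in the original report).
function render_username_vulnerable(array $post): string
{
    $value = isset($post['username']) ? $post['username'] : '';
    return '<input name="username" type="text" size="15" value="' . $value . '" />';
}

// Escaped: ENT_QUOTES turns `"` into &quot; and `<`/`>` into &lt;/&gt;, so the
// value can never close the attribute, whatever its length and regardless of
// the browser-side size limit being removed.
function render_username_safe(array $post): string
{
    $value = isset($post['username'])
        ? htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8')
        : '';
    return '<input name="username" type="text" size="15" value="' . $value . '" />';
}

// The password is never repeated back to the page: after a failed login the
// user retypes it, so there is nothing submitted to escape in the first place.
function render_password(): string
{
    return '<input class="lbpassword" name="password" type="password" size="15" />';
}

// Constructed sample POST body modelled on the thread's `lja" />` prefix.
$sample = ['username' => 'lja" /><span id="x">Hello</span>', 'password' => 'secret'];

echo "unescaped: ", render_username_vulnerable($sample), PHP_EOL;
echo "escaped:   ", render_username_safe($sample), PHP_EOL;
echo "password:  ", render_password(), PHP_EOL;
```

Run with `php example.php`; the unescaped line shows the injected span as a sibling element, while the escaped line keeps the whole submitted string inside the value attribute.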