XSS issues with listcontent.php and listusertags.php

A place to discuss the testing process in beta cycles or against SVN for the CMS Made Simple CORE package.
arwan

XSS issues with listcontent.php and listusertags.php

Post by arwan »

Hi,

I recently discovered a very straightforward XSS vulnerability with /admin/listcontent.php and /admin/listusertags.php. Using a URL like /admin/listcontent.php?message=%3Cscript%3Ealert('XSS')%3C/script%3E will expose the vulnerability.
IMHO, the most appropriate fix would be to only allow alphanumeric characters (also '_' and '-') in the message key, and sanitize it in /lib/translation.functions.php like this:


--- /home/arwan/tmp/cmsmadesimple-1.0beta4/lib/translation.functions.php        2006-03-28 03:14:43.000000000 +0200
+++ lib/translation.functions.php       2006-08-13 13:45:43.000000000 +0200
@@ -51,6 +51,9 @@
                return '';
        }
 
+       # sanitize $name
+       $name = preg_replace('/[^\w\d_-]/', '', $name);
+
        //echo strtolower(get_encoding()) . ':' . strtolower($nls['encoding'][$gCms->current_language]);
 
        $result = '';
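Review bot: the character class `[^\w\d_-]` in the added `preg_replace` is redundant, since `\w` already matches digits and `_`, so `/[^\w-]/` expresses the same rule. More important for a lookup key, stripping characters instead of rejecting the value means a tampered key is silently rewritten (for example `foo<bar` becomes `foobar`) and may resolve to a different message than the caller intended; a `preg_match('/^[\w-]+$/', $name)` test that returns `''` on failure, as the function already does in the `return '';` branch visible above, keeps the whitelist without that side effect.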
arwan

Re: XSS issues with listcontent.php and listusertags.php

Post by arwan »

Forget about the fix I proposed in the previous message, as it requires the overhead of the Perl regexp engine each time you want a string translated. A better fix would probably be:


--- /tmp/cmsmadesimple-1.0beta4/admin/listusertags.php       2006-07-04 03:30:33.000000000 +0200
+++ admin/listusertags.php      2006-08-13 15:19:36.000000000 +0200
@@ -37,9 +37,7 @@
 
 include_once("header.php");
 
-if (FALSE == empty($_GET['message'])) {
-    echo $themeObject->ShowMessage(lang($_GET['message']));
-}
+echo $themeObject->ShowMessage('', 'message');
 
 echo '<div class="pagecontainer">';
 echo '<div class="pageoverflow">';
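Review bot: the opening post names /admin/listcontent.php as affected in the same way, but only admin/listusertags.php is changed here; the same replacement of the direct `lang($_GET['message'])` echo with `$themeObject->ShowMessage('', 'message')` is needed in listcontent.php (and in any other admin page that repeats this pattern), otherwise the reflected-parameter path reported in the first post stays open there. A short comment at the call site saying that query-string messages must go through ShowMessage() would also help keep the pattern from being reintroduced.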

--- /tmp/cmsmadesimple-1.0beta4/lib/classes/class.admintheme.inc.php 2006-08-07 02:30:04.000000000 +0200
+++ lib/classes/class.admintheme.inc.php        2006-08-13 15:30:41.000000000 +0200
@@ -1652,9 +1652,10 @@
       $output = '<div class="pagemcontainer"';
       if (FALSE == empty($get_var))
        {
-         if (FALSE == empty($_GET[$get_var]))
+         $sanitized_var = preg_replace('/[^\w\d_-]/', '', $_GET[$get_var]);
+         if (FALSE == empty($sanitized_var))
            {
-             $message = lang($_GET[$get_var]);
+             $message = lang($sanitized_var);
            }
          else
            {
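Review bot: the new `preg_replace` line reads `$_GET[$get_var]` unconditionally, whereas the removed `empty($_GET[$get_var])` test also covered the case where the parameter is absent from the query string; with no `message` parameter this now raises an undefined-index notice before `$sanitized_var` is checked. Guarding it with `isset($_GET[$get_var]) ? $_GET[$get_var] : ''` restores the old behaviour, and the `\d_` inside the character class can be dropped since `\w` already matches both.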

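As an added illustration that is not part of the thread or of the CMS Made Simple code base, the following PHP puts the vulnerable pattern from the first post next to a hardened version of the whitelist idea arwan proposes. The translation table, the function names (lang_lookup, message_key_is_valid, render_message_vulnerable, render_message_safe) and the behaviour that an unknown key is echoed back unchanged are all assumptions made for the example; they model the reflection reported in this thread, not the real lang() implementation.

```php
<?php
// Added example, not code from CMS Made Simple or from arwan's patches.
// It models the admin "message" handling discussed in this thread with a
// constructed translation table. The assumption that a missing key is echoed
// back unchanged stands in for whatever the real lang() does on a miss.

$lang_table = array(
    'contentupdated' => 'Content updated.',
    'usertagadded'   => 'User defined tag added.',
);

// Stand-in for the translation lookup. Assumption: an unknown key is returned
// as-is, which is what lets the query-string value reach the page unescaped.
function lang_lookup(array $table, $name)
{
    return isset($table[$name]) ? $table[$name] : $name;
}

// 'Before' side: the raw query parameter goes straight through the lookup
// and into the HTML, so ?message=<script>... is reflected verbatim.
function render_message_vulnerable(array $table, array $get)
{
    if (FALSE == empty($get['message'])) {
        return '<div class="pagemcontainer">' . lang_lookup($table, $get['message']) . '</div>';
    }
    return '';
}

// Whitelist check: only a-z, A-Z, 0-9, '_' and '-' (\w already covers digits
// and underscore). The anchored pattern rejects the whole value instead of
// stripping characters, so a mangled key cannot silently turn into another
// valid key; \z (rather than $) refuses a trailing newline as well.
function message_key_is_valid($name)
{
    return is_string($name) && preg_match('/^[\w-]+\z/', $name) === 1;
}

// Hardened version: validate the key, look it up, and escape on output anyway
// so that an untrusted translation string could not inject markup either.
function render_message_safe(array $table, array $get)
{
    if (empty($get['message']) || !message_key_is_valid($get['message'])) {
        return '';
    }
    if (!isset($table[$get['message']])) {
        return ''; // unknown key: show nothing rather than echoing the key back
    }
    $text = htmlspecialchars($table[$get['message']], ENT_QUOTES, 'UTF-8');
    return '<div class="pagemcontainer">' . $text . '</div>';
}

// Constructed inputs: the payload from the opening post and a legitimate key.
$payload = array('message' => "<script>alert('XSS')</script>");
$legit   = array('message' => 'contentupdated');

echo render_message_vulnerable($lang_table, $payload), "\n"; // script tag reaches the browser
echo render_message_safe($lang_table, $payload), "\n";       // empty string: key rejected
echo render_message_safe($lang_table, $legit), "\n";         // <div class="pagemcontainer">Content updated.</div>
```

Run with `php example.php`; the first line shows the reflected script tag, the second is empty, the third is the escaped legitimate message. The design choice worth noting is that the safe version rejects a bad key outright and escapes on output, whereas the patches in this thread strip characters and then trust the translated string, so a future translation containing markup would still reach the browser unescaped.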