CMS Made Simple Forums

Content management as it is meant to be
https://forum.cmsmadesimple.org/

admin login page possible XSS vulnerability

https://forum.cmsmadesimple.org/viewtopic.php?t=6212

Page 1 of 1

admin login page possible XSS vulnerability

Posted: Mon Aug 14, 2006 11:17 am
by rich8715
See http://www.informit.com/articles/articl ... 03037&rl=1 for further info.

The admin login page appears to potentially be vulnerable to a similar exploit as detailed in the above url.

For example, if one enters the following:

lja" />Hello tag (with id of x) into the page.

This exploit is very similar to the one in the above url, and before someone says the size=15 limit will fix the problem, note that the input field that was exploited in the above url was a 25 character limit.  Note, also, that there are javascriptlets that will remove size limits on input fields in the browser, allowing an unlimited amount of text to be injected, potentally leading to the exploit from the url ablve.

The fix, the same as in the url above, the contents of the username and password fields should be filtered to remove bad characters (or better yet, filtered to only allow known good characters) before being repeated back to the page.  Not only that, but the password field should not be repeated back to the page, the user should have to retype the password again if they got something wrong with the userid/password combo.

Re: admin login page possible XSS vulnerability

Posted: Mon Aug 14, 2006 6:11 pm
by arwan
IMHO, filtering the username won't really fix this problem. The reason this vulnerability exists, is that the user input isn't properly escaped/encoded before returning it to the user... So that's why I propose the following easy fix:

Code: Select all

--- /tmp/cmsmadesimple-1.0beta4/admin/themes/default/login.php       2006-08-07 02:08:14.000000000 +0200
+++ admin/themes/default/login.php      2006-08-14 14:44:42.000000000 +0200
@@ -35,7 +35,7 @@
                                <div class="lbinput">
                                        <form method="post" action="login.php">
                                                <p>
-                                                       <input name="username" <?php if(!isset($_POST['username'])) echo 'class="defaultfocus"' ?> type="text" size="15" value="<?php echo (isset($_POST['username'])?$_POST['username']:'')?>" /><br />
+                                                       <input name="username" <?php if(!isset($_POST['username'])) echo 'class="defaultfocus"' ?> type="text" size="15" value="<?php echo (isset($_POST['username'])?cms_htmlentities($_POST['username']):'')?>" /><br />
                                                <?php if(isset($error) && $error!='') {
                                                  echo '<input class="lbpassword defaultfocus" name="password" type="password" size="15" /><br />';
                                                } else {
It scared the cr*p out of me when I saw the $_POST array in there, all naked and filthy.

Also, one the developers informed me that they have implemented generic URL filtering, which should also put a hold to the vulnerability. Nevertheless, it's still important to use cms_htmlentities where applicable.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited