harteg Site Admin
Joined: 12 May 2003 Posts: 2914 Location: Rutsker, Bornholm, Denmark
Posted: Thu Jul 21, 2005 10:58 am Post subject: CMSimple XSS vulnerable
Fix:
Code:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;
should be replaced with:
Code:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));
Will be fixed in next beta.
Last edited by harteg on Tue Jul 26, 2005 12:07 pm; edited 1 time in total
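The one-liner fix above is easier to judge side by side. The following is an added example written for this page, not CMSimple's own code: a stand-alone stand-in for the printlink() fragment, building the print link once with the raw search term and once with the escaped term. It assumes amp() returns the '&amp;' separator (the real helper is not shown in the thread); the ENT_QUOTES and charset arguments to htmlspecialchars() are this example's choice, the thread's fix calls it with defaults.

```php
<?php
// Added example, not CMSimple's code. amp() is assumed to return the
// '&amp;' query-string separator; the real helper is not on the page.
function amp() {
    return '&amp;';
}

// Before the fix: $search is concatenated into the href unchanged, so a
// double quote in it closes the attribute and the rest becomes markup.
function printlink_vulnerable($f, $search) {
    $t = amp() . 'print';
    if ($f == 'search') {
        $t .= amp() . 'function=search' . amp() . 'search=' . $search;
    }
    return '<a href="?' . $t . '">print</a>';
}

// After the fix: htmlspecialchars() turns " < > & into entities, so the
// term stays inside the attribute value. stripslashes() matches the
// thread's fix and undoes magic_quotes escaping on old PHP; on PHP 5.4+
// magic quotes no longer exist and it only removes user-typed backslashes.
// ENT_QUOTES/'UTF-8' are this example's choice, not the thread's fix.
function printlink_fixed($f, $search) {
    $t = amp() . 'print';
    if ($f == 'search') {
        $t .= amp() . 'function=search' . amp() . 'search='
            . htmlspecialchars(stripslashes($search), ENT_QUOTES, 'UTF-8');
    }
    return '<a href="?' . $t . '">print</a>';
}

// Check used below: does the rendered link contain a literal <script tag?
function injects_tag($html) {
    return preg_match('/<script\b/i', $html) === 1;
}

// Constructed payload: closes the href attribute and injects a script element.
$payload = '"><script>alert(1)</script>';

echo "vulnerable: ", printlink_vulnerable('search', $payload), "\n";
echo "fixed:      ", printlink_fixed('search', $payload), "\n";
var_dump(injects_tag(printlink_vulnerable('search', $payload)));
var_dump(injects_tag(printlink_fixed('search', $payload)));
```

With the raw term, the leading double quote ends the href value and the script element lands in the page as markup; with the escaped term, the quote becomes `&quot;` and the angle brackets `&lt;` and `&gt;`, so the whole payload stays inside the attribute and injects_tag() no longer finds a tag. One caveat worth knowing: the value is a query-string parameter inside an HTML attribute, so the complete treatment is rawurlencode() for the URL part followed by htmlspecialchars() for the attribute; the thread's fix addresses the HTML break-out, which is what makes this an XSS.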
djot
Joined: 31 Dec 2003 Posts: 2436 Location: planet earth
Posted: Thu Jul 21, 2005 11:13 am Post subject:
-
Edit:
The same may occur with all other used variables. So make sure you check them all (function sanitize() would be a good idea for this).
Also, I suggest removing the link showing the XSS.
djot
PS: Why do you (mis-)use cmsimple.de for this?
-
Last edited by djot on Thu Jul 21, 2005 12:06 pm; edited 6 times in total
djot
Joined: 31 Dec 2003 Posts: 2436 Location: planet earth
Posted: Thu Jul 21, 2005 11:18 am Post subject:
-
By the way ... searching for nothing ("", just clicking the search button) finds results on many pages.
djot
-
Jens
Joined: 17 Oct 2004 Posts: 2271
Posted: Thu Jul 21, 2005 12:22 pm Post subject:
But this seems to be only temporary? Nothing is actually changed at the website...?
djot
Joined: 31 Dec 2003 Posts: 2436 Location: planet earth
Posted: Thu Jul 21, 2005 12:27 pm Post subject:
-
I was asking myself the same, but did remove that from above.
You can't access anything with this, since the input is shown in an echo function (not in exec() or something alike).
So no access to PHP, nor files, nor cookies nor other variables. And adding JS XSS is totally useless, since everything you can access is client-side (the hacker's browser).
All this example shows is that the search input (and I guess many more variables) are not checked for correct user input.
djot
-
harteg Site Admin
Joined: 12 May 2003 Posts: 2914 Location: Rutsker, Bornholm, Denmark
djot
Joined: 31 Dec 2003 Posts: 2436 Location: planet earth
Posted: Tue Jul 26, 2005 2:38 pm Post subject:
-
Harteg wrote: (Removed the code and the link to cmsimple.de from my first posting).
Thx. We don't want to wake up sleeping dogs, do we? Also Jens would feel better with this :)
djot
-
mulder
Joined: 19 Jul 2005 Posts: 625 Location: Behind your ...
Posted: Thu Jul 28, 2005 12:10 pm Post subject:
djot wrote: By the way ... searching for nothing ("", just clicking the search button) finds results on many pages.
Try something like:
Code:
if ($f == 'search') {
    $title = $tx['title']['search'];
    $ta = array();
    for ($i = 0; $i < $hl; $i++) {
        // skip the empty term: an empty pattern would match every page
        if ($search != '' && @preg_match('/' . preg_quote($search, '/') . '/i', $c[$hc[$i]]))
            $ta[] = $hc[$i];
    }
    $o .= '<h1>' . $tx['search']['result'] . '</h1><p>"' . htmlspecialchars(stripslashes($search)) . '" ';
    if (count($ta) == 0)
        $o .= $tx['search']['notfound'] . '.';
    else {
        $o .= $tx['search']['foundin'] . ' ' . count($ta) . ' ';
        if (count($ta) > 1)
            $o .= $tx['search']['pgplural'];
        else
            $o .= $tx['search']['pgsingular'];
        $o .= ':';
    }
    $o .= '</p>' . li($ta, 'search');
}
just added
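To see why an empty term "finds results on many pages" and what the `$search != ''` guard in the line above changes, here is an added example written for this page, not CMSimple's own code: the page-matching loop reduced to a function over a constructed page array. $c (page contents) and $hc (indices of the pages to search) mirror the variable names in the quoted code; the sample content is made up for this example.

```php
<?php
// Added example, not CMSimple's code. $c and $hc mirror the names used
// in the quoted search loop; the guard flag exists only to show both
// behaviours from one function.
function search_pages($search, array $c, array $hc, $guard_empty) {
    $ta = array();
    $hl = count($hc);
    for ($i = 0; $i < $hl; $i++) {
        // Without the guard the pattern built from '' is '//i', which
        // matches every string, so every page is reported as a hit.
        if ($guard_empty && $search == '') {
            continue;
        }
        // preg_quote() keeps regex metacharacters in the term literal, so
        // the pattern is always valid and the @ in the original is not needed.
        if (preg_match('/' . preg_quote($search, '/') . '/i', $c[$hc[$i]])) {
            $ta[] = $hc[$i];
        }
    }
    return $ta;
}

// Constructed sample: three pages, only one of which mentions "beta".
$c  = array('Welcome to the site', 'Download the new beta', 'Contact us');
$hc = array(0, 1, 2);

var_dump(search_pages('', $c, $hc, false));     // empty term, no guard
var_dump(search_pages('', $c, $hc, true));      // empty term, guarded
var_dump(search_pages('BETA', $c, $hc, true));  // case-insensitive term
var_dump(search_pages('a.*', $c, $hc, true));   // metacharacters stay literal
```

The unguarded call returns every index in $hc, the guarded call returns none, the "BETA" call finds only the second page, and "a.*" is searched as the literal three characters rather than as a pattern. Checking the term once before the loop rather than on every iteration is the cleaner form; the in-loop check here keeps the shape of mulder's line.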
djot
Joined: 31 Dec 2003 Posts: 2436 Location: planet earth
Posted: Thu Jul 28, 2005 12:15 pm Post subject:
Well, this was a hint for Peter, to fix that in the official distribution...
harteg Site Admin
Joined: 12 May 2003 Posts: 2914 Location: Rutsker, Bornholm, Denmark
walter_ps2
Joined: 29 Aug 2005 Posts: 1
Posted: Mon Aug 29, 2005 6:25 pm Post subject:
I see that the fix is only for the 2.4 version!
But I also have a 2.3... do you have a solution for that old version? Or is it better to upgrade to 2.4 and fix it?
harteg Site Admin
Joined: 12 May 2003 Posts: 2914 Location: Rutsker, Bornholm, Denmark
Posted: Tue Aug 30, 2005 7:09 am Post subject:
I didn't fix it in 2.4 as far as I remember, but in the beta 2.5 - it is only the one-liner function printlink() that needs to be updated (see first post).