Author Topic: Updating Clean Xss for 1.4?  (Read 3885 times)

centered

  • Guest
Updating Clean Xss for 1.4?
« on: June 05, 2007, 06:23:24 PM »

Per this thread: http://www.solucija.com/forum/viewtopic.php?id=4221
Quote: "I believe I read somewhere that 1.4 was vulnerable to XSS cross-site attacks due to the search field not being sanitized."
I have some clients who are on the 1.4 version of sNews (text-db version). Now, seeing that 1.4 has a security flaw with XSS, could I update the XSS function with 1.6's? I have done so on a test install and changed any strings that had a clean in them to mimic 1.6's clean strings, like so (found in 1.4's startup):

if (md5(clean(cleanXSS($_POST['Username']))) == s('username')

Would this be the correct way to go about this? So far everything runs normally with the cleanXSS calls in place.

Also, for the main function calls, should I do the same? For instance:

function cleanSEF($string) {

If I change it to:

function cleanSEF(cleanXSS($string)) {

I get errors.

Now, since I have it implemented on a test version, how can I test this out to make sure it is working correctly?

And ultimately, what does this function do?

EDIT: So far I did a search testing XSS and it seems to be working well, I guess. Nothing is passing through, but I will wait to hear from you guys about this before I do anything.

Joost

  • Guest
Updating Clean Xss for 1.4?
« Reply #1 on: June 05, 2007, 07:22:30 PM »

I am no expert on this, but wherever you see 'function' written, there is a function declaration. It is not doing anything yet; it is only telling what it will do when it is called for. So no need to put it there.
Using cleanXSS where clean is used might be a good thing to do. However, where a string is being encrypted (md5), there is no need for that. The string will be harmless after being encrypted.
So md5(clean(cleanXSS($_POST['Username']))) is not needed (in // STARTUP).
md5($_POST['Username']) will do.
I repeat, I am no expert (a copy/paste expert maybe ;) ), so read codetwist's explanation.

PS: What cleanXSS does is look for funny code in a string and sanitize it. It compares the string with a long list of forbidden words.

centered

  • Guest
Updating Clean Xss for 1.4?
« Reply #2 on: June 05, 2007, 10:52:29 PM »

Thanks, I removed it from the Startup line.

Now codetwist says to only use it when needed. I have it in the following functions:

Check if unique:

$sql = "SELECT id FROM ".s('prefix')."articles WHERE seftitle = '".clean(cleanXSS($text))."' AND id != '".$not_id."'";

Get id (which the mod there says to use only if needed):

$url = explode("/", clean(cleanXSS($_GET['category'])));

Comments:

if (substr(cleanXSS($r['comment']), 0, 6) === '#code#') {
    echo "<div class='admincomments'><p>" .ltrim(cleanXSS($r['comment']), '#code#'). "</p>";
}
else {
    echo "<div class='comments $style'><p>" .cleanXSS($r['comment']). "</p>";
}

Contact:

if (strlen(clean(cleanXSS($_POST['name']))) > 1 AND strlen(clean(cleanXSS($_POST['message']))) > 1 AND audit()) {

Search Engine:

$search_query = clean(cleanXSS($_POST['search_query']));

View Categories:

<p><input type="text" name="seftitle" value="<? if ($_POST['name'] == '') { echo cleanSEF(cleanXSS($_POST['name'])); } else { echo cleanSEF(cleanXSS($_POST['seftitle'])); }; ?>" id="article_sef" class="field" /></p>

New Article (is it needed here?):

<p><input name="seftitle" id="article_sef" type="text" class="field" value="<? echo cleanSEF(cleanXSS($_SESSION['temp']['seftitle'])); ?>" /></p>

Edit Article (same as above?):

<p><input type="text" name="seftitle" id="article_sef" class="field" value="<?php echo $_SESSION['temp']['seftitle'] ? cleanSEF(cleanXSS($_SESSION['temp']['seftitle'])) : $r['seftitle']; ?>" /></p>

Processing (same as above?):

else if (cleancheckSEF(cleanXSS($seftitle)) == "notok")

The article and processing functions are the only ones I see that would be questionable, or let me rephrase that: I think they might be questionable.
« Last Edit: February 27, 2009, 04:44:24 AM by Joost »
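Added example, not sNews code and not written by either poster: the defender-side pattern behind the comment and seftitle snippets in Reply #2 (encode at the point of output for the HTML context the value lands in), plus the kind of self-check the first post asks for instead of eyeballing a search page. It assumes the `#code#` prefix convention shown above; `h()`, `render_comment()`, `render_search_field()`, `self_test()` and the sample inputs are constructed here.

```php
<?php
// Added example, not sNews code. User text is encoded at the output point for
// the HTML context it lands in (element text or a quoted attribute value),
// which holds regardless of what an input-side blocklist like cleanXSS() catches.

function h(string $s): string {
    // ENT_QUOTES also encodes ' so the value is safe inside single-quoted
    // attributes such as class='comments $style' in the posted snippet.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Mirrors the comment branch quoted in Reply #2. Note: ltrim($s, '#code#')
// there treats its second argument as a list of characters to strip, so it
// would also eat a leading "c", "o", "d" or "e" from the comment text;
// substr($s, 6) removes exactly the six-character prefix.
function render_comment(string $comment, string $style = 'odd'): string {
    if (substr($comment, 0, 6) === '#code#') {
        return "<div class='admincomments'><p>" . h(substr($comment, 6)) . "</p></div>";
    }
    return "<div class='comments " . h($style) . "'><p>" . h($comment) . "</p></div>";
}

// Attribute context, as in the seftitle/search fields: value="..." is quoted
// and the value encoded, so a quote in the input cannot end the attribute.
function render_search_field(string $query): string {
    return '<input type="text" name="search_query" value="' . h($query) . '" />';
}

// Check a tester can run: render constructed inputs, drop the fixed markup this
// file emits, and confirm no user-supplied <, >, " or ' survives in the rest.
function self_test(): bool {
    $samples = [                      // constructed inputs, not real submissions
        '<script>alert(1)</script>',
        '"quoted" & <b>bold</b>',
        "#code#<i>admin note</i>",
        "it's plain text",
    ];
    foreach ($samples as $s) {
        foreach ([render_comment($s), render_search_field($s)] as $html) {
            $userPart = preg_replace('#</?(div|p|input)\b[^>]*>#', '', $html);
            if (preg_match('/[<>"\']/', $userPart)) {
                return false;
            }
        }
    }
    return true;
}

echo self_test() ? "output encoding OK\n" : "FAILED: raw markup reached the page\n";
```

Run it with `php` from the command line; the same self_test() idea can be pointed at a page's real rendering function to confirm the search field echoes encoded text.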