Topic: XSS Vulnerability in Comment posting

kksid

XSS Vulnerability in Comment posting
« on: May 30, 2010, 05:13:00 PM »

Hi,

I am using sNews 1.7 (Updated: May 12, 2010) on WAMP.
Posting a comment with 'Website URL:' set to strings crafted like those mentioned below
allows injection of arbitrary code into the web page.

Attack 1:
Code:
http://www.xyz" onclick="alert('XSS')" style="src=''
This gets rendered as follows in the HTML emitted by sNews
Code:
<a href="http://www.xyz" onclick="alert('XSS')" style="src=''" title="http://www.xyz" onclick="alert('XSS')" style="src=''" rel="nofollow">
tallu</a>

Clicking the link in both FF2 and IE6 will pop up a message box.

Attack 2:
Code:
http://www.xyz" STYLE="background-image: url(javascript:alert('XSS'))
will result in an output of
Code:
<a href="http://www.xyz" STYLE="background-image: url(javascript:alert('XSS'))" title="http://www.xyz" STYLE="background-image: url(javascript:alert('XSS'))" rel="nofollow">
jallu</a>

This causes the vector to fire on page load in IE.

These are only the sample attacks I used for testing. As I mentioned, sNews passes on literally unchanged anything added after the end quote in the URL, and even more serious attacks can easily be crafted exploiting this loophole.

Please look into the matter.
Thanks.

nukpana

Re: XSS Vulnerability in Comment posting
« Reply #1 on: May 31, 2010, 11:56:33 AM »

Yup, got it too...

Can you test this on a test install? It is a *VERY QUICK & NOT FULLY TESTED* fix and works against the examples you have shown here on my local install prior to the April update.

Find the first line and add the second - it will be in Function Comments.
Code:
$url = (strlen($url) > 8 && strpos($url, '?') === false) ? clean(cleanXSS($url)) : null;
$url = htmlentities($url, ENT_QUOTES, s('charset'));

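As an added example (not sNews code, and not code posted by anyone in this thread), the following PHP models the comment-link rendering kksid describes, once unescaped and once with the htmlentities(..., ENT_QUOTES, ...) line nukpana proposed, and runs both over the two payloads from the report. The render_link_*() templates are an assumption modelled on the HTML quoted above (the URL lands in both href and title), 'UTF-8' stands in for s('charset'), and accept_url() is an extra check of mine that is not part of nukpana's patch:

```php
<?php
// Added example, not sNews code and not code from this thread: a minimal
// model of the comment-link rendering kksid describes, shown unescaped and
// then with the htmlentities(..., ENT_QUOTES, ...) line nukpana proposed.
// render_link_*() are assumptions modelled on the HTML quoted in the report
// (the URL lands in both href and title); 'UTF-8' stands in for s('charset').
declare(strict_types=1);

// Vulnerable: the URL is concatenated into two attributes verbatim, so a
// double quote inside it closes the attribute and the rest of the string
// becomes new attributes (onclick=, STYLE=, ...).
function render_link_vulnerable(string $url, string $name): string
{
    return '<a href="' . $url . '" title="' . $url . '" rel="nofollow">'
        . $name . '</a>';
}

// Hardened: encode at the output boundary. ENT_QUOTES converts both " and '
// to entities, so nothing in the value can terminate the attribute early.
function render_link_encoded(string $url, string $name): string
{
    $safeUrl  = htmlentities($url, ENT_QUOTES, 'UTF-8');
    $safeName = htmlentities($name, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safeUrl . '" title="' . $safeUrl . '" rel="nofollow">'
        . $safeName . '</a>';
}

// Encoding stops attribute breakout but not a link whose scheme is the
// payload: "javascript:alert(1)" passes through htmlentities() unchanged and
// is still a clickable link. This scheme/host check is an addition of mine,
// not part of nukpana's patch.
function accept_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Hostname characters only: rejects the quote and space of the payloads
    // even where parse_url() is lenient enough to hand back a host.
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return null;
    }
    return $url;
}

// Constructed inputs: the two payloads from the report, a javascript: URL
// and an ordinary URL with a query string.
$inputs = [
    'http://www.xyz" onclick="alert(\'XSS\')" style="src=\'\'',
    'http://www.xyz" STYLE="background-image: url(javascript:alert(\'XSS\'))',
    'javascript:alert(\'XSS\')',
    'http://www.example.com/page?id=1&x=y',
];

foreach ($inputs as $url) {
    echo "input:      $url\n";
    echo "vulnerable: " . render_link_vulnerable($url, 'tallu') . "\n";
    echo "encoded:    " . render_link_encoded($url, 'tallu') . "\n";
    echo "accept_url: " . var_export(accept_url($url), true) . "\n\n";
}
```

The encoded output reproduces what Fred K observed below: both attack strings come out as inert attribute values. The accept_url() line shows the limit of encoding alone, which is why the scheme still has to be checked before the value is used as an href.
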
Fred K

Re: XSS Vulnerability in Comment posting
« Reply #2 on: May 31, 2010, 12:55:42 PM »

A quick test shows that the suggested fix cleans out the url. Only tested the "attack 2" code, and the test installation is set to have comments moderated (and only tested with Safari and FF), fwiw.

mdj

Re: XSS Vulnerability in Comment posting
« Reply #3 on: June 04, 2010, 03:17:40 PM »

Hi guys,

I picked up on this a while back, I fixed mine differently however. In my opinion, there is no reason to even allow a url to be structured as such, and simply encoding it just protects the comment viewer, the admin would likely still receive the XSS attack if he attempts to edit the comment.

This is the same with the name field, who has quotes in their name? No one, so don't even allow it from the start.

Here are my fixes:

For the name, find
Code:
$name = trim($_POST['name']);
and add this BELOW it
Code:
$name = preg_replace('/[^a-zA-Z0-9_\s-]/', '', $name);
if (empty($name)) { $name = 'Anonymous'; }

That will strip any non-alphanumeric characters, while still allowing spaces, underscores and hyphens. If you want to allow non-English characters, you will need to add them to the regex or convert them to ASCII.

to sanitize the url, find
Code:
$url = trim($_POST['url']);
then ADD this BELOW it
Code:
$url = preg_replace('/[^a-zA-Z0-9_:\/\.-]/', '', $url);
That will strip any characters not allowed in a URL, including query strings, at least until they start allowing non-English character URLs.
« Last Edit: June 04, 2010, 03:44:27 PM by mdj »

Keyrocks

Re: XSS Vulnerability in Comment posting
« Reply #4 on: June 16, 2010, 09:13:34 PM »

Thanks Matt.
Your patch is now included in the Official Download as of June 16, 2010.

sibas

Re: XSS Vulnerability in Comment posting
« Reply #5 on: March 07, 2012, 10:30:24 AM »

Hello
After including this patch it is not possible to write names in other languages
e.g. πέτρος, Питер, սպառվել, return Anonymous

I change it to
Code:
//$name = preg_replace('/[^a-zA-Z0-9_\s-]/', '', $name); // Patch #15 - 1.7.0
$name = preg_replace('/[^\p{L}\p{N}]/u', '', $name);

which matches all characters that are not letters/numbers and will treat Unicode letters appropriately

Can someone confirm?

mosh

Re: XSS Vulnerability in Comment posting
« Reply #6 on: March 07, 2012, 12:24:40 PM »

Yes, and a good fix sibas,
karma+ for you.

blankspace

Re: XSS Vulnerability in Comment posting
« Reply #7 on: July 10, 2012, 04:25:27 PM »

Quote from: sibas on March 07, 2012, 10:30:24 AM
Hello
After including this patch it is not possible to write names in other languages
e.g. πέτρος, Питер, սպառվել, return Anonymous

I change it to
Code:
//$name = preg_replace('/[^a-zA-Z0-9_\s-]/', '', $name); // Patch #15 - 1.7.0
$name = preg_replace('/[^\p{L}\p{N}]/u', '', $name);

which matches all characters that are not letters/numbers and will treat Unicode letters appropriately

Can someone confirm?


Hello sibas! I tried this change and a strange effect happened. I have set comments to be approved, and I now notice that if the person making the comment writes a name like "John Doe", in Edit comment it comes up as "Johndoe"! :-/
(I think it would be same if comments were not set to approve before publishing).

How to fix this?

Ciao,
/Pax

infomix

Re: XSS Vulnerability in Comment posting
« Reply #8 on: July 11, 2012, 02:13:28 PM »

Try this: $name = preg_replace('/[^\p{L}\p{N}_\s-]/u', '', $name);

_  = underline
\s = space
-  = dash


Now the following names will be accepted:

John_Doe
John Doe
John-Doe
« Last Edit: July 11, 2012, 02:15:01 PM by infomix »

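As an added example (not sNews code, and not code posted by anyone in this thread), the PHP below puts the three name filters proposed here (mdj's ASCII whitelist, sibas's \p{L}\p{N} version, infomix's version with underscore, whitespace and hyphen) and mdj's URL filter side by side and runs them over constructed sample input. The regexes are the ones posted; the function names and the surrounding code are mine. Two practitioner caveats are worth noting in passing: preg_replace() returns null rather than a string when a /u pattern meets invalid UTF-8, and mdj's URL character class also strips ?, =, &, #, % and ~, all of which are legal in URLs, so query strings are mangled rather than merely neutralised:

```php
<?php
// Added example, not sNews code: the name filters proposed in this thread
// (mdj, sibas, infomix) and mdj's URL filter, side by side over constructed
// input. Function names are mine; the regexes are the ones posted.
declare(strict_types=1);

// Shared tail of every name filter. preg_replace() returns null when the /u
// pattern meets invalid UTF-8, so treat that like an empty result. A strict
// comparison is used instead of empty(): empty('0') is true in PHP, which
// would turn a commenter named "0" into Anonymous.
function name_or_anonymous(?string $name): string
{
    return ($name === null || $name === '') ? 'Anonymous' : $name;
}

// mdj's patch: ASCII letters and digits, underscore, whitespace, hyphen.
function filter_name_ascii(string $name): string
{
    return name_or_anonymous(preg_replace('/[^a-zA-Z0-9_\s-]/', '', $name));
}

// sibas's change: any Unicode letter or digit and nothing else, which is why
// the space in "John Doe" disappears (the effect blankspace reported).
function filter_name_unicode_strict(string $name): string
{
    return name_or_anonymous(preg_replace('/[^\p{L}\p{N}]/u', '', $name));
}

// infomix's version: Unicode letters and digits plus underscore, whitespace
// and hyphen.
function filter_name_unicode(string $name): string
{
    return name_or_anonymous(preg_replace('/[^\p{L}\p{N}_\s-]/u', '', $name));
}

// mdj's URL filter. Besides the quote and space it also drops ?, =, &, #, %
// and ~, all legal in URLs, so a query string is mangled rather than kept.
function filter_url(string $url): string
{
    return preg_replace('/[^a-zA-Z0-9_:\/\.-]/', '', $url);
}

// Constructed sample names: Latin with separators, the non-Latin names from
// sibas's post, an attempted tag injection and an apostrophe.
$names = [
    'John Doe',
    'John_Doe',
    'πέτρος',
    'Питер',
    '"><script>alert(1)</script>',
    "O'Brien",
];

foreach ($names as $name) {
    printf("%-30s ascii=%-22s strict=%-12s unicode=%s\n",
        $name,
        filter_name_ascii($name),
        filter_name_unicode_strict($name),
        filter_name_unicode($name));
}

// Constructed sample URLs: the first payload from the report and a normal
// link with a query string.
$urls = [
    'http://www.xyz" onclick="alert(\'XSS\')" style="src=\'\'',
    'http://www.example.com/page?id=1&x=y',
];
foreach ($urls as $url) {
    printf("%s\n  -> %s\n", $url, filter_url($url));
}
```

Running it shows "John Doe" surviving the ASCII and infomix filters but collapsing to "JohnDoe" under the strict one, "πέτρος" becoming "Anonymous" under the ASCII filter only, and the tag-injection name reduced to "scriptalert1script" by all three. The URL loop shows the payload reduced to harmless text, and the ordinary query-string URL reduced to "http://www.example.com/pageid1xy", which is the trade-off mdj's whitelist makes.
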
blankspace

Re: XSS Vulnerability in Comment posting
« Reply #9 on: July 12, 2012, 01:08:10 AM »

Works nice, thank you infomix!

Ciao,
/Pax