sNews Forum

Previous sNews versions => sNews 1.4 Final => sNews help/problems solving => Topic started by: centered on June 05, 2007, 06:23:24 pm

Title: Updating Clean Xss for 1.4?
Post by: centered on June 05, 2007, 06:23:24 pm
Per this thread:
I believe I read somewhere that 1.4 was vulnerable to XSS cross-site attacks due to the search field not being sanitized.
I have some clients who are on the 1.4 version of sNews (text-db version). Now, seeing that 1.4 has a security flaw with XSS, could I update the XSS function with 1.6's? I have done so on a test install and changed any string that had a clean() in it to mimic 1.6's clean strings, like so, found in 1.4's startup:

if (md5(clean(cleanXSS($_POST['Username']))) == s('username')

Would this be the correct way to go with this? So far everything runs normally with the cleanXSS calls in place.

Also for the main function calls, should I do the same?
For instance:
function cleanSEF($string) {

If I change it to:
function cleanSEF(cleanXSS($string)) {
I get errors

Now, since I have it implemented on a test version, how can I test this out to make sure it is working correctly?

And ultimately, what does this function do?

EDIT: So far I did a search testing XSS and it seems to be working well, I guess. Nothing is passing through, but I will wait to hear from you guys about this before I do anything.
Title: Updating Clean Xss for 1.4?
Post by: Joost on June 05, 2007, 07:22:30 pm
I am no expert on this, but wherever you see 'function' written, there is a function declaration. It is not doing anything yet; it is only saying what it will do when it is called. So there is no need to put it there.
Using cleanXSS where clean is used might be a good thing to do. However, where a string is being encrypted (md5), there is no need for that. The string will be harmless after being encrypted.
So (md5(clean(cleanXSS($_POST['Username']))) is not needed (in // STARTUP).
md5($_POST['Username']) will do.
I repeat, I am no expert (a copy/paste expert maybe ;) ), so read codetwist's explanation.

PS: What cleanXSS does is look for funny code in a string and sanitize it. It compares the string with a long list of forbidden words.
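The two approaches discussed above, filtering input against a word list versus encoding at the point of output, can be compared directly. The following is an added example, not code from sNews or from either poster: `toy_blacklist_filter()` is a hypothetical single-pass word-list filter written for this example (it is not sNews's real cleanXSS and its word list is an assumption), `html_text()` and `html_attr()` are this example's own wrappers around PHP's `htmlspecialchars()`, `breaks_out()` is a check invented here, and the payloads are constructed sample input. It also doubles as a way to test a search field the way the first post asks about: feed each payload through the filter and look at what comes out.

```php
<?php
// Added example, not sNews code. Contrasts a hypothetical keyword-blacklist
// filter (a stand-in for the "list of forbidden words" approach, NOT the
// real cleanXSS) with context-aware output encoding, and runs constructed
// payloads through both.  Run with: php xss_filter_check.php

// Hypothetical single-pass blacklist filter. The word list and the removal
// strategy are this example's own assumptions.
function toy_blacklist_filter($s) {
    $forbidden = array('<script', '</script', 'javascript:', 'onerror', 'onload');
    foreach ($forbidden as $word) {
        $s = str_ireplace($word, '', $s);   // one pass, case-insensitive
    }
    return $s;
}

// Encode for output between HTML tags (a comment body, a search results page).
function html_text($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Encode for output inside a double-quoted attribute, e.g. value="...".
// ENT_QUOTES encodes both " and ', so the same call is safe in either context.
function html_attr($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Check used only by this example: a value is treated as unsafe when it
// still contains a character that can break out of a text node or a quoted
// attribute. After htmlspecialchars() none of these survive.
function breaks_out($s) {
    return preg_match('/[<>"\']/', $s) === 1;
}

// Constructed payloads (sample input for this example, not real traffic).
$payloads = array(
    'harmless search term'        => 'sNews 1.4 text-db',
    'tag not on the list'         => '<svg onmouseover=alert(1)>',
    'nested word defeats one pass'=> '<img src=x oneonerrorrror=alert(1)>',
    'quote escapes an attribute'  => '" autofocus onfocus=alert(1) x="',
);

// Render the same value the two ways the thread discusses: filtered on
// input versus encoded at the output site.
foreach ($payloads as $label => $raw) {
    $filtered = toy_blacklist_filter($raw);
    $encoded  = html_text($raw);

    printf("%-30s raw:      %s\n", $label, $raw);
    printf("%-30s filtered: %s  [%s]\n", '', $filtered,
           breaks_out($filtered) ? 'UNSAFE' : 'safe');
    printf("%-30s encoded:  %s  [%s]\n\n", '', $encoded,
           breaks_out($encoded) ? 'UNSAFE' : 'safe');
}

// How the search form and the echoed query look with encoding applied at
// the output site rather than filtering on the way in.
$search_query = $payloads['quote escapes an attribute'];
echo '<input type="text" name="search_query" value="' . html_attr($search_query) . '" />' . "\n";
echo '<p>You searched for: ' . html_text($search_query) . '</p>' . "\n";
```

Running it shows the word-list filter passing the `<svg onmouseover=...>` payload untouched (the word is not on its list) and turning `oneonerrorrror` back into `onerror` after a single removal pass, while `htmlspecialchars()` leaves no `<`, `>`, `"` or `'` in either output context. That is the check worth repeating against whatever filter is actually installed: put the filtered string in the page source and look for characters that can still close the surrounding tag or attribute.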
Title: Updating Clean Xss for 1.4?
Post by: centered on June 05, 2007, 10:52:29 pm
Thanks, I removed it from the Startup line.

Now codetwist says only use it when needed. I have it in the following functions:

Check if unique
Code: [Select]
$sql = "SELECT id FROM ".s('prefix')."articles WHERE seftitle = '".clean(cleanXSS($text))."' AND id != '".$not_id."'";

Get id (which the mod there says to use only if needed)
Code: [Select]
$url = explode("/", clean(cleanXSS($_GET['category'])));

Comments
Code: [Select]
if (substr(cleanXSS($r['comment']), 0, 6) === '#code#') {
    // note: ltrim()'s second argument is a list of characters to strip, not a string
    echo "<div class='admincomments'><p>" .ltrim(cleanXSS($r['comment']), '#code#'). "</p>";
} else {
    echo "<div class='comments $style'><p>" .cleanXSS($r['comment']). "</p>";
}
Code: [Select]
if (strlen(clean(cleanXSS($_POST['name']))) > 1 AND strlen(clean(cleanXSS($_POST['message']))) > 1 AND audit()) {

Search Engine
Code: [Select]
$search_query = clean(cleanXSS($_POST['search_query']));

View Categories
Code: [Select]
<p><input type="text" name="seftitle" value="<? if ($_POST['name'] == '') { echo cleanSEF(cleanXSS($_POST['name'])); } else { echo cleanSEF(cleanXSS($_POST['seftitle'])); }; ?>" id="article_sef" class="field" /></p>

New Article (is it needed here?)
Code: [Select]
<p><input name="seftitle" id="article_sef" type="text" class="field" value="<? echo cleanSEF(cleanXSS($_SESSION['temp']['seftitle'])); ?>" />

Edit Article (same as above?)
Code: [Select]
<p><input type="text" name="seftitle" id="article_sef" class="field" value="<?php echo $_SESSION['temp']['seftitle'] ? cleanSEF(cleanXSS($_SESSION['temp']['seftitle'])) : $r['seftitle']; ?>" /></p>

Processing (same as above?)
Code: [Select]
else if (cleancheckSEF(cleanXSS($seftitle)) == "notok")

The article and processing functions are the only ones I see that would be questionable, or let me rephrase that, that I think might be questionable.