Yii Framework CmsInput Improper XSS Filter

2014.12.04
Credit: Jos Wetzels
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

[+] Yii framework CmsInput extension [1] improper XSS sanitation
[+] Discovered by: Jos Wetzels
[+] Affects: Yii framework CmsInput extension <= version 1.2

Yii framework's CmsInput extension versions 1.2 and prior suffer from an improper XSS sanitation implementation that introduces XSS vulnerabilities in web applications developed by third-party framework users [3]. The issue has been resolved in cooperation with the author [2].

CmsInput is an extension of the Yii framework designed to wrap HtmlPurifier and the Codeigniter Security class in a single component for user-input sanitation. The problem resides in CmsInput's default cleaning method stripClean in CmsInput.php:

    public function stripClean($str)
    {
        return $this->xssClean($this->stripTags($str));
    }

What happens is that stripTags is called on the user-supplied input before xssClean is called. stripTags is designed to eliminate all HTML and PHP tags from the user-supplied input by wrapping PHP's strip_tags [4] function. xssClean is a wrapper for Codeigniter's xss_clean [5] function, which aims to strip user-supplied input of all suspicious XSS-related input. Within xssClean, the user-supplied input is URL-decoded before further processing:

    $str = rawurldecode($str);

The problem arises when stripClean is used to sanitize a URL-encoded user-supplied string, which is then later used under the assumption it was stripped of all possible XSS vectors. Since stripTags simply eliminates all raw HTML and PHP tags and a URL-encoded string contains none, the string gets passed to xssClean in unchanged form, where it will be URL-decoded into a string containing HTML tags, thus allowing injection of (a limited subset of) HTML elements in unintended locations.

Proof of Concept:

    stripClean("%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.com%2Fcsrf.php%22%3E")
    = '<img src = "http://test.com/csrf.php">'

[*] Mitigation: Upgrade to CmsInput version 1.3 [2]

[*] References:
1. http://www.yiiframework.com/extension/input/
2. http://www.yiiframework.com/extension/input/#hh7
3. E.g.: https://www.humhub.org/
4. http://php.net/manual/en/function.strip-tags.php
5. https://ellislab.com/codeigniter/user-guide/libraries/security.html
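The following is an added example, not CmsInput's own code and not the fix shipped in version 1.3. It reproduces the ordering defect described above beside a hardened ordering that canonicalises (URL-decodes) the input before tags are stripped. The xssClean function here is a simplified stand-in for the Codeigniter-backed wrapper: it keeps only the rawurldecode step the advisory depends on plus two illustrative pattern removals, and is an assumption rather than the real xss_clean.

```php
<?php
// Added example (not CmsInput code). Demonstrates why strip_tags before
// URL-decoding misses encoded tags, and one ordering that does not.

function stripTags(string $str): string
{
    // Same as CmsInput::stripTags: plain wrapper around PHP's strip_tags.
    return strip_tags($str);
}

function xssClean(string $str): string
{
    // Stand-in for the Codeigniter xss_clean wrapper. The real function
    // URL-decodes first (the step that matters here) and then applies a
    // long list of filters; only two illustrative ones are modelled.
    $str = rawurldecode($str);
    $str = preg_replace('/javascript\s*:/i', '[removed]', $str);
    $str = preg_replace('/\son\w+\s*=/i', ' [removed]=', $str);
    return $str;
}

// Vulnerable ordering (CmsInput <= 1.2): strip_tags runs on the still-encoded
// string and removes nothing; the decode inside xssClean then rebuilds the tag.
function stripCleanVulnerable(string $str): string
{
    return xssClean(stripTags($str));
}

// Hardened ordering: decode until the string stops changing (bounded, so
// pathological input cannot loop forever), so strip_tags sees the same bytes
// a browser eventually would, including double-encoded input such as %253C.
function stripCleanHardened(string $str, int $maxRounds = 5): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($str);
        if ($decoded === $str) {
            break;
        }
        $str = $decoded;
    }
    return xssClean(stripTags($str));
}

// Constructed sample: the advisory's proof-of-concept input.
$payload = '%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.com%2Fcsrf.php%22%3E';

var_dump(stripCleanVulnerable($payload)); // string(33) "<img src = "http://test.com/csrf.php">"
var_dump(stripCleanHardened($payload));   // string(0) ""
```

The decode-until-stable loop is the part worth keeping: a single rawurldecode before strip_tags closes the case in the proof of concept, but a downstream component that decodes again would still reconstruct a double-encoded tag. Canonicalising to a fixed point before the structural filter removes that dependency on how many times the value is decoded later, which is the general lesson behind this advisory. When verifying a deployment, feeding the proof-of-concept string through the application's sanitation path and checking that no tag survives is a direct regression test for this ordering bug.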

