Yii framework's CmsInput extension versions 1.2 and prior suffer from an improper cross site scripting sanitation implementation.
ca8da68b1474bc4281b1f32954bc5774467cd5f06b1ea17ad128a0eaed3567b7
[+] Yii framework CmsInput extension [1] improper XSS sanitation
[+] Discovered by: Jos Wetzels
[+] Affects: Yii framework CmsInput extension <= version 1.2
Yii framework's CmsInput extension versions 1.2 and prior suffer from
an improper XSS sanitation implementation, which has now been resolved
in cooperation with the author [2], introducing XSS vulnerabilities in
web applications developed by third-party framework users [3].
CmsInput is an extension of the Yii framework designed to wrap
HtmlPurifier and the Codeigniter Security class in a single component
for user-input sanitation. The problem resides in CmsInput's default
cleaning method stripClean in CmsInput.php:
public function stripClean($str)
{
return $this->xssClean($this->stripTags($str));
}
What happens is that stripTags is called on the user-supplied input
before xssClean is called. stripTags is designed to eliminate all HTML
and PHP tags from the user-supplied input by wrapping PHP's strip_tags
[4] function. xssClean is a wrapper for Codeigniter's xss_clean [5]
function, which aims to strip user-supplied input of all suspicious
XSS-related input. Within xssClean, the user-supplied input is
URL-decoded before further processing:
$str = rawurldecode($str);
The problem arises when stripClean is used to sanitize a URL-encoded
user-supplied string, which is then later used under the assumption it
was stripped of all possible XSS vectors. Since stripTags simply
eliminates all raw HTML
and PHP tags and a URL-encoded string contains none, the string gets
passed to xssClean in unchanged form, where it will be URL-decoded
into a string containing HTML tags, thus allowing injection of (a
limited subset of) HTML elements in uninteded locations.
Proof of Concept:
stripClean("%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.com%2Fcsrf.php%22%3E")
= '<img src = "https://test.com/csrf.php">'
[*] Mitigation:
Upgrade to CmsInput version 1.3 [2]
[*] References:
1. https://www.yiiframework.com/extension/input/
2. https://www.yiiframework.com/extension/input/#hh7
3. Eg.: https://www.humhub.org/
4. https://php.net/manual/en/function.strip-tags.php
5. https://ellislab.com/codeigniter/user-guide/libraries/security.html