what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Yii Framwork CmsInput Improper XSS Filter

Yii Framwork CmsInput Improper XSS Filter
Posted Dec 3, 2014
Authored by Jos Wetzels

Yii framework's CmsInput extension versions 1.2 and prior suffer from an improper cross site scripting sanitation implementation.

tags | exploit, xss
SHA-256 | ca8da68b1474bc4281b1f32954bc5774467cd5f06b1ea17ad128a0eaed3567b7

Yii Framwork CmsInput Improper XSS Filter

Change Mirror Download
[+] Yii framework CmsInput extension [1] improper XSS sanitation
[+] Discovered by: Jos Wetzels
[+] Affects: Yii framework CmsInput extension <= version 1.2

Yii framework's CmsInput extension versions 1.2 and prior suffer from
an improper XSS sanitation implementation, which has now been resolved
in cooperation with the author [2], introducing XSS vulnerabilities in
web applications developed by third-party framework users [3].
CmsInput is an extension of the Yii framework designed to wrap
HtmlPurifier and the Codeigniter Security class in a single component
for user-input sanitation. The problem resides in CmsInput's default
cleaning method stripClean in CmsInput.php:

public function stripClean($str)
{
return $this->xssClean($this->stripTags($str));
}

What happens is that stripTags is called on the user-supplied input
before xssClean is called. stripTags is designed to eliminate all HTML
and PHP tags from the user-supplied input by wrapping PHP's strip_tags
[4] function. xssClean is a wrapper for Codeigniter's xss_clean [5]
function, which aims to strip user-supplied input of all suspicious
XSS-related input. Within xssClean, the user-supplied input is
URL-decoded before further processing:

$str = rawurldecode($str);

The problem arises when stripClean is used to sanitize a URL-encoded
user-supplied string, which is then later used under the assumption it
was stripped of all possible XSS vectors. Since stripTags simply
eliminates all raw HTML
and PHP tags and a URL-encoded string contains none, the string gets
passed to xssClean in unchanged form, where it will be URL-decoded
into a string containing HTML tags, thus allowing injection of (a
limited subset of) HTML elements in uninteded locations.

Proof of Concept:

stripClean("%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.com%2Fcsrf.php%22%3E")
= '<img src = "https://test.com/csrf.php">'

[*] Mitigation:
Upgrade to CmsInput version 1.3 [2]

[*] References:

1. https://www.yiiframework.com/extension/input/
2. https://www.yiiframework.com/extension/input/#hh7
3. Eg.: https://www.humhub.org/
4. https://php.net/manual/en/function.strip-tags.php
5. https://ellislab.com/codeigniter/user-guide/libraries/security.html


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close