Re: BBCode XSS in XOOPS CMS

From: kain (masterkainat_private)
Date: Wed Aug 13 2003 - 15:02:55 PDT

    Confirmed on XOOPS 1.3.10 with a pure module.textsanitizer.php.
    XOOPS 1.3.x users should modify their class/module.textsanitizer.php.
    raw patch:
    
    ----------------
    [.....]
     function xoopsCodeDecode($text){
      $patterns = array();
      $replacements = array();
      $patterns[] = "/\[url=(['\"]?)(http[s]?:\/\/[^\"']*)\\1](.*)\[\/url\]/sU";
      $replacements[] = "<a href='\\2' target='_blank'>\\3</a>";
      $patterns[] = "/\[url=(['\"]?)([^\"']*)\\1](.*)\[\/url\]/sU";
      $replacements[] = "<a href='http://\\2' target='_blank'>\\3</a>";
    
      //xss bug fix :°D
    
      $patterns[] = "/\[color=(['\"]?)([a-zA-Z0-9]*)\\1](.*)\[\/color\]/sU";
      $replacements[] = '<span style="color: #\\2;">\\3</span>';
      $patterns[] = "/\[size=(['\"]?)([a-z0-9-]*)\\1](.*)\[\/size\]/sU";
      $replacements[] = '<span style="font-size: \\2;">\\3</span>';
      $patterns[] = "/\[font=(['\"]?)([^;<>\*\(\)\"']*)\\1](.*)\[\/font\]/sU";
      $replacements[] = '<span style="font-family: \\2;">\\3</span>';
    
      /*
      $patterns[] = "/\[color=(['\"]?)([^\"']*)\\1](.*)\[\/color\]/sU";
      $replacements[] = "<span style='color: #\\2;'>\\3</span>";
      $patterns[] = "/\[size=(['\"]?)([^\"']*)\\1](.*)\[\/size\]/sU";
      $replacements[] = "<span style='font-size: \\2;'>\\3</span>";
      $patterns[] = "/\[font=(['\"]?)([^\"']*)\\1](.*)\[\/font\]/sU";
      $replacements[] = "<span style='font-family: \\2;'>\\3</span>";
      */
    
      $patterns[] = "/\[email]([^;<>\*\(\)\"']*)\[\/email\]/sU";
      $replacements[] = '<a href="mailto:\\1">\\1</a>';
    
      /*
      $patterns[] = "/\[email]([^\"']*)\[\/email\]/sU";
      $replacements[] = "<a href='mailto:\\1'>\\1</a>";
      */
    
      //end xss fix
    
    [...]
    ---rest of file
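
    Review bot: the [font] and [email] patterns added after "//xss bug fix" still use a deny-list class, `[^;<>\*\(\)\"']*`, while [color] and [size] were moved to allow-lists; every character not named there, `:`, `\` and `&` included, still reaches the style or href attribute. Suggest an allow-list for both, for example letters, digits, space, comma and hyphen for font names. Two smaller points on the same lines: the `*` quantifier lets an empty value through ([color=] renders as "color: #;"), so `+` or a fixed length of 3 or 6 hex digits would be tighter, and the new [size] class `[a-z0-9-]*` has no `.` or `%`, so sizes written with either no longer match and are left as literal text. The two [url] patterns above the fix are unchanged and still take `[^\"']*` for the link target.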
    
    kain
    kuht.it wizard
    
    ----- Original Message ----- 
    From: "Frog Man" <leseulfrogat_private>
    To: <bugtraqat_private>; <vulnwatchat_private>
    Sent: Wednesday, August 13, 2003 1:32 PM
    Subject: BBCode XSS in XOOPS CMS
    
    
    > Information :
    > °°°°°°°°°°°°°
    >
    > Language : PHP
    > Bugged Versions : 1.3.x and less (+ 2.0.x and less ? not checked)
    > Safe Version : 2.0.3
    > Website : http://www.xoops.org
    > Problem : BBcode XSS
    
    [snip]
    
    > The url() function from the style tag (CSS) and VBScript are used here to redirect
    > to the URL "abcdef" + the cookie with the BBCode tags [color], [size] and
    > [font].
    > Another style function that could be used is expression().
    >
    > Patch :
    > °°°°°°
    > Just download the last version of XOOPS (2.0.3).
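
As an added example (not XOOPS code and not written by either poster), here is one way to render [color], [size] and [font] with a per-tag allow-list, which generalizes the approach the patch above takes for [color] and [size]. `STYLE_RULES`, `expand_style_tags`, `render_post` and the sample posts are hypothetical and constructed; the code assumes it receives the raw, unescaped post text.

```php
<?php
// Added example, not XOOPS code; every name below is hypothetical.

// tag => [style template, anchored allow-list for the tag's value]
const STYLE_RULES = [
    'color' => ['color: #%s;',      '/\A(?:[0-9a-fA-F]{3}){1,2}\z/'],
    'size'  => ['font-size: %s;',   '/\A(?:(?:xx?-)?(?:small|large)|medium|[1-9][0-9]?(?:px|pt))\z/'],
    'font'  => ['font-family: %s;', '/\A[a-zA-Z][a-zA-Z0-9 ,-]{0,47}\z/'],
];

function expand_style_tags(string $escaped): string
{
    // Optional matching quote around the value, as in the page's patterns.
    $tag = '/\[(color|size|font)=([\'"]?)([^\]\'"\r\n]{1,48})\2\](.*?)\[\/\1\]/s';
    $out = preg_replace_callback($tag, function (array $m): string {
        [$template, $allowed] = STYLE_RULES[$m[1]];
        if (preg_match($allowed, $m[3]) !== 1) {
            return $m[0]; // value not on the allow-list: keep the tag as inert text
        }
        // Recurse so a valid tag of another kind inside the body is expanded too.
        return '<span style="' . sprintf($template, $m[3]) . '">'
             . expand_style_tags($m[4]) . '</span>';
    }, $escaped);
    return $out ?? $escaped; // preg error (e.g. backtrack limit): emit escaped text only
}

function render_post(string $raw): string
{
    // Escape <, > and & first, so the only live markup is what this code emits.
    // ENT_NOQUOTES leaves ' and " alone for quoted tag values; no allow-list
    // admits a quote, so none can end up inside the style attribute.
    return expand_style_tags(htmlspecialchars($raw, ENT_NOQUOTES, 'UTF-8'));
}

// Constructed sample posts: the third and fourth must stay inert text,
// and the last shows markup in the tag body being escaped.
$samples = [
    '[color=ff0000]red[/color]',
    "[font='Verdana, sans-serif'][size=12px]nested[/size][/font]",
    '[color=fff;background:url(//example.invalid/x)]extra declaration[/color]',
    '[size=expression(1)]function call[/size]',
    '[font=Arial]<b>markup in body</b>[/font]',
];
foreach ($samples as $sample) {
    echo render_post($sample), PHP_EOL;
}
```

A tag whose value fails its allow-list is returned unchanged, so the reader sees the literal BBCode and nothing reaches a style attribute.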
    



    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 10:27:55 PDT