4images Forum & Community
Welcome, Guest. Please login or register.
Did you miss your activation email?
February 22, 2019, 04:48:56 AM

Login with username, password and session length
Search:     Advanced search
Check the new Tutorial subforum with helpfull guides and tutorials for modifications and tweaks.
Togle to toolbar
Translate this page with =>
Translate this page >
* Home Help Search Login Register
+  4images Forum & Community
|-+  4images Issues / Ausgaben
| |-+  Feedback & Suggestions (Moderator: Acidgod)
| | |-+  1.7.11 Security fix for XSS issue in global.php
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Print
Author Topic: 1.7.11 Security fix for XSS issue in global.php  (Read 6417 times)

Offline Offline

Posts: 1

Thank You
-Given: 0
-Receive: 0

View Profile
« on: June 27, 2013, 06:56:16 PM »


This is an unoffical security report and a fix for a XSS issue with unclosed html tags in global.php file in 4images gallery version 1.7.11.

Currently the clean_string() function in global.php removes unwanted tags, however it is unable to remove tags which are not closed properly.

For example, if you add the following line to an image comment field:

<script src="http://ha.ckers.org/xss.js?"

it will create a javascript popup every time the image description is viewed. This vector can be used to enable any XSS attack.

To fix this issue, in file global.php, before line 204, which is:

 $string preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);

add two lines:

$string preg_replace("/<([^<>]*)(?=<|$)/""&lt$1",  $string); # replace unclosed '<'
$string preg_replace("/(^|(?<=>))([^<>]*)>/""$1&gt",  $string); # replace unopened '>'

As a result, any unclosed < or > characters will be replaced respectively with either &lt or &gt. Properly closed tags will remain as they were.

« Last Edit: June 27, 2013, 07:21:04 PM by jakovits » Logged
Addicted member
Offline Offline

Posts: 1405

Thank You
-Given: 66
-Receive: 205

View Profile WWW
« Reply #1 on: July 15, 2013, 06:02:20 PM »


find in "global.php"
$string preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);

and replace with
$string preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*(>|$)#i',"",$string);

Follow members gave a thank to your post:

For this post, 1 member gave a thank you!
« Last Edit: July 16, 2013, 06:17:01 PM by kai » Logged

Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search
Pages: [1] Print 
« previous next »
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF | SMF © 2015, Simple Machines Valid XHTML 1.0! Valid CSS!
Page created in 0.057 seconds with 22 queries.
Post your comments here