4images Forum & Community
Topic: 1.7.11 Security fix for XSS issue in global.php
jakovits
« on: June 27, 2013, 06:56:16 PM »

Hello

This is an unofficial security report and a fix for an XSS issue with unclosed HTML tags in the global.php file in 4images gallery version 1.7.11.

Currently the clean_string() function in global.php removes unwanted tags, however it is unable to remove tags which are not closed properly.

For example, if you add the following line to an image comment field:

<script src="http://ha.ckers.org/xss.js?"

it will create a javascript popup every time the image description is viewed. This vector can be used to enable any XSS attack.

To fix this issue, in file global.php, before line 204, which is:

$string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $string);

add two lines:

$string = preg_replace("/<([^<>]*)(?=<|$)/", "&lt;$1", $string);      # replace unclosed '<', keep the text after it
$string = preg_replace("/(^|(?<=>))([^<>]*)>/", "$2&gt;", $string);   # replace unopened '>', keep the text before it ($2)

As a result, any unclosed < or > characters will be replaced respectively with either &lt or &gt. Properly closed tags will remain as they were.


Jakovits
kai
« Reply #1 on: July 15, 2013, 06:02:20 PM »

or

find in "global.php"

$string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $string);

and replace with

$string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*(>|$)#i', "", $string);

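The three filters discussed in this thread (the original line 204, jakovits' two-line pre-pass, and kai's one-line replacement), ported from the PHP PCRE patterns to Python's re module as an added example that is not code from the 4images project or from either poster, run over constructed comment strings to show that the unclosed <script bypasses the original pattern and that both fixes neutralise it while leaving ordinary text intact. The unopened-'>' replacement is written with group 2 so the text before the bracket is kept, which is assumed to be the post's intent; example.invalid is a placeholder host.

```python
import re

# Tag list from the 4images 1.7.11 clean_string() pattern quoted in the thread.
TAGS = ("applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|"
        "frameset|ilayer|layer|bgsound|title|base")

# Original global.php line 204: only strips tags that end with a '>'.
STRIP_CLOSED = re.compile(rf"</*({TAGS})[^>]*>", re.I)
# kai's replacement: the tag may also run to the end of the string.
STRIP_CLOSED_OR_EOS = re.compile(rf"</*({TAGS})[^>]*(>|$)", re.I)
# jakovits' pre-pass: a '<' with no '>' before the next '<' or end of string,
# and a '>' with no '<' since the start of string or the previous '>'.
UNCLOSED_LT = re.compile(r"<([^<>]*)(?=<|$)")
UNOPENED_GT = re.compile(r"(^|(?<=>))([^<>]*)>")


def clean_original(s: str) -> str:
    """Unpatched 1.7.11 behaviour."""
    return STRIP_CLOSED.sub("", s)


def clean_jakovits(s: str) -> str:
    """Escape dangling angle brackets first, then strip tags as before."""
    s = UNCLOSED_LT.sub(r"&lt;\1", s)
    s = UNOPENED_GT.sub(r"\2&gt;", s)  # group 2 is the text before the '>'
    return STRIP_CLOSED.sub("", s)


def clean_kai(s: str) -> str:
    """Strip a filtered tag even when its closing '>' is missing."""
    return STRIP_CLOSED_OR_EOS.sub("", s)


def has_live_tag(s: str) -> bool:
    """True if a raw '<' still introduces one of the filtered tag names."""
    return re.search(rf"<\s*/?\s*({TAGS})\b", s, re.I) is not None


# Constructed sample comments; example.invalid is a placeholder host.
UNCLOSED = '<script src="http://example.invalid/x.js?"'  # no closing '>'
BENIGN = "<b>bold</b> and 1 > 0 but 2 < 3"

if __name__ == "__main__":
    for name, fn in [("original", clean_original), ("jakovits", clean_jakovits), ("kai", clean_kai)]:
        print(f"{name:9} unclosed -> {fn(UNCLOSED)!r}  live tag: {has_live_tag(fn(UNCLOSED))}")
        print(f"{name:9} benign   -> {fn(BENIGN)!r}")
```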