4images Issues / Ausgaben > Feedback & Suggestions

1.7.11 Security fix for XSS issue in global.php

(1/1)

jakovits:
Hello

This is an unoffical security report and a fix for a XSS issue with unclosed html tags in global.php file in 4images gallery version 1.7.11.

Currently the clean_string() function in global.php removes unwanted tags, however it is unable to remove tags which are not closed properly.

For example, if you add the following line to an image comment field:


--- Code: ---<script src="http://ha.ckers.org/xss.js?"
--- End code ---

it will create a javascript popup every time the image description is viewed. This vector can be used to enable any XSS attack.

To fix this issue, in file global.php, before line 204, which is:

 $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);

add two lines:

$string = preg_replace("/<([^<>]*)(?=<|$)/", "&lt$1",  $string); # replace unclosed '<'
$string = preg_replace("/(^|(?<=>))([^<>]*)>/", "$1&gt",  $string); # replace unopened '>'

As a result, any unclosed < or > characters will be replaced respectively with either &lt or &gt. Properly closed tags will remain as they were.


Jakovits

kai:
or

find in "global.php"
   $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);

and replace with
   $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*(>|$)#i',"",$string);

Navigation

[0] Message Index