XSS vulnerability? Bug?
7 years 11 months ago #3995
by sakattack
XSS vulnerability? Bug? was created by sakattack
Hello
I was made aware that there is an XSS vulnerability caused by the search function of the component. In order to replicate the issue search for %22%3ETEST%3Cimg%20src=a%20onerror=alert%28document.cookie%29%3E
Can we fix this? Is it indeed an issue?
7 years 11 months ago - 7 years 11 months ago #3996
by bram
Replied by bram on topic XSS vulnerability? Bug?
If it is an XSS it is an issue indeed, however I cannot reproduce the problem.
I tried it with J2 and J3 in SEF and non-SEF with the original searchbox-custom module.
As far as I know the component and the module use 'getVar' which sanitizes the input. By default it removes all html from the input.
If I manually alter the sanitizer I get the described XSS. That is by changing the joomla core code. I have no idea which setting in joomla would change the behaviour. I tried 'textfilters' but that doesn't trigger the XSS.
So, what is different on the server where you triggered the XSS?
7 years 11 months ago - 7 years 11 months ago #3997
by sakattack
Replied by sakattack on topic XSS vulnerability? Bug?
actually I managed to reproduce it on your demo site as well. On
demos.affiliatefeeds.nl/shop/kleding.html
search for %22%3ETEST%3Cimg%20src=a%20onerror=alert%28document.cookie%29%3E
or
>TEST<img src=a onerror=alert(document.cookie)>
I am not very familiar with XSS techniques and shit, so I'm not really sure if it is indeed an XSS issue. However this search does add html on the page and on Firefox it does open a popup with the cookie details.
I imagine if any1 were to send some1 to your site using a link containing such a search, then he would be able to do all kinds of shit on the visitor with your server's blessing.
I managed to avoid this behavior by changing the components/com_datafeeds/helpers/helpers.php line 161 (joomla 3.4 by the way) from
foreach ( explode('>',$q) as $v ) {
to
$q = str_replace(array('>','<'), 'some character combination', $q); // str_replace returns the new string; $q itself is not modified, so the result has to be assigned back
foreach ( explode('some character combination', $q) as $v ) {
however I'm not really sure this is ok
7 years 11 months ago - 7 years 11 months ago #3998
by sakattack
Replied by sakattack on topic XSS vulnerability? Bug?
Well, on my site I can actually add whatever url parameter in com_datafeeds pages and I can XSS anything. I cannot explain it. I haven't changed anything in the component that could allow for this. I even undid all the changes and the problem persists. I use joomla 3.4.4.
e.g.
if I add ?whatever=">TEST<img+src%3Dhttps%3A%2F%2Fwww.webmasterworld.com%2Fimages%2Flogo.png>
then the resulting page has the webmasterworld logo embedded
So it is not a search function problem, something else is at play here. And it is only happening in com_datafeeds pages
7 years 11 months ago - 7 years 11 months ago #3999
by sakattack
Replied by sakattack on topic XSS vulnerability? Bug?
Ok, I found the issue.
I've been using your sort code from this post
affiliatefeeds.nl/pro-features/263-addin...e-items-display.html
which I had changed in order to get the query string as well, and I was echoing it without cleaning it first. I fixed it with htmlentities
Last edit: 7 years 11 months ago by sakattack.
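The thread ends with the actual cause: a modified sort-link snippet that rebuilt a link from the query string and echoed it without escaping, fixed by encoding at output. The PHP below is an added example written for this thread, not code from the com_datafeeds component, from the linked sort-code post, or from either poster. It puts that vulnerable pattern beside a hardened version: the request array, the function names, and the parameter whitelist are all constructed for the example. It runs from the command line with no Joomla installation.

```php
<?php
// Added example (not the component's own code): the sort-link pattern from
// this thread, vulnerable and hardened side by side. The request below is
// constructed inline so the script runs from the CLI without a web server.
declare(strict_types=1);

/** Escape a string for an HTML text or double-quoted attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable (hypothetical reconstruction of the bug described above):
 * request parameters are concatenated straight into an href with no URL
 * encoding and no HTML escaping, so a value can close the attribute and
 * inject markup.
 */
function render_sort_link_vulnerable(array $get): string
{
    $pairs = [];
    foreach ($get as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return '<a href="?' . implode('&', $pairs) . '&sort=price">Sort by price</a>';
}

/**
 * Hardened: only known parameters are reflected (assumed whitelist), each
 * value is URL-encoded by http_build_query, and the finished href is
 * HTML-escaped at the point of output. Both layers are needed: URL encoding
 * keeps the link well-formed, HTML escaping keeps the attribute closed.
 */
function render_sort_link_safe(array $get): string
{
    $allowed = ['q', 'cat', 'page'];
    $kept = array_intersect_key($get, array_flip($allowed));
    $kept['sort'] = 'price';
    $href = '?' . http_build_query($kept);
    return '<a href="' . h($href) . '">Sort by price</a>';
}

// Constructed request: a normal search term plus the unexpected parameter
// from the thread, carrying the same kind of value the poster reported.
$get = [
    'q'        => 'shoes',
    'whatever' => '">TEST<img src=a onerror=alert(1)>',
];

echo "vulnerable:\n", render_sort_link_vulnerable($get), "\n\n";
echo "hardened:\n",   render_sort_link_safe($get), "\n";
```

In the vulnerable output the `"` in the value terminates the href and the `<img>` tag lands in the page as live markup, which is exactly the symptom in the thread (any parameter name works, because the loop reflects every key). In the hardened output the same value survives only as `%22%3ETEST%3Cimg...` inside a properly closed attribute. Note that the earlier idea of swapping `explode('>', $q)` for another delimiter changes how the search term is tokenised, not how it is rendered; the defect is at the output step, so that is where the escaping belongs.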
7 years 11 months ago #4000
by bram
Replied by bram on topic XSS vulnerability? Bug?
If you use getVar to get the value from the query it should be sanitized.
How about the demo site, I still cannot reproduce the problem on
demos.affiliatefeeds.nl/shop/kleding/?q=...ocument.cookie%29%3E