
XSS vulnerability? Bug?

5 years 11 months ago #3995 by sakattack
XSS vulnerability? Bug? was created by sakattack
Hello

I was made aware that there is an XSS vulnerability caused by the search function of the component. In order to replicate the issue search for %22%3ETEST%3Cimg%20src=a%20onerror=alert%28document.cookie%29%3E

Can we fix this? Is it indeed an issue?



    5 years 11 months ago - 5 years 11 months ago #3996 by bram
    Replied by bram on topic XSS vulnerability? Bug?
    If it is an XSS it is an issue indeed; however, I cannot reproduce the problem.

    I tried it with J2 and J3 in SEF and non-SEF with the original searchbox-custom module.

    As far as I know the component and the module use 'getVar', which sanitizes the input. By default it removes all HTML from the input.

    If I manually alter the sanitizer I get the described XSS, that is, by changing the Joomla core code. I have no idea which setting in Joomla would change the behaviour. I tried 'textfilters' but that doesn't trigger the XSS.

    So, what is different on the server where you triggered the XSS?



    5 years 11 months ago - 5 years 11 months ago #3997 by sakattack
    Replied by sakattack on topic XSS vulnerability? Bug?
    Actually I managed to reproduce it on your demo site as well. On demos.affiliatefeeds.nl/shop/kleding.html search for %22%3ETEST%3Cimg%20src=a%20onerror=alert%28document.cookie%29%3E

    or

    >TEST<img src=a onerror=alert(document.cookie)>

    I am not very familiar with XSS techniques and shit, so I'm not really sure if it is indeed an XSS issue. However, this search does add HTML to the page, and on Firefox it does open a popup with the cookie details.

    I imagine if any1 were to send some1 to your site using a link containing such a search, then he would be able to do all kinds of shit to the visitor with your server's blessing.

    I managed to avoid this behavior by changing components/com_datafeeds/helpers/helpers.php line 161 (Joomla 3.4, by the way) from

    foreach ( explode('>',$q) as $v ) {

    to

    // str_replace() returns a new string and leaves $q untouched, so the
    // result has to be assigned back before the explode() below sees it.
    $q = str_replace(array('>', '<'), 'some character combination', $q);
    foreach ( explode('some character combination', $q) as $v ) {

    However, I'm not really sure this is OK.



    5 years 11 months ago - 5 years 11 months ago #3998 by sakattack
    Replied by sakattack on topic XSS vulnerability? Bug?
    Well, on my site I can actually add whatever URL parameter in com_datafeeds pages and I can XSS anything. I cannot explain it. I haven't changed anything in the component that could allow for this. I even undid all the changes and the problem persists. I use Joomla 3.4.4.

    e.g.

    If I add ?whatever=">TEST<img+src%3Dhttps%3A%2F%2Fwww.webmasterworld.com%2Fimages%2Flogo.png>

    then the resulting page has the webmasterworld logo embedded.

    So it is not a search function problem; something else is at play here. And it is only happening in com_datafeeds pages.



    5 years 11 months ago - 5 years 11 months ago #3999 by sakattack
    Replied by sakattack on topic XSS vulnerability? Bug?
    OK, I found the issue.

    I've been using your sort code from this post

    affiliatefeeds.nl/pro-features/263-addin...e-items-display.html

    which I had changed in order to get the query string as well, and I was echoing it without cleaning it first. I fixed it with htmlentities.


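    The bug sakattack found above (a query-string value echoed straight into the sort markup) and the output-escaping fix, shown side by side as an added example. This is not code from com_datafeeds, from the linked sort snippet or from Joomla; the function names are hypothetical and the sample value is the payload from this thread.

```php
<?php
// Added example, not code from the component or the forum post.
// Contrasts the pattern that caused the bug in this thread (a raw query-string
// value dropped into markup) with context-aware output encoding.

// Constructed sample: the thread's payload as it arrives in $_GET['q'] after
// URL decoding.
const SAMPLE_Q = '">TEST<img src=a onerror=alert(document.cookie)>';

// Vulnerable pattern (hypothetical name): the value closes the href attribute,
// and the <img> with its onerror handler becomes part of the page.
function renderSortLinkUnsafe(string $base, string $q, string $sort): string
{
    return '<a href="' . $base . '?q=' . $q . '&sort=' . $sort . '">' . $q . '</a>';
}

// Hardened pattern (hypothetical name): encode for each context the value lands in.
//  - inside the URL: percent-encode the parameter with rawurlencode()
//  - inside an attribute or text node: HTML-escape with ENT_QUOTES so both
//    " and ' are neutralised, and name the charset explicitly
function renderSortLink(string $base, string $q, string $sort): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    $url   = $base . '?q=' . rawurlencode($q) . '&sort=' . rawurlencode($sort);
    return '<a href="' . htmlspecialchars($url, $flags, 'UTF-8') . '">'
         . htmlspecialchars($q, $flags, 'UTF-8') . '</a>';
}

// Regression check for a test suite: the rendered fragment may contain only
// the <a> element built here; any other tag means input reached markup unescaped.
function containsForeignTag(string $html): bool
{
    return preg_match('~<(?!/?a[\s>])[a-z!/]~i', $html) === 1;
}

$unsafe = renderSortLinkUnsafe('/shop/kleding.html', SAMPLE_Q, 'price');
$safe   = renderSortLink('/shop/kleding.html', SAMPLE_Q, 'price');

printf("unsafe fragment: %s\n  foreign tag present: %s\n",
       $unsafe, var_export(containsForeignTag($unsafe), true));
printf("safe fragment:   %s\n  foreign tag present: %s\n",
       $safe, var_export(containsForeignTag($safe), true));
```

    htmlentities(), which the post used, escapes the same characters that matter here; the detail to get right in either function is the ENT_QUOTES flag, because before PHP 8.1 the default left single quotes unescaped, which still allows breaking out of a single-quoted attribute.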

    5 years 11 months ago #4000 by bram
    Replied by bram on topic XSS vulnerability? Bug?
    If you use getVar to get the value from the query it should be sanitized.


    How about the demo site? I still cannot reproduce the problem on

    demos.affiliatefeeds.nl/shop/kleding/?q=...ocument.cookie%29%3E

