
XSS vulnerability? Bug?

8 years 6 months ago #3995 by sakattack
Hello

I was made aware that there is an XSS vulnerability caused by the search function of the component. In order to replicate the issue search for %22%3ETEST%3Cimg%20src=a%20onerror=alert%28document.cookie%29%3E

Can we fix this? Is it indeed an issue?

8 years 6 months ago - 8 years 6 months ago #3996 by redactie
Replied by redactie on topic XSS vulnerability? Bug?
If it is an XSS it is an issue indeed; however, I cannot reproduce the problem.

I tried it with J2 and J3 in SEF and non-SEF with the original searchbox-custom module.

As far as I know the component and the module use 'getVar', which sanitizes the input. By default it removes all HTML from the input.

If I manually alter the sanitizer I get the described XSS. That is, by changing the Joomla core code. I have no idea which setting in Joomla would change the behaviour. I tried 'textfilters' but that doesn't trigger the XSS.

So, what is different on the server where you triggered the XSS?
Last edit: 8 years 6 months ago by redactie.

8 years 6 months ago - 8 years 6 months ago #3997 by sakattack
Replied by sakattack on topic XSS vulnerability? Bug?
Actually, I managed to reproduce it on your demo site as well. On demos.affiliatefeeds.nl/shop/kleding.html search for %22%3ETEST%3Cimg%20src=a%20onerror=alert%28document.cookie%29%3E

or

>TEST<img src=a onerror=alert(document.cookie)>

I am not very familiar with XSS techniques and shit, so I'm not really sure if it is indeed an XSS issue. However, this search does add HTML on the page, and on Firefox it does open a popup with the cookie details.

I imagine if anyone were to send someone to your site using a link containing such a search, then he would be able to do all kinds of shit to the visitor with your server's blessing.

I managed to avoid this behavior by changing components/com_datafeeds/helpers/helpers.php line 161 (Joomla 3.4, by the way) from

foreach ( explode('>',$q) as $v ) {

to

$q = str_replace(array('>', '<'), 'some character combination', $q); // assign the result, str_replace does not modify $q in place
foreach ( explode('some character combination', $q) as $v ) {

However, I'm not really sure this is OK.
Last edit: 8 years 6 months ago by sakattack.

8 years 6 months ago - 8 years 6 months ago #3998 by sakattack
Replied by sakattack on topic XSS vulnerability? Bug?
Well, on my site I can actually add whatever URL parameter in com_datafeeds pages and I can XSS anything. I cannot explain it. I haven't changed anything in the component that could allow for this. I even undid all the changes and the problem persists. I use Joomla 3.4.4.

e.g.

if I add ?whatever=">TEST<img+src%3Dhttps%3A%2F%2Fwww.webmasterworld.com%2Fimages%2Flogo.png>

then the resulting page has the webmasterworld logo embedded.

So it is not a search function problem; something else is at play here. And it is only happening in com_datafeeds pages.
Last edit: 8 years 6 months ago by sakattack.

8 years 6 months ago - 8 years 6 months ago #3999 by sakattack
Replied by sakattack on topic XSS vulnerability? Bug?
OK, I found the issue.

I've been using your sort code from this post

affiliatefeeds.nl/pro-features/263-addin...e-items-display.html

which I had changed in order to get the query string as well, and I was echoing it without cleaning it first. I fixed it with htmlentities.
Last edit: 8 years 6 months ago by sakattack.

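As an added illustration (not code from com_datafeeds, the forum posts or the linked sort snippet), here is the echo pattern described in post #3999 beside the htmlentities fix, exercised with the decoded search string from the thread. The function names, the link markup and the `sort` parameter are assumptions made for the example.

```php
<?php
// Added example, not code from com_datafeeds or the forum posts.
// Post #3999: a customised sort snippet echoed the raw query string into
// the page, so markup in the search parameter landed in the HTML unescaped.

// Vulnerable pattern (assumed shape): raw query value written into markup.
function renderSortLinkUnsafe(string $q): string
{
    return '<a href="?q=' . $q . '&amp;sort=price">Sort by price</a>';
}

// Hardened: escape for the HTML context at the point of output.
// ENT_QUOTES encodes both quote styles, which is what stops the value
// from breaking out of the href attribute; < and > become &lt; and &gt;.
function renderSortLinkSafe(string $q): string
{
    $escaped = htmlentities($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="?q=' . $escaped . '&amp;sort=price">Sort by price</a>';
}

// Defender-side check: does the rendered fragment still contain a raw tag
// that the browser would parse, rather than its entity-encoded text form?
function containsRawTag(string $html): bool
{
    return preg_match('/<img\b/i', $html) === 1;
}

// Constructed input: the decoded form of the search string from the thread.
$payload = '">TEST<img src=a onerror=alert(document.cookie)>';

echo renderSortLinkUnsafe($payload), PHP_EOL;
echo containsRawTag(renderSortLinkUnsafe($payload)) ? 'unsafe: raw tag present' : 'no raw tag', PHP_EOL;

echo renderSortLinkSafe($payload), PHP_EOL;
echo containsRawTag(renderSortLinkSafe($payload)) ? 'unsafe: raw tag present' : 'safe: no raw tag', PHP_EOL;
```

Run it with `php example.php`. The getVar filtering mentioned in post #4000 is an input-side layer; escaping at output is what keeps the echo safe no matter how the value reached the template.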
8 years 6 months ago #4000 by redactie
Replied by redactie on topic XSS vulnerability? Bug?
If you use getVar to get the value from the query it should be sanitized.

How about the demo site? I still cannot reproduce the problem on

demos.affiliatefeeds.nl/shop/kleding/?q=...ocument.cookie%29%3E
