Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Simple Machines Forum (SMF) XSS issue
From: RSnake <rsnake () shocking com>
Date: Sun, 22 Oct 2006 11:06:21 -0700 (PDT)


I wouldn't rely on that library by itself.  As I emailed Kallahar quite
a while ago about it is still vulnerable to at least one issue:

<IMG
SRC=ja&#&#x78;09;vascrip&#&#x78;09;t:alert(String.fromCharCode(88,83,83));>

This works in IE6.0 and Opera 9.0.  What it is doing is converting HTML
entities into their ASCII equivalent.  By doing that he is changing my
string, "&#&#x78;09;" into "&#x09;" which is a newline, and injected
within the javascript directive it breaks it up.  This is a pretty good
example of why conversion filters can be used against you.

-RSnake
http://ha.ckers.org/
http://sla.ckers.org/

On Sat, 21 Oct 2006, mrapples () gmail com wrote:

Good find on this.

Here is the fix I applied:

Find on line ~85 in Sources/Search.php:

foreach ($temp_params as $i => $data)
{
   @list ($k, $v) = explode('|\'|', $data);
   $context['search_params'][$k] = stripslashes($v);
}


Change to:

foreach ($temp_params as $i => $data)
{
   @list ($k, $v) = explode('|\'|', $data);
   $context['search_params'][$k] = RemoveXSS(stripslashes($v));
}


The RemoveXSS function is taken from the following site:
http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php

I hope that handles all the issue related to this.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault