Found a possible XSS vulnerability

Forum rules
Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
naez
Registered User
Posts: 1
Joined: Mon Mar 31, 2008 3:34 pm

Found a possible XSS vulnerability

Post by naez »

PHPBB only stops javascript by changing colons to their html entity value (&#58;)

The problem is that javascript is a tricky thing, and can still function even when it is completely garbled.

For instance: Javascript:alert('XSS'); , will still make a popup window.

I haven't found a way to exploit this yet, but that doesn't mean it is impossible. Now or in the future.

I suggest adding a small function to the bbcode/output class that does the following:


// Replace every literal colon with an empty <b></b> pair followed by the
// numeric entity, so "javascript:" can never appear as a contiguous token.
function xss_stop($str)
{
    $pattern = "/:/";
    $replacement = "<b></b>&#58;";
    $string = preg_replace($pattern, $replacement, $str);
    return $string;
}
So now our source goes from


javascript&#58;alert('xss');

to

javascript<b></b>&#58;alert('xss');
This is how "other" PHP boards tackle the issue, and it does not affect legitimate output in any way.

ElbertF
Registered User
Posts: 583
Joined: Fri Dec 03, 2004 4:35 pm
Location: tracing..

Re: Found a possible XSS vulnerability

Post by ElbertF »

"javascript:alert('foo');" doesn't do much unless it's between script-tags or inside an attribute; URLs are checked with regex.

Note on the side, perhaps you should post things like these to the security checker, instead of posting it publicly.

Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: Found a possible XSS vulnerability

Post by Kellanved »

The trick is not letting it escape the quotation. Considering the number of browsers and scripting languages, a solution filtering just colons wouldn't be feasible. It would also remove XHTML compliance and cause problems with urls, which are actually allowed to contain colons.

Thank you for your considerations; should you find an instance where a string in an attribute can escape from its containing quotes, please use the security tracker. However, we took great care in phpBB3 to avoid getting endangered by attacks like that. As to "other" php boards. Yawn. That's not a solution at all, but sugar-coating poor design (BTW: which other board does this).

The proper way is to ensure that there's a protocol in front. *:* urls won't render if there's a "http://" in front of them.
No support via PM.
Trust me, I'm a doctor.
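The two rules Kellanved gives (require an allowed protocol in front of a link, and never let the string escape the attribute's quotes) as an added example in Python. This is illustrative code, not phpBB's own filter; the scheme allowlist, the "a dotted scheme is really a host" heuristic, and the function names are assumptions.

```python
import html
import re

# Assumed allowlist for this example; phpBB's own accepted schemes are not on the page.
ALLOWED_SCHEMES = {"http", "https", "ftp"}

# Browsers drop tab/newline anywhere in a URL and strip leading/trailing spaces and
# C0 controls before reading the scheme, so the filter must normalise the same way
# or it compares a different string than the one the browser will act on.
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(map(chr, range(0x21)))
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def safe_href(raw: str):
    """Return a value safe to embed inside href="...", or None to reject the link."""
    url = _TAB_NEWLINE.sub("", raw).strip(_C0_AND_SPACE)
    m = _SCHEME.match(url)
    # Assumption: a "scheme" containing a dot is a bare host such as example.com:8080,
    # not a protocol, so it is treated as having no scheme at all.
    if m is None or "." in m.group(1):
        # No protocol in front: prepend one, so whatever colon follows can only
        # ever be part of the host, port or path, never a scheme.
        url = "http://" + url
    elif m.group(1).lower() not in ALLOWED_SCHEMES:
        # Allowlist the scheme instead of blacklisting characters: any other
        # scheme (javascript, data, ...) is rejected outright.
        return None
    # The remainder is still untrusted text going into an attribute, so escape
    # quotes and angle brackets: the string must not leave the quotation.
    return html.escape(url, quote=True)


def render_link(raw: str) -> str:
    """Render a [url] target as an anchor, or as inert escaped text when rejected."""
    href = safe_href(raw)
    if href is None:
        return html.escape(raw, quote=True)
    return f'<a href="{href}">{href}</a>'
```

Colons inside the path of an allowed URL survive untouched, which is the case a colon-rewriting filter would break.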
