Found a possible XSS vulnerability

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Locked
naez
Registered User
Posts: 1
Joined: Mon Mar 31, 2008 3:34 pm

Found a possible XSS vulnerability

Post by naez » Mon Mar 31, 2008 3:48 pm

PHPBB only stops javascript by changing colons to their html entity value (:)

The problem is that javascript is a tricky thing, and can still function even when it is completely garbled.

For instance: Javascript:alert('XSS'); , will still make a popup window.

I haven't found a way to exploit this yet, but that doesn't mean it is impossible. Now or in the future.

I suggest adding a small function to the bbcode/output class that does the following:

Code: Select all

function xss_stop($str)
{
    $pattern = "/:/";
    $replacement = "<b></b>&#58;";
    $string = preg_replace($pattern,$replacement,$str);
    return $string;
}  
So now our source goes from

Code: Select all

javascript&#58;alert('xss');

to

javascript<b></b>&#58;alert('xss');
This is how "other" PHP boards tackle the issue, and it does not affect legitimate output in anyway.

User avatar
ElbertF
Registered User
Posts: 583
Joined: Fri Dec 03, 2004 4:35 pm
Location: tracing..
Contact:

Re: Found a possible XSS vulnerability

Post by ElbertF » Mon Mar 31, 2008 5:30 pm

"javascript:alert('foo');" doesn't do much unless it's between script-tags or inside an attribute, URL's are checked with regex.

Note on the side, perhaps you should post things like these to the security checker, in stead of posting it publicly.

User avatar
Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: Found a possible XSS vulnerability

Post by Kellanved » Mon Mar 31, 2008 11:00 pm

The trick is not letting it escape the quotation. Considering the number of browsers and scripting languages, a solution filtering just colons wouldn't be feasible. It would also remove XHTML compliance and cause problems with urls, which are actually allowed to contain colons.

Thank you for your considerations; should you find an instance where a string in an attribute can escape from its containing quotes, please use the security tracker. However, we took great care in phpBB3 to avoid getting endangered by attacks like that. As to "other" php boards. Yawn. That's not a solution at all, but sugar-coating poor design (BTW: which other board does this).

The proper way is to ensure that there's a protocol in front. *:* urls won't render if there's a "http://" in front of them.
No support via PM.
Trust me, I'm a doctor.

Locked