Bugtraq mailing list archives

Re: BBCode XSS in XOOPS CMS

From: "kain" <masterkain () kuht it>
Date: Thu, 14 Aug 2003 00:02:55 +0200

confirmed on xoops 1.3.10 with a pure module.textsanitizer.php .
xoops' 1.3.x users should modify their class/module.textsanitizer.php .
raw patch:

----------------
[.....]
 function xoopsCodeDecode($text){
  $patterns = array();
  $replacements = array();
  $patterns[] = "/\[url=(['\"]?)(http[s]?:\/\/[^\"']*)\\1](.*)\[\/url\]/sU";
  $replacements[] = "<a href='\\2' target='_blank'>\\3</a>";
  $patterns[] = "/\[url=(['\"]?)([^\"']*)\\1](.*)\[\/url\]/sU";
  $replacements[] = "<a href='http://\\2&apos; target='_blank'>\\3</a>";

  //xss bug fix :°D

  $patterns[] = "/\[color=(['\"]?)([a-zA-Z0-9]*)\\1](.*)\[\/color\]/sU";
  $replacements[] = '<span style="color: #\\2;">\\3</span>';
  $patterns[] = "/\[size=(['\"]?)([a-z0-9-]*)\\1](.*)\[\/size\]/sU";
  $replacements[] = '<span style="font-size: \\2;">\\3</span>';
  $patterns[] = "/\[font=(['\"]?)([^;<>\*\(\)\"']*)\\1](.*)\[\/font\]/sU";
  $replacements[] = '<span style="font-family: \\2;">\\3</span>';

  /*
  $patterns[] = "/\[color=(['\"]?)([^\"']*)\\1](.*)\[\/color\]/sU";
  $replacements[] = "<span style='color: #\\2;'>\\3</span>";
  $patterns[] = "/\[size=(['\"]?)([^\"']*)\\1](.*)\[\/size\]/sU";
  $replacements[] = "<span style='font-size: \\2;'>\\3</span>";
  $patterns[] = "/\[font=(['\"]?)([^\"']*)\\1](.*)\[\/font\]/sU";
  $replacements[] = "<span style='font-family: \\2;'>\\3</span>";
  */

  $patterns[] = "/\[email]([^;<>\*\(\)\"']*)\[\/email\]/sU";
  $replacements[] = '<a href="mailto:\\1";>\\1</a>';

  /*
  $patterns[] = "/\[email]([^\"']*)\[\/email\]/sU";
  $replacements[] = "<a href='mailto:\\1&apos;>\\1</a>";
  */

  //end xss fix

[...]
---rest of file

kain
kuht.it wizard

----- Original Message ----- 
From: "Frog Man" <leseulfrog () hotmail com>
To: <bugtraq () securityfocus com>; <vulnwatch () vulnwatch org>
Sent: Wednesday, August 13, 2003 1:32 PM
Subject: BBCode XSS in XOOPS CMS

Informations :
°°°°°°°°°°°°°

Language : PHP
Bugged Versions : 1.3.x and less (+ 2.0.x and less ? not checked)
Safe Version : 2.0.3
Website : http://www.xoops.org
Problem : BBcode XSS


[snip]

function url() from style tag (css) and vbscript are used here to redirect
to the url "abcdef" + the cookie with the bbcode tags [color] [size] and
[font].
Another style function that could be used is expression().

Patch :
°°°°°°
Just download the las version of XOOPS (2.0.3).

Current thread:

BBCode XSS in XOOPS CMS Frog Man (Aug 13)
- Re: BBCode XSS in XOOPS CMS kain (Aug 14)