01030: XSS vuln in forms.php

Summary: XSS vuln in forms.php
Created: 2008-06-24 14:44
Status: Closed - fixed for 2.2.0-beta68
Category: Bug
Assigned:
Priority: 5555
Version: 2.1.27 and higher
OS: Linux/Apache/5.2.4

Description: At line 238 there is a serious XSS vulnerability. Because nothing is escaped and no HTML is stripped out of the "action", the Wiki can be used to execute client-side code. To solve this issue I changed the following lines in forms.php:

SDVA($InputTags['auth_form'], array(
  ':html' => "<form action='{$_SERVER['REQUEST_URI']}' method='post'
    name='authform'>\$PostVars"));

to:

$strippedAction = htmlentities(strip_tags($_SERVER['REQUEST_URI']), ENT_QUOTES);
SDVA($InputTags['auth_form'], array(
  ':html' => "<form action='\$strippedAction' method='post'
    name='authform'>\$PostVars"));

Also, please look at any other use of $_SERVER['REQUEST_URI'] and be sure to use strip_tags and htmlentities, or any other way of sanitizing input.

Question

How could the current $_SERVER['REQUEST_URI'] variable possibly be a serious cross-site scripting vulnerability for anyone other than the browser that is calling the login form with an invalid URL (non-stripped tags...)? What client-side code exactly could be executed? Thanks. --Petko June 25, 2008, at 05:40 PM

EDIT

I also found another place where input was not sanitized. This is in pmwiki.php at line 1549. I replaced:

  SDV($AuthPromptFmt,array(&$PageStartFmt,
    "<p><b>$[Password required]</b></p>
      <form name='authform' action='{$_SERVER['REQUEST_URI']}' method='post'>
        $[Password]: <input tabindex='1' type='password' name='authpw'
          value='' />
        <input type='submit' value='OK' />\$PostVars</form>
        <script language='javascript' type='text/javascript'><!--
          document.authform.authpw.focus() //--></script>", &$PageEndFmt));

with:

  $strippedAction = htmlentities(strip_tags($_SERVER['REQUEST_URI']), ENT_QUOTES);
  SDV($AuthPromptFmt,array(&$PageStartFmt,
    "<p><b>$[Password required]</b></p>
      <form name='authform' action='\$strippedAction' method='post'>
        $[Password]: <input tabindex='1' type='password' name='authpw'
          value='' />
        <input type='submit' value='OK' />\$PostVars</form>
        <script language='javascript' type='text/javascript'><!--
          document.authform.authpw.focus() //--></script>", &$PageEndFmt));
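The following is an added example, not code from PmWiki or from this report. It isolates the pattern behind both changes above (the forms.php `auth_form` and the pmwiki.php `$AuthPromptFmt` fix) into two functions that take the request URI as a parameter, so the raw sink and the escaped version can be compared from the command line on a constructed hostile URI. The function names and the sample URI are invented for illustration. The point it makes is that the hostile value arrives in an ordinary request: whoever gets a victim to follow a crafted link to the login prompt supplies the `$_SERVER['REQUEST_URI']` that the victim's own browser then renders.

```php
<?php
// Added example, not code from PmWiki or from the bug report: it reduces the
// forms.php / pmwiki.php pattern to two functions that take the request URI
// as a parameter, so the sink and the fix can be exercised without a server.

// Vulnerable pattern: the request URI is interpolated raw into a
// single-quoted action attribute.
function auth_form_vulnerable($requestUri) {
    return "<form action='{$requestUri}' method='post' name='authform'></form>";
}

// Hardened pattern: encode for an HTML attribute context. ENT_QUOTES makes
// htmlspecialchars() encode the single quote as well, and it is the single
// quote that terminates the attribute here. strip_tags() is not needed once
// the value is entity-encoded, and it would mangle query strings that
// legitimately contain '<'.
function auth_form_fixed($requestUri) {
    $action = htmlspecialchars($requestUri, ENT_QUOTES, 'UTF-8');
    return "<form action='{$action}' method='post' name='authform'></form>";
}

// Returns true when the rendered markup contains only the six single quotes
// that delimit the three attributes of the template, i.e. no injected quote
// survived as markup.
function attribute_intact($html) {
    return substr_count($html, "'") === 6;
}

// Constructed attacker URI (hypothetical): a link to a protected page whose
// query string carries a raw single quote followed by an event handler.
// PHP leaves $_SERVER['REQUEST_URI'] URL-encoded, so a %27 in the link
// arrives as the literal text "%27" and is harmless; the attack depends on
// the raw byte reaching the server, which is why the encoding performed by
// the victim's browser matters for exploitability.
$attackerUri = "/pmwiki.php?n=Main.HomePage&action=edit' onmouseover='alert(document.cookie)";

$broken = auth_form_vulnerable($attackerUri);
$safe   = auth_form_fixed($attackerUri);

echo "vulnerable: ", $broken, "\n";
echo "fixed:      ", $safe, "\n";

// The vulnerable form gains an extra attribute after the injected quote; the
// fixed form keeps the whole payload inside the attribute value as text.
echo "vulnerable attribute intact: ", var_export(attribute_intact($broken), true), "\n";
echo "fixed attribute intact:      ", var_export(attribute_intact($safe), true), "\n";

exit(attribute_intact($safe) && !attribute_intact($broken) ? 0 : 1);
```

Run it with `php example.php`; it exits 0 only when the escaped output keeps the payload inside the attribute and the raw output does not. Two practical notes on the fix as posted: `htmlentities()` with `ENT_QUOTES` is sufficient on its own, because once `'`, `"`, `<`, `>` and `&` are encoded the value cannot leave the attribute, so the `strip_tags()` call adds nothing and can corrupt legitimate URLs; and the same encoding must be applied at every place the request URI, or any other request-derived value, is written into HTML, since a single unescaped sink is enough.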