The guestbook uses TinyMCE as editor and only relies on the input filtering the editor does.
By allowing JREQUEST_ALLOWRAW, all the filtering of malicious input that Joomla offers is bypassed.
The content field has to be filtered though for malicious code. A simple exploit looks like this:
Disable JavaScript in the browser. You get the plain text field instead of the TinyMCE editor, where you can directly launch your attack.
Now enter some JavaScript code, such as you can find here:
http://phpsec.org/projects/guide/2.html#2.3
A hot fix for this is to remove JREQUEST_ALLOWRAW at line 45 in controllers/phocaguestbook.php
$post['content'] = JRequest::getVar( 'content', '', 'post', 'string' /* , JREQUEST_ALLOWRAW */ );
As a consequence users cannot input any HTML formatting at all anymore, so I also removed the TinyMCE editor by commenting out lines 29 and 30 in views/phocaguestbook/view.html.php
//$document->addCustomTag(PhocaguestbookHelper::setTinyMCEJS());
//$document->addCustomTag(PhocaguestbookHelper::displaySimpleTinyMCEJS());
Security: XSS Vulnerability
-
- Phoca Newbie
- Posts: 3
- Joined: 03 Mar 2008, 14:16
- Contact:
I recommend implementing an editor like the one you find here for posting forum messages, which inserts tags for the simplest formatting and then replaces them in the view with real HTML tags.
I forgot to mention that I inserted:
$values->content = nl2br($values->content);
into views/phocaguestbook/tmpl/default.php at line 179 to allow the users at least to format the input with some newlines.
BTW: really nice guestbook, I like it.
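The two ideas in the posts above (store the raw text without JREQUEST_ALLOWRAW, then use a tiny tag language for formatting and nl2br for line breaks) combine into one output-side routine. The following is an added example, not code from Phoca Guestbook or from the poster; the function name, the [b]/[i] pseudo-tags and the sample entries are my own assumptions and constructions. It shows why escaping first and only then re-enabling an allowlist of formatting is safe: nothing the visitor typed is ever copied into a tag.

```php
<?php
// Added example (not Phoca Guestbook code): render an untrusted guestbook
// entry as safe HTML. Function and pseudo-tag names are assumptions.

/**
 * 1. htmlspecialchars() neutralises every '<', '>', '&', '"' and "'", so no
 *    markup supplied by the visitor survives in the output.
 * 2. Only the pseudo-tags [b] and [i] are translated back into fixed HTML.
 *    The replacement strings are literals; $1 already contains escaped text.
 * 3. nl2br() keeps the visitor's line breaks, as suggested in the thread.
 */
function renderGuestbookEntry(string $content): string
{
    $safe = htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Allowlist of formatting: simple pseudo-tags become fixed HTML tags.
    $safe = preg_replace('~\[b\](.*?)\[/b\]~s', '<strong>$1</strong>', $safe);
    $safe = preg_replace('~\[i\](.*?)\[/i\]~s', '<em>$1</em>', $safe);

    // Preserve newlines without letting the visitor inject <br> themselves.
    return nl2br($safe, false);
}

// Constructed sample entries: normal formatting, and two injection attempts
// of the kind the thread describes, which must come out as inert text.
$entries = [
    "Hello [b]Phoca[/b],\nnice guestbook!",
    "<script>alert(1)</script> [i]escaped?[/i]",
    "<a href=\"javascript:alert(1)\">click</a>",
];

foreach ($entries as $entry) {
    echo renderGuestbookEntry($entry), "\n";
}
```

Run it with `php example.php`: the first entry keeps its bold text and line break, while the second and third are printed as visible, escaped source rather than being interpreted by the browser. The same escape-then-allowlist order is what an HTML Purifier style library does with a far larger allowlist.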
- Jan
- Phoca Hero
- Posts: 48403
- Joined: 10 Nov 2007, 18:23
- Location: Czech Republic
- Contact:
I have tried it, you're right, thank you for your info, I will do some security fix...
Jan
If you find Phoca extensions useful, please support the project
- Jan
- Phoca Hero
- Posts: 48403
- Joined: 10 Nov 2007, 18:23
- Location: Czech Republic
- Contact:
Hi, Fixed with HTML Purifier
Please download 1.2.2