[+] Yii framework CmsInput extension [1] improper XSS sanitation
[+] Discovered by: Jos Wetzels
[+] Affects: Yii framework CmsInput extension <= version 1.2
Yii framework's CmsInput extension, versions 1.2 and prior, implements
XSS sanitation improperly, introducing XSS vulnerabilities in web
applications developed by third-party framework users [3]. The issue
has been resolved in cooperation with the author [2].
CmsInput is an extension of the Yii framework designed to wrap
HtmlPurifier and the Codeigniter Security class in a single component
for user-input sanitation. The problem resides in CmsInput's default
cleaning method stripClean in CmsInput.php:
public function stripClean($str)
{
    return $this->xssClean($this->stripTags($str));
}
What happens is that stripTags is called on the user-supplied input
before xssClean is called. stripTags is designed to eliminate all HTML
and PHP tags from the user-supplied input by wrapping PHP's strip_tags
[4] function. xssClean is a wrapper for Codeigniter's xss_clean [5]
function, which aims to strip user-supplied input of all suspicious
XSS-related input. Within xssClean, the user-supplied input is
URL-decoded before further processing:
$str = rawurldecode($str);
The problem arises when stripClean is used to sanitize a URL-encoded
user-supplied string which is later used under the assumption that it
has been stripped of all possible XSS vectors. Since stripTags only
eliminates raw HTML and PHP tags, and a URL-encoded string contains
none, the string is passed to xssClean unchanged; xssClean then
URL-decodes it into a string containing HTML tags, allowing injection
of (a limited subset of) HTML elements in unintended locations.
Proof of Concept:
stripClean("%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.com%2Fcsrf.php%22%3E")
= '<img src = "http://test.com/csrf.php">'
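The ordering flaw, modelled in Python as an added example (this is not
CmsInput, Yii or CodeIgniter code). PHP's strip_tags is approximated by a
simplified regex tag remover, rawurldecode by urllib.parse.unquote, and
xssClean is reduced to its decode step, which is the part that matters
here. The decode-first variant is an assumed sound ordering for
illustration, not a description of what version 1.3 actually changed.

```python
"""Model of the CmsInput stripClean ordering flaw (added example, not the extension's code).

Mapping of the PHP steps discussed in the advisory to this model:
  - PHP strip_tags()    -> strip_tags() below, a simplified regex tag remover
  - PHP rawurldecode()  -> urllib.parse.unquote()
xssClean is reduced to its rawurldecode() step; the filtering that follows it
is omitted because the bug is the decode happening after the tag strip.
"""
import re
from urllib.parse import unquote

# Simplified stand-in for PHP strip_tags(): removes anything shaped like a raw
# HTML/PHP tag. Real strip_tags is more involved, but the relevant property is
# the same: it only acts on literal '<' ... '>' sequences present in its input.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(s: str) -> str:
    """Remove raw tags; URL-encoded input contains none, so it passes unchanged."""
    return TAG_RE.sub("", s)


def xss_clean_decode_step(s: str) -> str:
    """The rawurldecode() that CodeIgniter's xss_clean performs before filtering."""
    return unquote(s)


def strip_clean_vulnerable(s: str) -> str:
    """CmsInput <= 1.2 order: strip tags on the raw input, then URL-decode."""
    return xss_clean_decode_step(strip_tags(s))


def strip_clean_decode_first(s: str) -> str:
    """Assumed sound order: decode to canonical form first, then strip tags.

    This is an illustration of the principle, not the actual 1.3 fix.
    """
    return strip_tags(xss_clean_decode_step(s))


def contains_tag(s: str) -> bool:
    """Post-condition a caller can check: does the 'sanitised' output still carry a tag?"""
    return TAG_RE.search(s) is not None


# Constructed inputs: the advisory's PoC string and a harmless control value.
POC = "%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.com%2Fcsrf.php%22%3E"
PLAIN = "hello%20world"

if __name__ == "__main__":
    print("vulnerable order :", repr(strip_clean_vulnerable(POC)))
    print("decode-first     :", repr(strip_clean_decode_first(POC)))
    print("control          :", repr(strip_clean_vulnerable(PLAIN)))
```

The general lesson is that a sanitizer must run on the canonical form of
its input: every decode step that happens after a filter gives the attacker
a layer the filter never saw. Even with the ordering corrected, tag
stripping is not a substitute for context-appropriate output encoding at
the point where the value is rendered.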
[*] Mitigation:
Upgrade to CmsInput version 1.3 [2]
[*] References:
1. http://www.yiiframework.com/extension/input/
2. http://www.yiiframework.com/extension/input/#hh7
3. E.g. https://www.humhub.org/
4. http://php.net/manual/en/function.strip-tags.php
5. https://ellislab.com/codeigniter/user-guide/libraries/security.html