Products: ExpressionEngine 2.2.2, CodeIgniter 2.0.3
Vulnerabilities: xss_clean filter bypass, leading to Cross-Site Scripting (XSS)
Risk: High
Attack Vector: From Remote
EllisLab ExpressionEngine 2.2.2 and CodeIgniter 2.0.3 were found vulnerable to various XSS attacks when relying on the XSS protection provided by the xss_clean filter. When exploited by an external or internal attacker, the identified vulnerabilities could lead to session hijacking, information disclosure, forced installation of malicious files or Trojans on users' PCs, etc.
Due to implementation flaws in the _remove_evil_attributes and xss_clean functions of the CI_Security class, the internal XSS filter can be bypassed, allowing successful XSS attacks on products built on either ExpressionEngine 2.2.2 or CodeIgniter 2.0.3.
The _remove_evil_attributes function of the CI_Security class is meant to detect and remove 'evil' on* event attributes (e.g. onmouseover, onfocus) from any HTML tag submitted as a parameter of a GET or POST request. By exploiting an implementation flaw identified in _remove_evil_attributes, an attacker can inject XSS payloads that rely on such 'evil' on* attributes, as shown below:
XSS injected payload: <a href="#"onclick="alert(1)">" onclick="">
xss_clean 'filtered' output: <a href="#>" onclick="">
The xss_clean function also replaces any detected ( and ) characters in suspicious constructs with the corresponding HTML entities (&#40; and &#41; respectively). As stated by EllisLab developers, something like eval('some code') becomes eval&#40;'some code'&#41;, and such rewritten code is harmless.
When the flaws affecting both the _remove_evil_attributes and xss_clean functions are exploited together, common XSS attack payloads can be injected and executed successfully, as shown below:
XSS injected payload: <a href="#"onclick="alert(1)">" onclick="alert(2)">aa</a>
xss_clean 'filtered' output: <a href="#>" onclick="alert(2)">aa</a>
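As an added check (example code, not from the advisory or from CodeIgniter), feeding the two 'filtered' outputs above through Python's html.parser tokenizer shows why both bypasses work: like a browser, the tokenizer keeps a '>' that sits inside a quoted href value, so the onclick attribute left behind by _remove_evil_attributes is still parsed as an event handler, and it decodes &#40;/&#41; inside attribute values, so the parenthesis-to-entity rewrite does not neutralise a handler either. The FILTERED_2_ENTITIES string is a constructed variant, and encode_for_html_text shows output encoding as the mitigation.

```python
import html
from html.parser import HTMLParser

# Payload 2 and the two 'filtered' outputs quoted in the advisory.
RAW_PAYLOAD_2 = '<a href="#"onclick="alert(1)">" onclick="alert(2)">aa</a>'
FILTERED_1 = '<a href="#>" onclick="">'
FILTERED_2 = '<a href="#>" onclick="alert(2)">aa</a>'
# Constructed variant (not from the advisory): the same output after xss_clean's
# parenthesis-to-entity rewrite has been applied to the surviving handler.
FILTERED_2_ENTITIES = '<a href="#>" onclick="alert&#40;2&#41;">aa</a>'


class EventHandlerFinder(HTMLParser):
    """Records every on* attribute the tokenizer sees, with its decoded value."""

    def __init__(self):
        super().__init__()
        self.handlers = []  # list of (tag, attribute name, decoded value)

    def handle_starttag(self, tag, attrs):
        # html.parser, like a browser, keeps '>' inside a quoted attribute value
        # and decodes character references in attribute values before we see them.
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name, value))


def event_handlers(markup):
    """Return the (tag, name, value) event handlers a browser-like tokenizer finds."""
    finder = EventHandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


def sanitizer_output_is_safe(markup):
    """Post-filter check: reject the sanitizer's output if any on* attribute survives."""
    return not event_handlers(markup)


def encode_for_html_text(raw):
    """Mitigation: encode untrusted data for the HTML text context at output time."""
    return html.escape(raw, quote=True)


if __name__ == "__main__":
    for label, out in (("filtered 1", FILTERED_1), ("filtered 2", FILTERED_2),
                       ("filtered 2 + entities", FILTERED_2_ENTITIES)):
        print(label, event_handlers(out), "safe" if sanitizer_output_is_safe(out) else "UNSAFE")
    print("encoded", event_handlers(encode_for_html_text(RAW_PAYLOAD_2)))
```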
Affected products: EllisLab ExpressionEngine 2.2.2, EllisLab CodeIgniter 2.0.3
Solution: The vendor recommends upgrading to ExpressionEngine 2.3.0 or later, or to CodeIgniter 2.1.0 or later, respectively.
Timeline:
2011, September 08: Vulnerabilities discovered and documented
2011, September 08: Notification sent to EllisLab
2011, September 08: Vulnerabilities confirmed by EllisLab
2011, October 11: EllisLab released ExpressionEngine 2.3.0
2011, November 14: EllisLab released CodeIgniter 2.1.0
2011, November 28: MVSA-11-013 advisory published
Advisory ID: MVSA-11-013
Credit: Dr. Marian Ventuneac