Project

General

Profile

Actions

Bug #3127

closed

Missing encoding of single quotes in pkg_edit.php / XSS

Added by Jörg Schneider over 11 years ago. Updated over 11 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Web Interface
Target version:
Start date:
08/03/2013
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.1
Affected Architecture:

Description

The problem occurs, when a user enters a single quote (') into an input field, saves and then edits again.
Then the input is truncated at the first single quote.

I noticed the problem with the Filer package using Diagnostics / Filer / Edit, but the issue might apply to other packages as well. In this package single quotes can be useful in the script field.

The problem is caused by a missing HTML entity encoding of single quotes in <input value='...'>. This can be verified viewing the HTML source in the browser. It will show e.g. <input value='echo 'hi''> when the user has entered echo 'hi'.

The bug allows cross site scripting (XSS), which can be verified, e.g. by entering the following in the above scenario:

' onfocus='alert(1)

The attached patch fixes the problem by replacing

htmlspecialchars($value)

with
htmlspecialchars($value, ENT_QUOTES)

in a number of places. Background: htmlspecialchars encodes by default only double quotes, with ENT_QUOTES it encodes double and single quotes.


Files

pkg_edit.diff (2.48 KB) pkg_edit.diff Patch for pkg_edit.php to fix reported issue Jörg Schneider, 08/03/2013 04:10 AM
Actions #1

Updated by Jörg Schneider over 11 years ago

The title should end with XSS instead of XXS.

Actions #2

Updated by Renato Botelho over 11 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Renato Botelho over 11 years ago

  • Subject changed from Missing encoding of single quotes in pkg_edit.php / XXS to Missing encoding of single quotes in pkg_edit.php / XSS
  • Target version set to 2.1
Actions #5

Updated by Chris Buechler over 11 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF