Bug #3127
Missing encoding of single quotes in pkg_edit.php / XSS
Status: Closed, 100% done
Description
The problem occurs when a user enters a single quote (') into an input field, saves, and then edits again.
Then the input is truncated at the first single quote.
I noticed the problem with the Filer package using Diagnostics / Filer / Edit, but the issue might apply to other packages as well. In this package single quotes can be useful in the script field.
The problem is caused by a missing HTML entity encoding of single quotes in <input value='...'>. This can be verified viewing the HTML source in the browser. It will show e.g. <input value='echo 'hi''> when the user has entered echo 'hi'.
The bug allows cross-site scripting (XSS), which can be verified, e.g. by entering the following in the above scenario:
' onfocus='alert(1)
The attached patch fixes the problem by replacing
htmlspecialchars($value)
with
htmlspecialchars($value, ENT_QUOTES)
in a number of places. Background: by default htmlspecialchars encodes only double quotes; with ENT_QUOTES it encodes both double and single quotes.
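The following is an added example, not code from this report or from pfSense, that reproduces the attribute breakout described above and the ENT_QUOTES fix side by side. render_input_vulnerable() and render_input_fixed() are hypothetical stand-ins for the <input value='...'> markup emitted by pkg_edit.php; the two input strings are constructed from the report. ENT_COMPAT is passed explicitly in the vulnerable variant because PHP 8.1 changed the default flags of htmlspecialchars to include ENT_QUOTES, so a bare htmlspecialchars($value) no longer reproduces the bug on current PHP.

```php
<?php
// Added example (not pfSense code): single-quoted attribute with and without
// single-quote encoding, fed the two inputs from the bug report.

// Vulnerable variant: ENT_COMPAT is the pre-PHP-8.1 default of htmlspecialchars()
// and encodes & < > " but NOT the single quote that delimits this attribute.
function render_input_vulnerable(string $value): string
{
    return "<input value='" . htmlspecialchars($value, ENT_COMPAT, 'UTF-8') . "'>";
}

// Fixed variant: ENT_QUOTES encodes both ' (as &#039;) and ". ENT_SUBSTITUTE is an
// extra hardening choice so malformed UTF-8 is replaced instead of the whole
// value silently becoming an empty string, which would be another way to lose data.
function render_input_fixed(string $value): string
{
    return "<input value='" . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "'>";
}

// Crude self-check for a single-quoted attribute: the only single quotes left in
// the rendered tag must be the two delimiters. Any other quote means the
// attribute was closed early and the rest of the input became markup.
function attribute_is_intact(string $html): bool
{
    return substr_count($html, "'") === 2;
}

// Constructed inputs: the legitimate script fragment from the report, and the
// XSS probe from the report that closes the attribute and adds an event handler.
$inputs = [
    "echo 'hi'",
    "' onfocus='alert(1)",
];

foreach ($inputs as $value) {
    $bad  = render_input_vulnerable($value);
    $good = render_input_fixed($value);
    printf("input:      %s\n", $value);
    printf("vulnerable: %s  (attribute intact: %s)\n", $bad, attribute_is_intact($bad) ? 'yes' : 'no');
    printf("fixed:      %s  (attribute intact: %s)\n\n", $good, attribute_is_intact($good) ? 'yes' : 'no');
}
```

Run with `php example.php`. The vulnerable renderer produces the `<input value='echo 'hi''>` markup quoted in the report for the first input, and for the second input the self-check fails because the injected `onfocus` handler lands outside the attribute. The same breakout applies to double-quoted attributes if only single quotes were encoded, which is why the fix is to always pass ENT_QUOTES rather than to rely on which quote character a given template happens to use.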
Updated by Jörg Schneider over 11 years ago
The title should end with XSS instead of XXS.
Updated by Renato Botelho about 11 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 605ae5537da157adfb414cc8837d465c132f4c8c.
Updated by Renato Botelho about 11 years ago
Applied in changeset da95bdcd9202e0f240099af3bfdf284b8f404d9f.
Updated by Renato Botelho about 11 years ago
- Subject changed from Missing encoding of single quotes in pkg_edit.php / XXS to Missing encoding of single quotes in pkg_edit.php / XSS
- Target version set to 2.1
Updated by Chris Buechler about 11 years ago
- Status changed from Feedback to Resolved