From: Andrew L. <joy...@ya...> - 2003-01-29 03:12:34
Yes, well, it's sort of XSS. You can inject HTML that will either lead visitors away from Gallery, annoy them, or totally screw up the page, etc. -- obviously not the intended result. Maybe XSS was too strong of a word, but this is surely an issue that needs to be taken care of. The solution I provided (as well as the patch Delfim wrote) should correct the problem efficiently enough. Sorry for the confusion, but when I originally reported the problem, I had no idea it had this many consequences -- I just got a little excited/worried about what else this might cause.

--Andrew

--- John Kirkland <jp...@bl...> wrote:
> When I wrote add_comment.php, I didn't have the removeTags call. Bharat added that later as a security fix.
>
> I'm trying to get my arms around the XSS thing so I can stop writing code with the problem! Since javascript is client-executed, is that truly XSS? I thought XSS was when you got the server to execute code.
>
> thanks,
> John
>
> On Tue, 28 Jan 2003, Andrew Lindeman wrote:
>
> > They are, read add_comment.php. These fields are stripped of HTML using the removeTags() function. The IP Address field is not.
> >
> > --Andrew
> >
> > --- Andrew Lindeman <joy...@ya...> wrote:
> > > I believe these fields are stripped of HTML.
> > >
> > > --- John Kirkland <jp...@bl...> wrote:
> > > > Why can you not do this, with, say, the $commenter_name value?
> > > >
> > > > -John
> > > >
> > > > On Tue, 28 Jan 2003, Andrew Lindeman wrote:
> > > >
> > > > > Confirmed. I just did it myself. The IP Address is taken AS IS, no tag stripping; I was able to inject a Javascript application into the comment. Bharat, Beckett, this is serious :( Fortunately, it's a pretty simple fix.
> > > > >
> > > > > --Andrew
> > > > >
> > > > > --- Andrew Lindeman <joy...@ya...> wrote:
> > > > > > I never thought of XSS. Shoot, that's a good point.
> > > > > > Another serious security hole -- dang...
> > > > > >
> > > > > > --Andrew
> > > > > >
> > > > > > --- Delfim Machado <db...@co...> wrote:
> > > > > > > Andrew Lindeman wrote:
> > > > > > >
> > > > > > > > I was doing some code browsing and found that Gallery includes a user's IP address in a hidden field when submitting a comment.
> > > > > > > >
> > > > > > > > (snippet from add_comment.php)
> > > > > > > >
> > > > > > > > <input type=hidden name="IPNumber" value="<?php echo $HTTP_SERVER_VARS['REMOTE_ADDR'] ?>">
> > > > > > >
> > > > > > > <input type=hidden name="IPNumber" value="<iframe src='http://all.your.XSS.are.belong.to.someone'></iframe>">
> > > > > > >
> > > > > > > or something very evil, get the session id from the admin and some other things (don't know)
> > > > > > >
> > > > > > > i'm only thinking out loud
> > > > > > >
> > > > > > > well, i tested it and it WORKED !!!
> > > > > > > this is a quick patch, no more XSS and real IP :)
> > > > > > >
> > > > > > > diff add_comment.php add_comment-orig.php
> > > > > > > 44c44
> > > > > > > < $gallery->album->addComment($index, stripslashes($comment_text), $HTTP_SERVER_VARS['REMOTE_ADDR'], $commenter_name);
> > > > > > > ---
> > > > > > > > $gallery->album->addComment($index, stripslashes($comment_text), $IPNumber, $commenter_name);
> > > > > > > 76a77
> > > > > > > > <input type=hidden name="IPNumber" value="<?php echo $HTTP_SERVER_VARS['REMOTE_ADDR'] ?>">
> > > > > > >
> > > > > > > > and later uses it to add the comment
> > > > > > > >
> > > > > > > > $gallery->album->addComment($index, stripslashes($comment_text), $IPNumber, $commenter_name);
> > > > > > >
> > > > > > > the var $IPNumber could be anything to attack the gallery admin, XSS
> > > > > > >
> > > > > > > > I was kind of stumped as to why this is so, since it is extremely easy to spoof the IP address. It's not a huge security risk, but why not delete the hidden field and access the IP address directly when adding the comment?
> > > > > > > >
> > > > > > > > $gallery->album->addComment($index, stripslashes($comment_text), $HTTP_SERVER_VARS['REMOTE_ADDR'], $commenter_name);
> > > > > > >
> > > > > > > ups, you said it first :)
> > > > > > >
> > > > > > > > --Andrew
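Review bot: the diff was generated with the patched file as the first argument (`diff add_comment.php add_comment-orig.php`), so the `<` line is the new code and the `>` lines are the original, which is the reverse of what `patch` expects; regenerating it as `diff -u add_comment-orig.php add_comment.php` would make the direction unambiguous and add context lines. On the substance, the change at 44c44 (passing `$HTTP_SERVER_VARS['REMOTE_ADDR']` to `addComment()` instead of `$IPNumber`) together with deleting the hidden field at 76a77 closes the hole, because the address now comes from the server's connection data rather than from the POST body that the client controls. Two follow-ups worth doing in the same change: the name and text fields still depend entirely on the `removeTags()` call mentioned earlier in the thread, and wherever the stored address and comment are echoed back into a page they should be HTML-escaped, since that output point is where the injected value became markup.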
> > > > > > > > __[ g a l l e r y - d e v e l ]_________________________
> > > > > > > >
> > > > > > > > [ list info/archive --> http://gallery.sf.net/lists.php ]
> > > > > > > > [ gallery info/FAQ/download --> http://gallery.sf.net ]

=== message truncated ===
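The hidden-field problem and the fix discussed in the thread, as an added PHP example that is not Gallery's own code: the function names (save_comment_vulnerable, save_comment_fixed, render_comment), the $store array and the request values are constructed for illustration, and $_SERVER stands in for the $HTTP_SERVER_VARS array used in the 2003 code.

```php
<?php
// Added example, not Gallery's code. Function names, the $store array and the
// sample request below are constructed for illustration.

// Before: the form carries the client's IP in a hidden field, so whoever
// submits the form decides what is stored as the "IP address". Everything in
// the request body is client-controlled, however the form was rendered.
function save_comment_vulnerable(array $post, array &$store): void
{
    $store[] = [
        'name' => strip_tags($post['commenter_name'] ?? ''),
        'text' => strip_tags($post['comment_text'] ?? ''),
        'ip'   => $post['IPNumber'] ?? '',   // taken as-is: this is the hole
    ];
}

// After: read the address from the server's connection data instead of the
// request body, and drop the hidden field from the form entirely.
function save_comment_fixed(array $post, array $server, array &$store): void
{
    $store[] = [
        'name' => strip_tags($post['commenter_name'] ?? ''),
        'text' => strip_tags($post['comment_text'] ?? ''),
        'ip'   => $server['REMOTE_ADDR'] ?? '',
    ];
}

// Defence in depth: escape every stored field at the point where it is
// rendered, so a value that slipped past input filtering cannot become markup.
function render_comment(array $comment): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(
        "<p><b>%s</b> (%s): %s</p>\n",
        $esc($comment['name']),
        $esc($comment['ip']),
        $esc($comment['text'])
    );
}

// Constructed request: a client that edited the hidden field before posting.
$post = [
    'commenter_name' => 'alice',
    'comment_text'   => 'nice photo',
    'IPNumber'       => '<b>not an address</b>',
];
// Constructed server array; REMOTE_ADDR is set by the web server, not the client.
$server = ['REMOTE_ADDR' => '203.0.113.5'];

$before = [];
save_comment_vulnerable($post, $before);
$after = [];
save_comment_fixed($post, $server, $after);

echo "stored before fix: " . $before[0]['ip'] . "\n";
echo "stored after fix:  " . $after[0]['ip'] . "\n";
// Even the tainted record renders inertly once output escaping is applied.
echo render_comment($before[0]);
```

REMOTE_ADDR is the address of the TCP peer, so behind a reverse proxy or load balancer it is the proxy's address; any forwarded-for header that a proxy adds is itself request data and must be treated with the same suspicion as the hidden field, only trusted when it is known to have been set by your own proxy.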