CodeIgniter Forums
XSS attack from Exceptions Lib? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: XSS attack from Exceptions Lib? (/showthread.php?tid=10132)



XSS attack from Exceptions Lib? - El Forum - 07-19-2008

[eluser]Xeoncross[/eluser]
I modified the Exceptions Lib to protect the user from XSS. However, I am not sure if this is necessary. Is the var $page ever composed from URL chars that are not cleaned?

If the values that make $page are just pulled from the URL path - this means that someone could send someone to site.com/path/[removed]xssattack[removed] and use it for a CSRF/XSS.


Code:
<?php
class MY_Exceptions extends CI_Exceptions {
    
    /**
     * Constructor
     *
     */    
    function MY_Exceptions(){
        parent::CI_Exceptions();
    }

    /**
     * 404 Page Not Found Handler
     *
     * @access    private
     * @param    string
     * @return    string
     */
    function show_404($page = '') {    
        //Make the $page name XSS safe
        parent::show_404(htmlentities($page, ENT_QUOTES, 'UTF-8'));
    }

}
?>



XSS attack from Exceptions Lib? - El Forum - 07-21-2008

[eluser]Xeoncross[/eluser]
Quote:Is the var $page ever composed from URL chars that are not cleaned?



XSS attack from Exceptions Lib? - El Forum - 07-21-2008

[eluser]wiredesignz[/eluser]
I believe (from exploring the Router class) the entire URL is cleaned by the URI class inside the Router class, and since Router generates the 404 it should be safe.


XSS attack from Exceptions Lib? - El Forum - 07-21-2008

[eluser]Pascal Kriete[/eluser]
wd already mentioned the URI class, which will error if you have illegal characters in your url (as defined by the config item).

What's more, $page is never displayed to the user, it's only written to a log file.


XSS attack from Exceptions Lib? - El Forum - 07-21-2008

[eluser]Xeoncross[/eluser]
[quote author="inparo" date="1216666706"]the URI class... will error if you have illegal characters in your url[/quote]

Perfect! Just what I needed to know.
However, I still think that this is a vulnerability.

[quote author="inparo" date="1216666706"]
$page is never displayed to the user, it's only written to a log file.[/quote]

What if the log is read by a PHP script that outputs the last 10 errors? What if the log is emailed to a user?

XSS attack time. :coolgrin:


XSS attack from Exceptions Lib? - El Forum - 07-21-2008

[eluser]Pascal Kriete[/eluser]
[quote author="Xeoncross" date="1216667632"]What if the log is read by a PHP script that outputs the last 10 errors?[/quote]

I won't touch the email one, but this situation is certainly worth considering. If you're going to display your log file in an html context, you should definitely clean it.
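The two points made in this thread, illustrated as an added example (this is not code from the thread or from CodeIgniter itself): a per-segment permitted-character check on the URI, in the spirit of CodeIgniter's permitted_uri_chars setting, rejects the request before any 404 handler sees it; and a hypothetical "last 10 errors" log viewer, written once unsafely and once with escaping at the point of output, shows why the log still has to be treated as untrusted in an HTML context. The character whitelist, the log line format and the function names are assumptions for the example, not values taken from any CodeIgniter release.

```php
<?php
// Added example, not part of the original thread or of CodeIgniter.
// Assumptions: the whitelist below only resembles CodeIgniter's
// permitted_uri_chars default; the log line format is made up for the demo.

// (1) URI whitelist, checked per path segment. Anything outside the
//     permitted set is refused before a 404 page is even generated.
function uri_is_permitted(string $uri, string $permitted = 'a-z 0-9~%.:_\-'): bool
{
    foreach (explode('/', $uri) as $segment) {
        if ($segment === '') {
            continue; // empty segment (leading/trailing slash) is harmless
        }
        if (preg_match('/^[' . $permitted . ']+$/i', $segment) !== 1) {
            return false;
        }
    }
    return true;
}

// (2a) Log viewer that drops raw log text into HTML: an XSS sink.
function last_errors_unsafe(array $log_lines, int $n = 10): string
{
    $out = "<ul>\n";
    foreach (array_slice($log_lines, -$n) as $line) {
        $out .= '<li>' . $line . "</li>\n"; // whatever reached the log is now markup
    }
    return $out . "</ul>\n";
}

// (2b) Same viewer, escaping at the output boundary. This holds regardless of
//      what filtering happened (or did not happen) when the line was written.
function last_errors_safe(array $log_lines, int $n = 10): string
{
    $out = "<ul>\n";
    foreach (array_slice($log_lines, -$n) as $line) {
        $out .= '<li>' . htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Constructed sample requests: one ordinary missing page, one carrying a script tag.
$requests = ['path/missing', 'path/<script>alert(1)</script>'];
foreach ($requests as $r) {
    printf("%-35s permitted: %s\n", $r, uri_is_permitted($r) ? 'yes' : 'NO');
}

// Constructed log lines, as if the second request had reached the logger on an
// installation with a looser whitelist, or via some other logging path.
$log = [
    '2008-07-21 10:00:00 --> 404 Page Not Found --> path/missing',
    '2008-07-21 10:00:01 --> 404 Page Not Found --> path/<script>alert(1)</script>',
];
echo last_errors_unsafe($log); // the script tag is emitted verbatim
echo last_errors_safe($log);   // the script tag is emitted as &lt;script&gt;...
```

The whitelist check is the defence the thread relies on; the escaping in last_errors_safe is the one Pascal Kriete recommends for the "display the log in HTML" case, and it is the one that still works when the log is fed from somewhere the URI filter never touched.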