XSS attack from Exceptions Lib?
#1

[eluser]Xeoncross[/eluser]
I modified the Exceptions Lib to protect the user from XSS. However, I am not sure if this is necessary. Is the var $page ever composed from URL chars that are not cleaned?

If the values that make $page are just pulled from the URL path - this means that someone could send someone to site.com/path/[removed]xssattack[removed] and use it for a CSFR/XSS.


Code:
<?php
class MY_Exceptions extends CI_Exceptions {

    /**
     * Constructor
     */
    function __construct()
    {
        parent::__construct();
    }

    /**
     * 404 Page Not Found Handler
     *
     * @access    private
     * @param    string
     * @return    string
     */
    function show_404($page = '')
    {
        // Make the $page name XSS safe before it reaches the parent handler
        parent::show_404(htmlentities($page, ENT_QUOTES, 'UTF-8'));
    }

}
#2

[eluser]Xeoncross[/eluser]
Quote:Is the var $page ever composed from URL chars that are not cleaned?
#3

[eluser]wiredesignz[/eluser]
I believe (from exploring the Router class) the entire URL is cleaned by the URI class inside the Router class, and Router generates the 404, so it should be safe.
#4

[eluser]Pascal Kriete[/eluser]
wd already mentioned the URI class, which will error if you have illegal characters in your URL (as defined by the config item).

What's more, $page is never displayed to the user, it's only written to a log file.
#5

[eluser]Xeoncross[/eluser]
[quote author="inparo" date="1216666706"]the URI class... will error if you have illegal characters in your url[/quote]

Perfect! Just what I needed to know.
However, I still think that this is a vulnerability.

[quote author="inparo" date="1216666706"]
$page is never displayed to the user, it's only written to a log file.[/quote]

What if the log is read by a PHP script that outputs the last 10 errors? What if the log is emailed to a user?

XSS attack time. :coolgrin:
#6

[eluser]Pascal Kriete[/eluser]
[quote author="Xeoncross" date="1216667632"]What if the log is read by a PHP script that outputs the last 10 errors?[/quote]

I won't touch the email one, but this situation is certainly worth considering. If you're going to display your log file in an html context, you should definitely clean it.
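An added example (not code from this thread or from CodeIgniter) tying posts #4 and #6 together: a whitelist check of the kind the URI class performs (the allowed set below is an assumption modelled on the permitted_uri_chars config item), a plain-text 404 log written raw, and a log viewer that HTML-encodes each line at output, which is where the escaping belongs. Function names are mine.

```php
<?php
// Added example, not the thread's or CodeIgniter's code. Two defensive layers for
// the $page value: an input whitelist (assumed pattern modelled on CI's default)
// and output encoding when a viewer renders log lines inside HTML.

// Assumed allowed set; CodeIgniter applies its own check per URI segment.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

function is_permitted_uri_segment(string $segment): bool
{
    // Whole-segment, case-insensitive match; anything outside the set is rejected.
    return preg_match('|^[' . PERMITTED_URI_CHARS . ']+$|i', $segment) === 1;
}

function log_404(string $page, array &$log): void
{
    // Store the raw value: the log is plain text, and encoding here would hide
    // what was actually requested from whoever reads the file later.
    $log[] = date('Y-m-d H:i:s') . ' 404 Page Not Found --> ' . $page;
}

function render_recent_errors(array $log, int $count = 10): string
{
    // Output encoding belongs to the HTML context, so it happens here, once,
    // on every line regardless of where the line originally came from.
    $items = array_map(
        fn (string $line): string =>
            '<li>' . htmlspecialchars($line, ENT_QUOTES, 'UTF-8') . '</li>',
        array_slice($log, -$count)
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

// Constructed sample requests: two acceptable segments and one carrying markup.
$requests = ['welcome', 'some<i>markup</i>', 'a b~c.d'];
$log = [];
foreach ($requests as $segment) {
    if (!is_permitted_uri_segment($segment)) {
        // This is the point at which the URI class would refuse the request.
        echo "rejected by whitelist: {$segment}", PHP_EOL;
    }
    // Logged regardless, to show the viewer is safe even if the whitelist is absent.
    log_404($segment, $log);
}

// The markup in the second entry is rendered as escaped text, not as an element.
echo render_recent_errors($log), PHP_EOL;
```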