xss_clean doesn't work properly

looking at this function (xss_clean in class CI_Input) i've spotted that it isn't filtering css expressions.
css expressions allow putting javascript into a css rule; it works only in IE, but that's still about 60% of all users.
via expressions one can do everything that js allows, so it's a big danger.

more about this way of putting js, and other xss exploits, here: http://ha.ckers.org/xss.html

example of expression:
<DIV STYLE="width: expression(alert('XSS'));">

i think xss cleaning should be improved; at least the 'expression' word should be filtered as well as 'javascript'

i would like to point out one more problem: there are so many ways to smuggle javascript that i think it's impossible to catch them all, so i think it should be mentioned in the manual that xss filtering doesn't give 100% security

xss can be made even without javascript, for example an img tag: < img src="path_to_admin_file" />, where "path_to_admin_file" is the path to a file which deletes something, for example "/admin/article/del/3" or something like that. if a user with administrator rights 'sees' such an img, it deletes the article...

allowing any html tag from user is unsafe...

ps. sorry if i've made any mistakes in text, english isn't my native language :>

[quote author="droopy" date="1182896829"]
<DIV STYLE="width: expression(alert('XSS'));">
[/quote]

Yes, i've noticed that too, and as you said it should be made clear in the documentation that the filter is not 100% reliable, not because of a defective design, but because of the XSS nature.

Bug reported

[eluser]Derek Jones[/eluser]
marcoss, droopy, I'm not sure what you're looking at, or what your implementation is, but strings like that are definitely cleaned by xss_clean(). Some code demonstrating that it's not handling such strings would be greatly appreciated if you find this to not be the case in your software.

[eluser]Paul Burdick[/eluser]
Yes, if you are expecting it to be sanitized automatically, make sure $config['global_xss_filtering'] is set to TRUE in your config.php file.

$string = '<div style="width: expression(this.style.color=\'#ff0000\');">xss</div>';
echo $string;
echo $this->input->xss_clean($string);

and in ie both 'xss' strings become red; javascript is not affected...

[eluser]Paul Burdick[/eluser]
So? That 'xss' is not an XSS attack but merely some regular CSS done through expression() that IE 6 will recognize.

Putting in your original expression up top, you can see that it is sanitized just fine by converting the parentheses in alert.

[eluser]Paul Burdick[/eluser]
The expression() will process JavaScript, so that might be something we want to add just to be safe. Still, your examples and most things we have tried do not get past because we convert characters or remove the javascript entirely.

i think you don't understand: this "this.style.color=\'#ff0000\'" is not a css rule, it is javascript. i could type here some other code; i can even change the whole site with something like that: "this.parentNode.parentNode.innerHtml='this site sux'"
filtering the alert function is not a good defense from xss :>

of course, there should be innerHTML instead of innerHtml for it to work
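Added example, not part of this thread and not CodeIgniter's own xss_clean() code: the two defensive layers the discussion points at, a rewrite that neutralizes expression( no matter which call sits inside it, and the more robust option of dropping style attributes from user markup altogether. Function names and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not CodeIgniter code): defensive filters for the IE-only
// CSS expression() construct discussed in this thread. Names are assumed.

// Layer 1: a blocklist rewrite, the kind of fix the thread asks for
// ("'expression' should be filtered as well as 'javascript'"). It is
// case-insensitive and tolerates whitespace before the "(", so the payload
// is neutralized whether the call inside is alert() or this.style.color=...
// A blocklist cannot cover every encoding trick, which is why layer 2 exists.
function neutralize_css_expression(string $html): string
{
    return preg_replace('/expression\s*\(/i', '[removed](', $html);
}

// Layer 2: remove style attributes from user-supplied markup entirely.
// With no style attribute there is nowhere for expression() to live.
// DOMDocument is used instead of a regex so odd quoting or spacing in the
// user's markup does not matter.
function strip_style_attributes(string $html): string
{
    $doc = new DOMDocument();
    // Silence libxml warnings about sloppy user markup; the flags stop libxml
    // from wrapping the fragment in <html><body> and a doctype.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_use_internal_errors($prev);
    foreach ($doc->getElementsByTagName('*') as $el) {
        if ($el->hasAttribute('style')) {
            $el->removeAttribute('style');
        }
    }
    return trim($doc->saveHTML());
}

// Constructed inputs mirroring the payloads quoted in the thread, plus a
// case/spacing variant of the second one to show the filter is not literal.
$samples = [
    '<DIV STYLE="width: expression(alert(\'XSS\'));">',
    '<div style="width: expression(this.style.color=\'#ff0000\');">xss</div>',
    '<div style="width: EXPRESSION (this.style.color=\'#ff0000\');">xss</div>',
];

foreach ($samples as $s) {
    echo "input:      ", $s, PHP_EOL;
    echo "neutralized: ", neutralize_css_expression($s), PHP_EOL;
    echo "stripped:    ", strip_style_attributes($s), PHP_EOL, PHP_EOL;
}
```

Layer 2 is the one to rely on for untrusted HTML; layer 1 only raises the bar, in line with droopy's point that a filter of this kind can never be 100% complete.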
