XSS from URI calls such as uri_string() -- expected? How do I repair?
#1

[eluser]Unknown[/eluser]
A kind person emailed me today to let me know my site had cross-site scripting issues. My problem is that I just got hired on to this job and haven't even dipped in to the CodeIgniter code, so I'm a bit disoriented. Thus, I'm not even sure how to fix it. But I'll walk you through what I found. I'd love advice.

Someone calls this URL:

Code:
http://www.mysite.com/go/title/"onmouseover=promp';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->[removed]">'>[removed]alert(String.fromCharCode(88,83,83))[removed]

...and the page will appear with a JavaScript alert that reads, "XSS."

Looking into the code that generates the page, I found this:

Code:
<button type="submit">

...and since it's just a call to CodeIgniter to pass in the URI, here is what actually ends up on the page:

Code:
<button type="submit">'>[removed]alert(String.fromCharCode(88,83,83))[removed]'])">

Now, I'm not a bad coder, I can resolve this. However, I am utterly new to CodeIgniter -- as in, just found out about it when this bug came in, just a few days into my job. So I have no idea what solution is considered "best practice" here. Should the team have expected uri_string to be laundered? I've noticed that there is an XSS filter feature in config, which we have set to false (not even sure it would affect uri_string() calls if we enabled it). Is that wise to engage? Also, I've seen in some Google searching that there is an option in config to switch uri_protocol away from AUTO, though I don't know what the ripple effects are, nor if there is a switch that fixes this issue.

Or maybe this is just a traditional case of "we should wrap uri_string() in a new function that cleans its output." Not sure what the sanitizing should be off the top of my head -- rather than strip the URL or use a regex, I would want to escape/encode the URL so that it cannot break out of the quotes encapsulating it. Not clear on the appropriate PHP function for that, so pointers would be welcome.

I appreciate your help. Thanks.

EDIT: Shoot! The code got sanitized here in the forum! Here is a URL to what I was *trying* to post just now: http://shortText.com/vNWY0B
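The following is an added example written for this thread; it is not the poster's code and not part of CodeIgniter. It assumes the URI segment ends up inside a quoted HTML attribute that itself contains JavaScript (the visible output fragment `'])">` hints at an event-handler attribute, but the exact markup was stripped by the forum, so that is an assumption). The point it demonstrates is that `htmlspecialchars()` alone is not enough for that position: the browser decodes the attribute before running the handler, so the value also has to be encoded as a JavaScript literal, or better, kept out of inline script altogether.

```php
<?php
// Added example, not from the original post and not CodeIgniter code.
// Assumes the URI segment lands inside an onclick="..." attribute holding
// a JavaScript string (an assumption; the real markup was stripped).

// Constructed stand-in for CodeIgniter's uri_string(): a segment that
// tries to break out of both the JS string and the HTML attribute.
function uri_string_stub(): string
{
    return "title/\"');alert('x');//";
}

// Escape for a quoted HTML attribute. ENT_QUOTES turns both quote styles
// into entities; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function attr_escape(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a JavaScript string literal. json_encode emits a quoted,
// backslash-escaped literal; the JSON_HEX_* flags replace <, >, &, ' and "
// inside it with \uXXXX escapes so no raw markup characters survive.
function js_literal(string $v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Vulnerable pattern: raw URI value inside a JS string inside an attribute.
function button_unsafe(string $uri): string
{
    return '<button type="submit" onclick="go([\'' . $uri . '\'])">Go</button>';
}

// Still weak: HTML escaping only. The browser decodes &#039; back to a
// quote before the handler executes, so the JS string can still be closed.
function button_html_only(string $uri): string
{
    return '<button type="submit" onclick="go([\'' . attr_escape($uri) . '\'])">Go</button>';
}

// Hardened: encode for the inner context (JS literal) first, then for the
// outer context (HTML attribute). The browser undoes the layers in reverse.
function button_safe(string $uri): string
{
    return '<button type="submit" onclick="go([' . attr_escape(js_literal($uri)) . '])">Go</button>';
}

// Preferable: keep the value out of inline script entirely. A data-
// attribute needs only HTML escaping, and a script reads it via .dataset.
function button_data_attr(string $uri): string
{
    return '<button type="submit" data-uri="' . attr_escape($uri) . '">Go</button>';
}

$uri = uri_string_stub();
$variants = [
    'unsafe'    => button_unsafe($uri),
    'html-only' => button_html_only($uri),
    'safe'      => button_safe($uri),
    'data-attr' => button_data_attr($uri),
];
foreach ($variants as $label => $html) {
    echo str_pad($label, 10) . $html . PHP_EOL;
}

// Sanity check: the hardened outputs carry no raw quote from the input.
assert(strpos(attr_escape(js_literal($uri)), "'") === false);
assert(strpos(attr_escape($uri), '"') === false);
```

Run it with `php example.php` and compare the four lines: only the `safe` and `data-attr` variants leave the attribute and the JavaScript string intact. The same rule applies wherever the URI is echoed: escape at the point of output for the exact context it lands in (HTML body, attribute, or JavaScript), rather than trying to clean the URI once on the way in.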
