Potential permitted_uri_chars exploit

#1
[eluser]aamche[/eluser]
Forgive me if this has been covered. I did do some searching to see if it had been covered on the forums and Google.

Currently permitted_uri_chars allows any URL-encoded characters to pass straight through to most functions using uri_string();

Code:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

Example of the attack
Code:
https://www.mysite.co.nz/controller/view/%68%6d%6d%22%3e%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%6a%61%76%61%73%63%72%69%70%74%3a%61%6c%65%72%74%28%27%58%53%53%27%29%3b%22%3e

Given the encoding translation it can be tricky to reproduce. But the above attack will parse an iframe onto any page which calls uri_string() or current_url(), e.g.
Code:
<a href="<?php echo uri_string();?>">link</a>

Currently I'm looking at removing URL-encoded characters (%) from the URI. GET vars seem to be unaffected by the permitted_uri_chars filter.

This is not a database exploit, but a content insertion exploit.

Thoughts and comments welcome.
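
A small PHP illustration of the ordering problem described above (an added example, not CodeIgniter's own code): the whitelist function is a simplified stand-in for the framework's permitted_uri_chars test, the sample segment is constructed, and the fix shown is escaping at the point of output plus validating the decoded form.

```php
<?php
// Added example, not CodeIgniter code. Shows why a whitelist that permits '%'
// and runs on the still-encoded URI lets markup reach the page, and what to
// do about it.

// Whitelist taken from the config line quoted in the post.
$permitted_uri_chars = 'a-z 0-9~%.:_\-';

// Simplified stand-in for the framework's check (assumption: one
// case-insensitive character-class match over a whole URI segment).
function passes_whitelist(string $segment, string $permitted): bool
{
    return (bool) preg_match('/^[' . $permitted . ']+$/i', $segment);
}

// Constructed sample segment: a percent-encoded quote, '>' and a harmless <b>
// tag. On the wire it is only letters, digits and '%'.
$raw_segment = '%22%3e%3cb%3eclickme%3c%2fb%3e';

// 1. Whitelist applied to the encoded form passes, because '%' is permitted.
var_dump(passes_whitelist($raw_segment, $permitted_uri_chars));      // bool(true)

// 2. What the page actually receives once the web server (PATH_INFO) or the
//    browser/PHP has decoded it.
$decoded_segment = rawurldecode($raw_segment);                         // "><b>clickme</b>

// 3. The same whitelist applied after decoding rejects it: '"', '<', '>' and
//    '/' are outside the permitted set. Validate the decoded form, not the raw one.
var_dump(passes_whitelist($decoded_segment, $permitted_uri_chars));  // bool(false)

// 4. Output context from the post. Echoing the segment unescaped lets the
//    quote close the href attribute and the tag land in the document.
$vulnerable = '<a href="' . $decoded_segment . '">link</a>';

// Hardened: escape for the HTML attribute context regardless of what the
// URI contained, so the quote and angle brackets become entities.
$hardened = '<a href="' . htmlspecialchars($decoded_segment, ENT_QUOTES, 'UTF-8') . '">link</a>';

echo $vulnerable, "\n";  // <a href=""><b>clickme</b>">link</a>
echo $hardened, "\n";    // <a href="&quot;&gt;&lt;b&gt;clickme&lt;/b&gt;">link</a>
```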

#2
[eluser]aamche[/eluser]
Oh, if you are seeing an iframe, you are seeing it un-encoded (tricky to post in the forums) and will need to URL-encode everything after view/ before pasting it into the browser address bar. It's tricky, but once you know how to do it, it's quite easy to html.

Conceivably, you could post a poisoned link which, on click, replaces a login form using a form action that uses current_url().
