Hall of Fame

[diego.bardalez]

Hello guys,

I found a security problem in the phpvibe script
Stored XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

POC: upload a video or image , set title = "><img src=X onerror=prompt(1337);>
"
Demo: http://www.videoscriptdemo.com/video/7358/-quot-gt-lt-img-src-x-onerror-prompt-1337-gt-/&nsfw=1



Regards

[TigerClaw]

Thank you to have advised the community about it but I strongly suggest to modify your post and send first of all the information by private message to Mario

[Marius P.]

Hi, thank you for reporting!
I've updated the anti_xss class to include the 'onerror' tag also.

[Abraham]

Hi,

What should we do to fix?

[Marius P.]

Will post shortly a topic for the patch.

[Marius P.]

Ok, here is a brief update:

lib/functions.html.php

Find:

Code Select Expand

//This light function strips everything...no questions asked
//...except for some few safe html tags

Replace the function under this comment with :

Code Select Expand

function antixss_light($text) {
$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
$text  = strip_tags($text);
//Remove external scripts
$search = array(
    '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
    '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
  );
$tx_output = preg_replace($search, '', $text);
//Deep remove the rest
$injections = array('<script','iframe','<object','applet','<embed','onblur',');>','onchange','onclick','ondblclick','onfocus','onkeydown','onkeypress','onkeyup','onload','onmousedown','onmousemove','onmouseout','onmouseover','onmouseup','onreset','onselect','onsubmit','onunload', '<src','<img src','onerror','prompt(','alert(', 'document.body.innerHTML', 'document.body', 'document.title','<!--','innerHTML');
$output  = str_replace($injections, '', $tx_output);
return $output;
}

[PHPClient]

I performed the recommend patch and an error code was generated for line 455 (syntax)

See attachment

Thanks

Mario

[Marius P.]

What' the error code, I've updated all sites with this and no problem.

[PHPClient]

See 1st attachment for error code
See 2nd attachment for error codes when I click on "Upload" on website
See 3rd attachment for php code pasted

If I remove the "}" from line 455, I still get the error codes in attachment #2

[Marius P.]

Matte, you didn't replace the function, you've just replaced the function name line (first line).
I've just now looked closer, you've left all of the old function there except the first line in it.

[Marius P.]

Remove all in the red zone

[PHPClient]

Done. Thanks. All good.