[ Video Sharing CMS v4 ] Security Problem

diego.bardalez · 11 December, 2014

Hello guys,

I found a security problem in the phpvibe script
Stored XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

POC: upload a video or image , set title = "><img src=X onerror=prompt(1337);>
"
Demo: http://www.videoscriptdemo.com/video/7358/-quot-gt-lt-img-src-x-onerror-prompt-1337-gt-/&nsfw=1

Regards

TigerClaw · 11 December, 2014

Thank you to have advised the community about it but I strongly suggest to modify your post and send first of all the information by private message to Mario

Marius P. · 12 December, 2014

Hi, thank you for reporting!
I've updated the anti_xss class to include the 'onerror' tag also.

Abraham · 12 December, 2014

Hi,

What should we do to fix?

Marius P. · 12 December, 2014

Will post shortly a topic for the patch.

Marius P. · 13 December, 2014

Ok, here is a brief update:

lib/functions.html.php

Find:

Code Select

//This light function strips everything...no questions asked
//...except for some few safe html tags

Replace the function under this comment with :

Code Select

function antixss_light($text) {
$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
$text  = strip_tags($text);
//Remove external scripts
$search = array(
    '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
    '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
  );
$tx_output = preg_replace($search, '', $text);
//Deep remove the rest
$injections = array('<script','iframe','<object','applet','<embed','onblur',');>','onchange','onclick','ondblclick','onfocus','onkeydown','onkeypress','onkeyup','onload','onmousedown','onmousemove','onmouseout','onmouseover','onmouseup','onreset','onselect','onsubmit','onunload', '<src','<img src','onerror','prompt(','alert(', 'document.body.innerHTML', 'document.body', 'document.title','<!--','innerHTML');
$output  = str_replace($injections, '', $tx_output);
return $output;
}

PHPClient · 14 December, 2014

I performed the recommend patch and an error code was generated for line 455 (syntax)

See attachment

Thanks

Mario

Marius P. · 16 December, 2014

What' the error code, I've updated all sites with this and no problem.

PHPClient · 16 December, 2014

See 1st attachment for error code
See 2nd attachment for error codes when I click on "Upload" on website
See 3rd attachment for php code pasted

If I remove the "}" from line 455, I still get the error codes in attachment #2

Marius P. · 16 December, 2014

Matte, you didn't replace the function, you've just replaced the function name line (first line).
I've just now looked closer, you've left all of the old function there except the first line in it.

Marius P. · 16 December, 2014

Remove all in the red zone

PHPClient · 19 December, 2014

Done. Thanks. All good.

PHPVIBE Forums

[ Video Sharing CMS v4 ] Security Problem

diego.bardalez

TigerClaw

Marius P.

Abraham

Marius P.

Marius P.

PHPClient

Marius P.

PHPClient

Marius P.

Marius P.

PHPClient

Similar topics (7)