LEAKFREE-2014-004 / BID-71431

Yii framework CmsInput Extension 'CmsInput.php' Cross Site Scripting Vulnerability

[+] BID: BID-71431
[+] LF-ID: LEAKFREE-2014-004
[+] CVSS: 7.0
[+] Vendor: Yii Framework
[+] Product: CmsInput
[+] Versions affected: 1.2 and earlier

Vulnerability

Yii framework's CmsInput extension [1], versions 1.2 and prior, suffers from an improper XSS sanitation implementation, introducing XSS vulnerabilities in web applications developed by third-party framework users [3]; the issue has since been resolved in cooperation with the author [2]. CmsInput is an extension of the Yii framework designed to wrap HtmlPurifier and the CodeIgniter Security class in a single component for user-input sanitation. The problem resides in CmsInput's default cleaning method stripClean in CmsInput.php:

public function stripClean($str)
{
    // stripTags() runs first; xssClean(), which URL-decodes, runs second.
    return $this->xssClean($this->stripTags($str));
}

What happens is that stripTags is called on the user-supplied input before xssClean is called. stripTags is designed to eliminate all HTML and PHP tags from the user-supplied input by wrapping PHP's strip_tags [4] function. xssClean is a wrapper for CodeIgniter's xss_clean [5] function, which aims to strip user-supplied input of all suspicious XSS-related content. Within xssClean, the user-supplied input is URL-decoded before further processing:

$str = rawurldecode($str);

The problem arises when stripClean is used to sanitize a URL-encoded user-supplied string, which is later used under the assumption that it was stripped of all possible XSS vectors. Since stripTags simply eliminates all raw HTML and PHP tags and a URL-encoded string contains none, the string is passed to xssClean unchanged, where it is URL-decoded into a string containing HTML tags, thus allowing injection of (a limited subset of) HTML elements in unintended locations.

Proof of Concept

stripClean("%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.tld%2Fcsrf.php%22%3E") = '<img src = "http://test.tld/csrf.php";>'
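The ordering defect described above, reproduced with PHP built-ins only, as an added example that is not CmsInput's own code: the vulnerable strip-then-decode order beside a decode-first variant. The hypothetical xssCleanStub() stands in for CodeIgniter's xss_clean() and models only its rawurldecode() step; the decode-first variant also loops until the string is stable, which goes beyond the single-encoded case in the PoC.

```php
<?php
// Added example, not from the CmsInput extension. xssCleanStub() is a
// hypothetical stand-in that models only the rawurldecode() step of
// CodeIgniter's xss_clean(); the real function does much more.
function xssCleanStub(string $str): string
{
    return rawurldecode($str);
}

// Vulnerable order (CmsInput 1.2 and earlier): strip_tags() finds no
// tags in URL-encoded input, so the payload reaches the decode step intact.
function stripCleanVulnerable(string $str): string
{
    return xssCleanStub(strip_tags($str));
}

// Decode-first variant (illustration, not the vendor's 1.3 fix): canonicalise
// by decoding until the string stops changing, then strip tags, so
// strip_tags() sees the same form the consumer will see.
function stripCleanDecodeFirst(string $str): string
{
    do {
        $prev = $str;
        $str  = rawurldecode($str);
    } while ($str !== $prev);
    return xssCleanStub(strip_tags($str));
}

// Constructed input: the advisory's PoC string, single URL-encoded.
$input = '%3Cimg%20src%20%3D%20%22http%3A%2F%2Ftest.tld%2Fcsrf.php%22%3E';

echo "vulnerable order : ", stripCleanVulnerable($input), PHP_EOL;
echo "decode-first     : ", stripCleanDecodeFirst($input), PHP_EOL;
```

Comparing the two outputs on the PoC string shows the tag surviving only in the vulnerable order; the stripped result is empty because strip_tags() removes the whole img element.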

Mitigation

Upgrade to CmsInput version 1.3 [2]

References

1. http://www.yiiframework.com/extension/input/

2. http://www.yiiframework.com/extension/input/#hh7

3. https://www.humhub.org/

4. http://php.net/manual/en/function.strip-tags.php

5. https://ellislab.com/codeigniter/user-guide/libraries/security.html

Contact

For more information or a no-obligation quote, contact us at contact@leakfree.nl (PGP)