[drupal-devel] [bug] XSS vulnerability in comments
Mogurito
drupal-devel at drupal.org
Wed Sep 14 12:22:38 UTC 2005
Issue status update for
http://drupal.org/node/31197
Post a follow up:
http://drupal.org/project/comments/add/31197
Project: Drupal
Version: 4.6.0
Component: comment.module
Category: bug reports
Priority: critical
Assigned to: Mogurito
Reported by: Mogurito
Updated by: Mogurito
Status: patch (code needs review)
*CORRECTION* (The comment is not complete)
The source code interpreted by the browser, have html comment with the
subject by each comment. For example, if we post a comment like
'Hello', Drupal write in the source code . But the problem come when a
post is send with special characters like '<'. If we post a comment
like '-->Hello XSS', the comment in the source code will be closed,
provocating that "Hello XSS-->" string will be show in the page. If the
"Hello XSS" string will be replaced by a script, we can get a XSS
Attack.
Solution
Analize the subject string and replacing the special characters (<,>,
') for (&<, &>, &")
How
Adding this lines to the function comment_validate_form:
$edit['subject'] = ereg_replace("<", "&<", $edit['subject']);
$edit['subject'] = ereg_replace(">", "&>", $edit['subject']);
$edit['subject'] = ereg_replace(""", "&"", $edit['subject']);
Notes
- Sorry, but my english is not very cool.
Mogurito
Previous comments:
------------------------------------------------------------------------
Wed, 14 Sep 2005 12:12:05 +0000 : Mogurito
Attachment: http://drupal.org/files/issues/comment.module_13.diff (632 bytes)
The source code interpreted by the browser, have html comment with the
subject by each comment. For example, if we post a comment like
'Hello', Drupal write in the source code . But the problem come when a
post is send with special characters like 'Hello XSS', the comment in
the source code will be closed, provocating that "Hello XSS-->" string
will be show in the page. If the "Hello XSS" string will be replaced by
a script, we can get a XSS Attack.
*Solution*
Analize the subject string and replacing the special characters (, ')
for (<, >, ")
*How*
Adding this lines to the function comment_validate_form:
$edit['subject'] = ereg_replace("", ">", $edit['subject']);
$edit['subject'] = ereg_replace("\'", """, $edit['subject']);
*Notes*
- Sorry, but my english is not very cool.
More information about the drupal-devel
mailing list