[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MVSA-11-013 - EllisLab xss_clean Filter Bypass - ExpressionEngine and CodeIgniter

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MVSA-11-013 - EllisLab xss_clean Filter Bypass - ExpressionEngine and CodeIgniter
From: marian.ventuneac@xxxxxxxxx
Date: Mon, 28 Nov 2011 23:57:47 GMT

CVE: CVE-2011-4025      
Vendor: EllisLab        
Products: ExpressionEngine 2.2.2, CodeIgniter 2.0.3
Vulnerabilities: xss_clean filter bypass, leading to Cross-Site Scripting (XSS)
Risk: High      
Attack Vector: From Remote      
Reference: 
http://secureappdev.blogspot.com/2011/11/ellislab-xssclean-filter-bypass.html

        
1. Description

EllisLab ExpressionEngine 2.2.2 and CodeIgniter 2.0.3 were found vulnerable to 
various XSS attacks when relying on XSS protection provided by xss_clean 
filter. When exploited by an external/internal attacker, such identified 
vulnerabilities could lead to Session Hijack, Information Disclosure, force 
installation of malicious file or Trojan on users' PCs, etc.

Due to implementation flaws affecting functions _remove_evil_attributes 
function flaw and xss_clean of CI_Security class, the internal XSS filter can 
be bypassed, thus allowing successful XSS attacks on products using either 
ExpressionEngine 2.2.2 or CodeIgniter 2.0.3.

_remove_evil_attributes function of CI_Security class allows detection and 
removal of 'evil' on* event attributes (e.g. onmouseover, onfocus, etc) from 
any HTML tag submitted as a parameter of GET or POST requests. By exploiting an 
implementation flaw identified in _remove_evil_attributes function, an attacker 
can inject XSS payloads relying on the use of 'evil' on* attributes, as shown 
below:
        
XSS injected payload: <a href=?#?onclick=?alert(1)?>" onclick="">

xss_clean 'filtered' output: <a href=?#>" onclick="">
 
xss_clean function includes functionality for replacing any detected ( ) 
characters with the corresponding HTML entities (&#40; ,  &#41; respectively). 
As stated by EllisLab developers, something like eval('some code') becomes 
eval&#40;'some code'&#41; and such rewritten code is harmless.

When the code to be sanitised is JavaScript and is part of an attribute of an 
HTML tag, replacing ( ) characters with corresponding HTML entities still 
allows successful execution of such JavaScript code by the browser. 

When the flaws affecting both _remove_evil_attributes function and xss_clean 
functions are exploited together, this allows successful injection and 
execution of common XSS attack payloads, as shown below:

XSS injected payload: <a href="#"onclick="alert(1)">" onclick="alert(2)">aa</a>

xss_clean 'filtered' output: <a href="#>" onclick="alert&#40;2&#41;">aa</a>


2. Affected Versions

EllisLab ExpressionEngine 2.2.2
EllisLab CodeIgniter 2.0.3


3. Mitigation
    
Vendor recommends upgrading to ExpressionEngine 2.3.0 or later, respectively to 
CodeIgniter 2.1.0 or later.  
 
4. Disclosure Timeline

2011, September 08: Vulnerabilities discovered and documented
2011, September 08: Notification sent to EllisLab
2011, September 08: Vulnerabilities confirmed by EllisLab
2011, October 11: EllisLab released ExpressionEngine 2.3.0
2011, November 14: EllisLab released CodeIgniter 2.1.0
2011, November 28: MVSA-11-013 advisory published.


MVSA-11-013
Dr. Marian Ventuneac

Prev by Date: ZDI-11-333 : RealNetworks RealPlayer ATRC Code Data Parsing Remote Code Execution Vulnerability
Next by Date: Security-Assessment.com Release: Hacking Hollywood Slides, Advisories and Exploits
Previous by thread: ZDI-11-333 : RealNetworks RealPlayer ATRC Code Data Parsing Remote Code Execution Vulnerability
Next by thread: Security-Assessment.com Release: Hacking Hollywood Slides, Advisories and Exploits
Index(es):
- Date
- Thread