MVSA-11-013 - EllisLab xss_clean Filter Bypass - ExpressionEngine and CodeIgniter
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: MVSA-11-013 - EllisLab xss_clean Filter Bypass - ExpressionEngine and CodeIgniter
- From: marian.ventuneac@xxxxxxxxx
- Date: Mon, 28 Nov 2011 23:57:47 GMT
CVE: CVE-2011-4025
Vendor: EllisLab
Products: ExpressionEngine 2.2.2, CodeIgniter 2.0.3
Vulnerabilities: xss_clean filter bypass, leading to Cross-Site Scripting (XSS)
Risk: High
Attack Vector: From Remote
Reference:
http://secureappdev.blogspot.com/2011/11/ellislab-xssclean-filter-bypass.html
1. Description
EllisLab ExpressionEngine 2.2.2 and CodeIgniter 2.0.3 were found vulnerable to
various XSS attacks when relying on the XSS protection provided by the xss_clean
filter. When exploited by an external or internal attacker, these
vulnerabilities could lead to session hijacking, information disclosure, forced
installation of malicious files or Trojans on users' PCs, etc.
Due to implementation flaws in the _remove_evil_attributes and xss_clean
functions of the CI_Security class, the internal XSS filter can be bypassed,
thus allowing successful XSS attacks on products using either ExpressionEngine
2.2.2 or CodeIgniter 2.0.3.
The _remove_evil_attributes function of the CI_Security class detects and
removes 'evil' on* event attributes (e.g. onmouseover, onfocus, etc.) from
any HTML tag submitted as a parameter of a GET or POST request. By exploiting an
implementation flaw identified in _remove_evil_attributes, an attacker
can inject XSS payloads that rely on 'evil' on* attributes, as shown
below:
XSS injected payload: <a href="#"onclick="alert(1)">" onclick="">
xss_clean 'filtered' output: <a href="#>" onclick="">
The xss_clean function also replaces any detected ( and ) characters with the
corresponding HTML entities (&#40; and &#41; respectively).
As stated by EllisLab developers, something like eval('some code') becomes
eval&#40;'some code'&#41;, and such rewritten code is considered harmless.
However, when the code to be sanitised is JavaScript placed inside an attribute
of an HTML tag, the browser decodes the HTML entities when it parses the
attribute value, so replacing ( and ) with entities still allows the
JavaScript to be executed.
When the flaws affecting _remove_evil_attributes and xss_clean are exploited
together, common XSS attack payloads can be injected and executed, as shown
below:
XSS injected payload: <a href="#"onclick="alert(1)">" onclick="alert(2)">aa</a>
xss_clean 'filtered' output: <a href="#>" onclick="alert(2)">aa</a>
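The two points above (entity-encoded parentheses are undone when the browser decodes an attribute value, and an unescaped double quote lets untrusted text open a new attribute), as an added example that is not part of the advisory and not code from EllisLab's CodeIgniter. decodeAttributeValue is a simplified model of browser attribute decoding (numeric references plus amp, lt, gt and quot only); neutraliseParens, parseAttributes and renderLink are hypothetical helpers written for this illustration. The second half shows the defender's alternative to a blacklist: encode the untrusted value for the attribute context at output time.

```javascript
// Added example, not code from the advisory or from EllisLab's CodeIgniter.
// Shows why rewriting "(" and ")" to &#40; and &#41; inside an attribute does
// not stop script, and what context-aware output encoding does instead.

const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"' };

// Simplified model of how a browser decodes character references while
// tokenising an attribute value: one left-to-right pass over numeric
// (&#NN; / &#xHH;) references and the four common named references.
function decodeAttributeValue(value) {
  return value.replace(
    /&(?:#([xX][0-9a-fA-F]+|[0-9]+)|(amp|lt|gt|quot));/g,
    (match, num, name) => {
      if (name !== undefined) return NAMED_REFS[name];
      const cp = /^[xX]/.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
      return String.fromCodePoint(cp);
    }
  );
}

// The parenthesis rewrite the advisory describes, modelled here for the
// demonstration (hypothetical helper, not CodeIgniter's implementation).
function neutraliseParens(js) {
  return js.replace(/\(/g, '&#40;').replace(/\)/g, '&#41;');
}

// Context-aware encoding for a value placed inside a double-quoted attribute:
// every character that could close the attribute or start a reference is
// escaped, so the untrusted text can never become a new attribute.
function escapeHtmlAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal extractor for double-quoted attributes (enough for the tags built
// in this example), returning decoded values keyed by attribute name.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([A-Za-z][\w-]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = decodeAttributeValue(m[2]);
  }
  return attrs;
}

// Hypothetical view helper that places untrusted text into a title
// attribute, with or without output encoding.
function renderLink(untrustedTitle, encode) {
  const v = encode ? escapeHtmlAttribute(untrustedTitle) : untrustedTitle;
  return `<a href="#" title="${v}">link</a>`;
}

// 1. The "filtered" handler still carries runnable code once the browser
//    decodes the attribute value.
const filteredHandler = neutraliseParens('alert(1)');              // alert&#40;1&#41;
const whatTheJsEngineSees = decodeAttributeValue(filteredHandler); // alert(1)

// 2. Constructed untrusted input (same shape as the advisory's payload) that
//    tries to close the attribute and add an event handler.
const untrusted = '" onclick="alert(2)';
const brokenOut = parseAttributes(renderLink(untrusted, false));
const contained = parseAttributes(renderLink(untrusted, true));

console.log(whatTheJsEngineSees);                    // alert(1)
console.log('onclick' in brokenOut);                 // true: attribute injection
console.log('onclick' in contained, contained.title); // false '" onclick="alert(2)'
```

The contrast is the point: a blacklist that rewrites characters inside an attribute is undone by the browser's own decoding, whereas escaping the value for the attribute context keeps the whole untrusted string inside one attribute, where the title decodes back to exactly what was submitted and no onclick attribute exists.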
2. Affected Versions
EllisLab ExpressionEngine 2.2.2
EllisLab CodeIgniter 2.0.3
3. Mitigation
The vendor recommends upgrading to ExpressionEngine 2.3.0 or later, or to
CodeIgniter 2.1.0 or later.
4. Disclosure Timeline
2011, September 08: Vulnerabilities discovered and documented
2011, September 08: Notification sent to EllisLab
2011, September 08: Vulnerabilities confirmed by EllisLab
2011, October 11: EllisLab released ExpressionEngine 2.3.0
2011, November 14: EllisLab released CodeIgniter 2.1.0
2011, November 28: MVSA-11-013 advisory published.
MVSA-11-013
Dr. Marian Ventuneac