XSS example page #1
Comments
QCubed Framework 2.2 Development Release (QCubed 2.2) Error Type: E_USER_WARNING Source File: /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php Line: 179 Line 174: // need to give global permissions Call Stack: #0 (): QcodoHandleError() Variable Dump: COOKIE_ENV_FILES_GET_POSTarray ( ', 'SERVER_SOFTWARE' => 'Apache/2.2.14 (Ubuntu)', 'SERVER_NAME' => 'examples.qcu.be', 'SERVER_ADDR' => '72.10.39.96', 'SERVER_PORT' => '80', 'REMOTE_ADDR' => '88.191.228.204', 'DOCUMENT_ROOT' => '/var/www/examples.qcu.be/htdocs', 'SERVER_ADMIN' => '[no address given]', 'SCRIPT_FILENAME' => '/var/www/examples.qcu.be/htdocs/assets/_core/php/examples/basic_qform/xss.php', 'REMOTE_PORT' => '60083', 'GATEWAY_INTERFACE' => 'CGI/1.1', 'SERVER_PROTOCOL' => 'HTTP/1.0', 'REQUEST_METHOD' => 'POST', 'QUERY_STRING' => '', 'REQUEST_URI' => '/assets/_core/php/examples/basic_qform/xss.php', 'SCRIPT_NAME' => '/assets/_core/php/examples/basic_qform/xss.php', 'PHP_SELF' => '/assets/_core/php/examples/basic_qform/xss.php', 'REQUEST_TIME' => 1365586043, )configPath Error Report Generated: Wednesday, April 10 2013, 2:27:24 AM
I've seen an error on a ParsePostData function as well. Laurent
I am not getting the problem and things are working fine. Please check again.
OK, it seemed at first glance to work like a charm. First - QCrossScripting::Deny isn't working for me with that injection: <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie); > On Chrome and on FF it pops up my cookie (alert); that's pretty fun because the <img src="javascript:alert(document.cookie);"> tag fires the right XSS violation Exception. (<audio src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> and <video src="http://url.to.file.which/not.exist" onerror=alert("xss");> work as well.) I think that the onError event isn't handled properly. Second - on Chrome only, QCrossScripting::Deny does not block this tag: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg"> Hope this helps. Laurent
Plus, it's also possible to post an entire form through this control. I put this: </span><form method="POST" action="#" name="upload" class="form-horizontal well" id="myForm"><input type="file" name="myfile"><input type="button" value="test"></form><span> and checked through Firebug, and the action and method attributes are set. I'm wondering if this is normal behavior? Laurent
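The two gaps reported in the comments above (an `onerror` handler surviving on an otherwise harmless `<img>`, a `<meta>` refresh passing on one browser, and a whole `<form>` being injected) are the usual failure of a deny list: it has to name every bad tag, attribute and URL scheme. The following is an added example, not QCubed code and not code posted by anyone in this thread: an allowlist sanitizer built on Python's standard `html.parser`, which keeps only the tags and attributes it knows, drops every `on*` attribute and `javascript:`/`data:` URL by construction, and refuses to emit a closing tag it did not open, so a stray `</span>` cannot break out of the host markup. The tag set and URL schemes in `ALLOWED` and `SAFE_SCHEMES` are an assumed policy for the demo.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: tag -> attributes that may survive. Anything not listed (script, meta, form,
# audio, video, every on* handler attribute) is dropped instead of being denied by name.
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
           "br": set(), "span": set(), "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                              # tags that never get a closing tag
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # assumed policy for this demo

def safe_url(value):
    # Accept known schemes or scheme-less relative URLs; rejects javascript:, data:, ...
    v = value.strip().lower()
    return v.startswith(SAFE_SCHEMES) or ":" not in v

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()                        # entities in text/attrs are decoded
        self.out, self.stack = [], []             # output fragments, open tags
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                                # unknown tag and its attributes vanish
        kept = []
        for name, value in attrs:                 # names arrive lowercased
            if name not in ALLOWED[tag]:
                continue                          # onerror= and friends are removed here
            if name in ("href", "src") and not safe_url(value or ""):
                continue                          # javascript:/data: URLs are removed
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:                     # only close tags we opened, so a stray
            while self.stack:                     # </span> cannot escape the host markup
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text content is always re-escaped

def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    while p.stack:                                # balance anything left open
        p.out.append(f"</{p.stack.pop()}>")
    return "".join(p.out)
```

Running the thread's own samples through `sanitize()` leaves `<img src="http://url.to.file.which/not.exist">`, `<img>`, an empty string for the `<meta>` refresh, and `<span></span>` for the injected form.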
@LX-3 Thanks for pointing them out. I will try to get this done as soon as possible. Yes, those two cases are not handled properly due to the built-in method QCubed uses for CrossScripting filters in Deny mode. Regards
@LX-3 it was me who did the chmod 777 for /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer
@LX-3 that is why (your reports) it is recommended to use industry-standard solutions like HTMLPurifier. Use QCrossScripting::HTMLPurifier to be secure with QCubed.
Is this an issue we should file under framework for QCrossScripting? There doesn't seem to be anything wrong with the examples site itself.
Hello everyone!
I'm wondering if the behavior is normal on this example page:
http://examples.qcu.be/assets/_core/php/examples/basic_qform/xss.php.
I get many errors even if I put just "test" in the first textbox.
Regards,
Laurent