XSS example page #1

Open
LX-3 opened this issue Apr 10, 2013 · 9 comments

Comments

@LX-3 commented Apr 10, 2013

Hello everyone!

I'm wondering if the behavior is normal on this example page:

http://examples.qcu.be/assets/_core/php/examples/basic_qform/xss.php.

I get many errors even if I put just "test" in the first textbox.
Regards,

Laurent

@LX-3 (Author) commented Apr 10, 2013

QCubed Framework 2.2 Development Release (QCubed 2.2)
An Error Occurred
Error in PHP Script /assets/_core/php/examples/basic_qform/xss.php
Directory /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer not writable, please chmod to 777

Error Type: E_USER_WARNING

Source File: /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php Line: 179

Line 174: // need to give global permissions
Line 175: $chmod = $chmod | 0777;
Line 176: }
Line 177: trigger_error('Directory '.$dir.' not writable, '.
Line 178: 'please chmod to ' . decoct($chmod),
Line 179: E_USER_WARNING);
Line 180: } else {
Line 181: // generic error message
Line 182: trigger_error('Directory '.$dir.' not writable, '.
Line 183: 'please alter file permissions',
Line 184: E_USER_WARNING);

Call Stack:

#0 (): QcodoHandleError()
#1 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php(179): trigger_error()
#2 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php(135): HTMLPurifier_DefinitionCache_Serializer->_testPermissions()
#3 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php(54): HTMLPurifier_DefinitionCache_Serializer->_prepareDir()
#4 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator.php(57): HTMLPurifier_DefinitionCache_Serializer->cleanup()
#5 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php(37): HTMLPurifier_DefinitionCache_Decorator->cleanup()
#6 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/Config.php(403): HTMLPurifier_DefinitionCache_Decorator_Cleanup->get()
#7 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/Config.php(330): HTMLPurifier_Config->getDefinition()
#8 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/Generator.php(65): HTMLPurifier_Config->getHTMLDefinition()
#9 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier.php(127): HTMLPurifier_Generator->__construct()
#10 /var/www/examples.qcu.be/htdocs/includes/qcubed/_core/base_controls/QTextBoxBase.class.php(137): HTMLPurifier->purify()
#11 /var/www/examples.qcu.be/htdocs/includes/qcubed/_core/base_controls/QFormBase.class.php(261): QTextBoxBase->ParsePostData()
#12 /var/www/examples.qcu.be/htdocs/assets/_core/php/examples/basic_qform/xss.php(145): QFormBase::Run()

Variable Dump:

POST array (
'c1' => 'test',
'c4' => 'test',
'c7' => 'test',
'c10' => 'test',
'c13' => 'test',
'Qform__FormState' => '51653061ea222_1',
'Qform__FormId' => 'ExamplesForm',
'Qform__FormControl' => 'c15',
'Qform__FormEvent' => 'QClickEvent#a5',
'Qform__FormParameter' => '',
'Qform__FormCallType' => 'Ajax',
'Qform__FormUpdates' => '',
'Qform__FormCheckableControls' => '',
)

SERVER array (
'UNIQUE_ID' => 'UWUwe0gKJ2AAACSwcoIAAAAH',
'HTTP_HOST' => 'examples.qcu.be',
'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0',
'HTTP_ACCEPT' => '*/*',
'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5',
'CONTENT_TYPE' => 'application/x-www-form-urlencoded; charset=UTF-8',
'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
'CONTENT_LENGTH' => '254',
'HTTP_COOKIE' => 'SESSdbd0d8e32998e36b1ddea35cccda542a=jon0htk0g6qm2g7qbp782eqgn0; __utma=189883307.1592465276.1363969493.1365413573.1365511899.5; __utmz=189883307.1363969493.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=gpf43ad48jjvvb5p2jtj661fa2',
'HTTP_DNT' => '1',
'HTTP_PRAGMA' => 'no-cache',
'HTTP_CACHE_CONTROL' => 'no-cache, max-age=259200',
'HTTP_CONNECTION' => 'keep-alive',
'PATH' => '/usr/local/bin:/usr/bin:/bin',
'SERVER_SIGNATURE' => 'Apache/2.2.14 (Ubuntu) Server at examples.qcu.be Port 80',
'SERVER_SOFTWARE' => 'Apache/2.2.14 (Ubuntu)',
'SERVER_NAME' => 'examples.qcu.be',
'SERVER_ADDR' => '72.10.39.96',
'SERVER_PORT' => '80',
'REMOTE_ADDR' => '88.191.228.204',
'DOCUMENT_ROOT' => '/var/www/examples.qcu.be/htdocs',
'SERVER_ADMIN' => '[no address given]',
'SCRIPT_FILENAME' => '/var/www/examples.qcu.be/htdocs/assets/_core/php/examples/basic_qform/xss.php',
'REMOTE_PORT' => '60083',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'SERVER_PROTOCOL' => 'HTTP/1.0',
'REQUEST_METHOD' => 'POST',
'QUERY_STRING' => '',
'REQUEST_URI' => '/assets/_core/php/examples/basic_qform/xss.php',
'SCRIPT_NAME' => '/assets/_core/php/examples/basic_qform/xss.php',
'PHP_SELF' => '/assets/_core/php/examples/basic_qform/xss.php',
'REQUEST_TIME' => 1365586043,
)

Error Report Generated: Wednesday, April 10 2013, 2:27:24 AM
PHP Version: 5.3.2-1ubuntu4.18; Zend Engine Version: 2.3.0; QCubed Version: 2.2 Development Release (QCubed 2.2)
Application: Apache/2.2.14 (Ubuntu); Server Name: examples.qcu.be
HTTP User Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
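The warning in the report above tells the operator to `chmod 777` the HTMLPurifier definition cache, and a later comment in this thread confirms that is what was done on the examples server. A world-writable directory is more privilege than the web server needs: any local account on the host can then plant or alter files that the application later reads back and trusts. The report as pasted also discloses absolute filesystem paths, the PHP and Apache versions and the reporter's own PHPSESSID and Drupal session cookie, so verbose error pages like this one should not be served to anonymous visitors in the first place.

The following is an added example, not code from the issue, from QCubed or from HTMLPurifier, that grants write access to the web-server account only and verifies the result. The account name `www-data` is an assumption for an Ubuntu/Apache host; the `demo()` function builds a throwaway directory that imitates the 777 state and hardens it, so it can be run without touching a real install.

```python
import os
import pwd
import shutil
import stat
import tempfile

# Assumption: on Ubuntu's Apache the PHP process runs as www-data; adjust per host.
WEB_USER = "www-data"


def _user_exists(name):
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def harden_cache_dir(path, owner=None):
    """Make an HTMLPurifier DefinitionCache/Serializer directory writable by the
    web-server account only, instead of the chmod 777 the warning suggests.

    Directory mode becomes 0750 and file mode 0640 for everything under `path`.
    Ownership is changed only when running as root and the user exists (chown
    fails otherwise); the caller should run this as root on a real server.
    Returns the resulting permission bits of `path`.
    """
    os.makedirs(path, mode=0o750, exist_ok=True)
    os.chmod(path, 0o750)  # owner rwx, group rx, others nothing
    for root, dirs, files in os.walk(path):
        for name in dirs:
            os.chmod(os.path.join(root, name), 0o750)
        for name in files:
            os.chmod(os.path.join(root, name), 0o640)  # cache files: no execute, no o+w
    if owner and hasattr(os, "geteuid") and os.geteuid() == 0 and _user_exists(owner):
        shutil.chown(path, user=owner)
        for root, dirs, files in os.walk(path):
            for name in dirs + files:
                shutil.chown(os.path.join(root, name), user=owner)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_writable(path):
    """The check an audit script runs: any o+w bit on the cache directory is a finding."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def demo():
    """Recreate the 777 state from the issue in a temp dir, harden it, report the modes."""
    tmp = tempfile.mkdtemp()
    cache = os.path.join(tmp, "Serializer")
    cached = os.path.join(cache, "HTML", "example.ser")  # constructed cache file name
    os.makedirs(os.path.dirname(cached))
    open(cached, "w").close()
    os.chmod(cache, 0o777)   # what "please chmod to 777" leaves behind
    os.chmod(cached, 0o666)
    before = is_world_writable(cache)
    dir_mode = harden_cache_dir(cache, owner=WEB_USER)
    after = is_world_writable(cache)
    file_mode = stat.S_IMODE(os.stat(cached).st_mode)
    shutil.rmtree(tmp)
    return {"before": before, "after": after, "dir_mode": dir_mode, "file_mode": file_mode}


if __name__ == "__main__":
    print(demo())
```

On a real host the group on the directory should be the one the PHP worker runs under, so that a separate deploy account can still read the cache while nothing else on the machine can write it. If the library directory itself must stay read-only, HTMLPurifier's `Cache.SerializerPath` directive lets the cache live somewhere outside the code tree, which is the cleaner layout.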

@LX-3 (Author) commented Apr 10, 2013

I've seen an error on a ParsePostData function as well.
Hope this could help :/
Regards,

Laurent

@vaibhav-kaushal (Member)

I am not getting the problem and things are working fine. Please check again.

@LX-3 (Author) commented May 5, 2013

OK, at first glance it seemed to work like a charm,
BUT, though I can't reproduce what happened and I don't know what this exception was in the first place, I've got another problem:

First - QCrossScripting::Deny isn't working for me with this injection:

<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>

On Chrome and on FF it pops up my cookie (alert); that's pretty fun, because the <img src="javascript:alert(document.cookie);"> tag fires the right XSS violation exception.

(<audio src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> and <video src="http://url.to.file.which/not.exist" onerror=alert("xss");> work as well)

I think that the onError event isn't handled properly.

Second - on Chrome only, QCrossScripting::Deny does not block this tag:

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">

Hope this helps
Regards,

Laurent

@LX-3 (Author) commented May 6, 2013

Plus, it's also possible to post an entire form through this control. I put this:

</span><form method="POST" action="#" name="upload" class="form-horizontal well" id="myForm"><input type="file" name="myfile"><input type="button" value="test"></form><span>

and checked through Firebug, and the action + method attributes are set. I'm wondering if this is normal behavior?
Regards,

Laurent
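The two reports above (the May 5 comment with the `onerror`, `javascript:` and `<META refresh>` payloads, and the May 6 comment with the injected `<form>`) describe one failure mode: a filter that recognises a few dangerous patterns, such as `javascript:` URLs, but does not know that any `on*` attribute, any `<meta>` and any unexpected element is just as dangerous. The fix that later comments point at, HTMLPurifier, works the other way round: it keeps only elements, attributes and URL schemes that are explicitly allowed.

The following is an added example in Python, not QCubed's or HTMLPurifier's code. `blocklist_rejects` is a hypothetical pattern check that reproduces the behaviour the reporter observed (it is not the real Deny implementation, whose internals the thread does not show); `sanitize` is a small allowlist sanitizer of the HTMLPurifier kind. The four payloads are copied from the comments above as test input; the tag and attribute allowlists are an assumption for a "rich text box" use case.

```python
import re
from html import escape
from html.parser import HTMLParser

# Payloads reported in the comments above, used here as test input.
IMG_ONERROR = '<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>'
IMG_JSURL = '<img src="javascript:alert(document.cookie);">'
META_REFRESH = ('<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,'
                'PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">')
FORM_INJECT = ('</span><form method="POST" action="#" name="upload" class="form-horizontal well" '
               'id="myForm"><input type="file" name="myfile"><input type="button" value="test">'
               '</form><span>')

# 1. A blocklist check (hypothetical; NOT QCubed's Deny implementation). It models the
#    behaviour the reporter observed: javascript: URLs are caught, nothing else is.
JS_URL = re.compile(r'\b(?:src|href)\s*=\s*["\']?\s*javascript:', re.IGNORECASE)


def blocklist_rejects(fragment):
    """True if the pattern check would raise an XSS violation for this fragment."""
    return JS_URL.search(fragment) is not None


# 2. An allowlist sanitizer: everything not listed here is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "span", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Only these URL forms survive in href/src; javascript:, data:, vbscript: never match.
SAFE_URL = re.compile(r'^(?:https?://|mailto:|/|#)', re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # allowed, non-void tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <form>, <input>, <meta>, <audio>, <video>, <script>... are dropped
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # every on* handler and every unlisted attribute is dropped
            value = (value or "").strip()
            if name in ("href", "src") and not SAFE_URL.match(value):
                continue  # unknown scheme: drop the attribute, keep the element
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or tag not in self.stack:
            return  # a stray </span> cannot close an element the surrounding page opened
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text stays text

    def result(self):
        self.close()
        while self.stack:  # close whatever the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    for payload in (IMG_ONERROR, IMG_JSURL, META_REFRESH, FORM_INJECT):
        print(f"blocklist rejects: {blocklist_rejects(payload)!s:5}  allowlist -> {sanitize(payload)!r}")
```

The allowlist version removes the `onerror` handler while keeping the harmless `src`, drops the `javascript:` attribute rather than the whole `<img>`, removes `<meta>` and `<form>` outright, and ignores the leading `</span>` so the injected markup cannot close the control's own wrapper. Whether Chrome or Firefox honours a `<meta refresh>` inside the body does not matter to it, which is the property a server-side filter should have.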

@vaibhav-kaushal (Member)

@LX-3 Thanks for pointing them out. I will try to get this done as soon as possible. Yes, those two cases are not handled properly due to the built-in method QCubed uses for CrossScripting filters in Deny mode.

Regards

@olegabr (Member) commented May 25, 2013

@LX-3 it was me who did the chmod 777 for /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer
I hadn't seen your report; I just re-found the same error myself.

@olegabr (Member) commented May 25, 2013

@LX-3 that is why (see your reports) it is recommended to use industry-standard solutions like HTMLPurifier. Use QCrossScripting::HTMLPurifier to be secure with QCubed.

@scottux (Member) commented Sep 23, 2013

Is this an issue we should file under framework for QCrossScripting? There doesn't seem to be anything wrong with the examples site itself.
