
SanitizeCSS is bypassable #2

Open
soaj1664 opened this issue Jul 7, 2014 · 11 comments

Comments

@soaj1664

soaj1664 commented Jul 7, 2014

Hi,

The function `static function sanitizeCSS($input)` you are using for SanitizeCSS is bypassable and is vulnerable to an XSS.

e.g., the following attack vector will bypass it:

`width:expression(alert(1))`

The regular expression only looks for the word URL and parentheses ...

Thanks!
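To illustrate the reporter's point, here is an added Python example (not Confusa's `sanitizeCSS`, which is PHP): a constructed blacklist-style filter that only strips `url()` calls, next to an allow-list filter that accepts only known properties and a strict value grammar, so function-call syntax such as `expression()` never reaches a stylesheet. The property list and value grammar are assumptions for the demonstration.

```python
import re

# Constructed stand-in for a blacklist-style sanitizer: it strips url(...) and
# nothing else, which is the kind of gap the report describes (not Confusa's code).
def weak_sanitize_css(css: str) -> str:
    return re.sub(r"url\s*\([^)]*\)", "", css, flags=re.IGNORECASE)

# Hardened approach: allow-list the property names and accept only a small value
# grammar (hex colours, numbers with units, plain keywords). Parentheses,
# backslash escapes, comments and '@' never match, so expression(), url(),
# behavior:, -moz-binding and escaped spellings are all dropped.
ALLOWED_PROPERTIES = {"color", "background-color", "width", "height", "font-size",
                      "font-weight", "text-align", "margin", "padding", "border"}
_TOKEN = r"(?:#[0-9a-f]{3,6}|-?\d+(?:\.\d+)?(?:px|em|rem|%)?|[a-z][a-z-]*)"
_VALUE_RE = re.compile(rf"^{_TOKEN}(?:\s+{_TOKEN}){{0,3}}$", re.IGNORECASE)


def _filter_declarations(css: str):
    """Split 'prop:value;...' and sort each declaration into kept or rejected."""
    kept, rejected = [], []
    for decl in css.split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(":", 1))
        if prop.lower() in ALLOWED_PROPERTIES and _VALUE_RE.fullmatch(value):
            kept.append(f"{prop.lower()}:{value}")
        else:
            rejected.append(decl.strip())
    return kept, rejected


def strict_sanitize_css(css: str) -> str:
    """Return only the declarations that pass the allow-list and value grammar."""
    kept, _ = _filter_declarations(css)
    return ";".join(kept)


def rejected_declarations(css: str) -> list:
    """Declarations the strict filter dropped; worth logging as a tamper signal."""
    return _filter_declarations(css)[1]


if __name__ == "__main__":
    sample = "color:#fff; width:expression(alert(1)); behavior:url(x.htc)"  # constructed input
    print("weak   :", weak_sanitize_css(sample))
    print("strict :", strict_sanitize_css(sample))
    print("dropped:", rejected_declarations(sample))
```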

@henrikau
Owner

henrikau commented Jul 8, 2014

Thanks for the report, I'll attend to it :)

Henrik

@soaj1664
Author

soaj1664 commented Jul 8, 2014

@henrikau May I suggest a better and unbreakable solution for CSS or style context if you would like :)

@henrikau
Owner

henrikau commented Jul 8, 2014

On Tue, Jul 08, 2014 at 03:29:07AM -0700, Ashar Javed wrote:

> @henrikau May I suggest a better and unbreakable solution for CSS or
> style context if you would like :)

Hi,

You are more than welcome to provide a patch and if it looks sane I'm then
happy to apply it.

Also; github is more of a backup site, assembla [1] is the main repository
where the wiki is. We also have a mailing list
([email protected]) [2] and an irc channel #confusa@freenode. Feel
free to join any or all. :)

  1. https://www.assembla.com/wiki/show/confusa
  2. https://postlister.uninett.no/sympa_confusa/info/confusa-dev

Henrik Austad

@soaj1664
Author

soaj1664 commented Jul 8, 2014

@henrikau Here you go:

https://gist.github.com/soaj1664/2aab2c9ae51cf433aed3

It is very simple but bulletproof :) No one can execute JavaScript in style context if that function is in use. Some weeks ago I had announced a 1000USD XSS challenge and had recorded 78K+ XSS attack attempts and no bypass in any context ... see http://demo.chm-software.com/7fc785c6bd26b49d7a7698a7518a73ed/

Let me know when you integrate this function ... or, as per your requirements, you can easily modify it ...

@soaj1664
Author

@henrikau I am waiting for your reply. What is your take on it after looking at the code ...

@henrikau
Owner

I'm currently on holiday without access to my systems. Please send a patch
to [email protected] and if no one replies, I'll look at it next
week.

Henrik
On 10 Jul 2014 17:14, "Ashar Javed" [email protected] wrote:

> @henrikau https://github.com/henrikau I am waiting for your reply. What
> is your take on it after looking at the code ...


@soaj1664
Author

@henrikau I will wait until next week so that you will be back :) Enjoy your vacations ...

@soaj1664
Author

@henrikau Hi again. I hope you are back from vacation :) Looking forward to the patch...

@soaj1664
Author

@henrikau Any update? Are you planning to integrate the code or leave the idea? Thanks!

@thijskh

thijskh commented Aug 18, 2014

Fixed in Confusa 0.8.6.

@soaj1664
Author

@thijskh Great ...
