Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.2.4

Bug #14579 security risc: javascript code injection is possible
Submitted: 2008-08-29 10:36 UTC
From: netsrac Assigned:
Status: Open Package: HTML_BBCodeParser (version 1.2.2)
PHP Version: 5.2.6 OS: Debian
Roadmaps: (Not assigned)    

 [2008-08-29 10:36 UTC] netsrac (Carsten Skrbensky)
Description: ------------ With the current parser its possible to insert and run javascriptcode in a parsed bb-code text. Big problem is the handling of tag-attribudes like color. following changes css-code for example [color=;padding:3px;border-width:XYZ] With these changes you could place a tranceparent gif over the whole page where every click starts a javascript routine... [color='eventhandler='javascript][/color] [img]adresse'eventhandler='javascript[/img] With that it is easily possible to create worms in communitys using bb-code where the visitor of the modified profile get his own bode. using [font]attribure with 0px height you can even hide the code in a profil. This Bug is also listet here but the fix there is not a realy solution Find the function _buildParsedString() in BBCodeParser.php Find the line with foreach ($tag['attributes'] as $a => $v) { and add following lines $v = str_replace("(", '', $v); $v = str_replace(")", '', $v); $v = @preg_replace("/[^a-zA-Z0-9.,\/:~#-\_]/", "", $v); $v = str_replace("'", '"', $v); This removes ( ) and some other chars from all attributes of the tag. I know that this is just the quick n dirty way, but i needed a fast solution so let no javascript get run.