
Bug #5609 BBCodeParser allows XSS
Submitted: 2005-10-05 15:33 UTC
From: vanderaj at greebo dot net
Assigned: dufuz
Status: Closed
Package: HTML_BBCodeParser
PHP Version: 5.0.4
OS: MacOS X
Roadmaps: (Not assigned)


 [2005-10-05 15:33 UTC] vanderaj at greebo dot net
Description:
------------
HTML_BBCodeParser fails to validate URL tags properly, and allows XSS through.

Test script:
---------------
This post here describes the identical issue in phpBB 2.0.14 and below. It affects HTML_BBCodeParser in *exactly* the same way - all the examples in this exploit work as described.

http://castlecops.com/t123194-.html

Expected result:
----------------
XSS in any of the supported attributes should not work.

Actual result:
--------------
XSS occurs. Try it and see.

Comments

 [2005-10-05 17:52 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email. If you do not have a message, click here to re-send.
MANUAL CONFIRMATION IS NOT POSSIBLE. Write a message to pear-dev@lists.php.net to request the confirmation link. All bugs/comments/patches associated with this email address will be deleted within 48 hours if the account request is not confirmed!
 [2005-10-18 13:09 UTC] User who submitted this comment has not confirmed identity
 [2006-12-29 10:51 UTC] andrei_nikolov at mail dot bg (Andrei Nikolov)
suggestion for fixing the bug:

adding new variable in the class:

    /**
     * Counter of closing [url] tags which must be left unparsed (XSS prevention)
     *
     * @access private
     * @var int
     */
    var $skipClosingTagsURL = 0;

...........

in function _buildParsedString():

    // opening tag
    case 1:
        //Prevents XSS attacks:
        if (($tag['tag'] == 'url' || $tag['tag'] == 'img') && preg_match('#(script|about|applet|activex|chrome):#is', $tag['text'])) {
            $this->_parsed .= $tag['text'];
            if ($tag['tag'] == 'url')
                $this->skipClosingTagsURL++;
            break;
        }

.........

    // closing tag
    case 2:
        if ($this->_definedTags[$tag['tag']]['htmlclose'] != '') {
            if ($tag['tag'] == 'url' && $this->skipClosingTagsURL) {
                $this->_parsed .= $tag['text'];
                $this->skipClosingTagsURL--;
            } else
                $this->_parsed .= '</'.$this->_definedTags[$tag['tag']]['htmlclose'].'>';
        }
        break;

.......

    function parse()
    {
        $this->skipClosingTagsURL = 0;
        $this->_preparse();
        $this->_buildTagArray();
        $this->_validateTagArray();
        $this->_buildParsedString();
    }
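
An allowlist counterpart to the scheme blocklist in the suggestion above, as an added example that is not part of this thread or of HTML_BBCodeParser's code. The names `bb_safe_url`, `bb_render_url` and `BB_ALLOWED_SCHEMES`, the list of permitted schemes and the sample inputs are assumptions made for illustration (PHP 7.1 or later).

```php
<?php
// Added example, not HTML_BBCodeParser source. All names are hypothetical.

// Schemes a [url] or [img] value may use. Anything not listed is refused,
// so a scheme nobody thought to block is rejected by default.
const BB_ALLOWED_SCHEMES = ['http', 'https', 'ftp'];

/** Return the trimmed URL if it may go into href/src, otherwise null. */
function bb_safe_url(string $raw): ?string
{
    $url = trim($raw);
    // Refuse control characters (tab, CR, LF, NUL, ...) anywhere in the value.
    if ($url === '' || preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return null;
    }
    // Require an explicit "scheme://" at the very start of the value.
    if (!preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $url, $m)) {
        return null;
    }
    return in_array(strtolower($m[1]), BB_ALLOWED_SCHEMES, true) ? $url : null;
}

/** Render [url=...]text[/url]; a refused URL leaves the tag as inert text. */
function bb_render_url(string $href, string $text): string
{
    $label = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $safe  = bb_safe_url($href);
    if ($safe === null) {
        // Leave the tag unparsed, escaped like any other user text.
        return '[url=' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . ']' . $label . '[/url]';
    }
    // Escape the attribute value so a quote cannot close href="...".
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES, 'UTF-8') . '">' . $label . '</a>';
}

// Constructed sample inputs, not taken from the bug report.
$samples = [
    'http://example.com/?a=1&b=2',
    'HTTPS://example.com/',
    'javascript:void(0)',
    ' JaVaScRiPt:void(0)',
    'data:text/html,hello',
    'http://example.com/" title="x',
    '/relative/path',
];
foreach ($samples as $s) {
    echo bb_render_url($s, 'link'), PHP_EOL;
}
```

Only the first, second and sixth samples come out as `<a>` elements, and in the sixth the embedded quotes are emitted as `&quot;` inside the `href` value; every other sample stays as escaped `[url=...]` text.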
 [2007-06-03 18:18 UTC] User who submitted this comment has not confirmed identity
 [2007-07-13 22:07 UTC] User who submitted this comment has not confirmed identity
 [2007-07-14 00:12 UTC] User who submitted this comment has not confirmed identity
 [2007-07-14 00:50 UTC] User who submitted this comment has not confirmed identity
 [2007-07-14 02:00 UTC] User who submitted this comment has not confirmed identity