01030: XSS vuln in forms.php

Summary: XSS vuln in forms.php
Created: 2008-06-24 14:44
Status: Closed - fixed for 2.2.0-beta68
Category: Bug
Assigned:
Priority: 5555
Version: 2.1.27 and higher
OS: Linux/Apache/5.2.4

Description: At line 238 there is a serious XSS vulnerability. By not escaping anything or stripping HTML out of the "action", the wiki can be used to execute client-side code. To solve this issue I changed the following lines in forms.php:

SDVA($InputTags['auth_form'], array(
  ':html' => "<form action='{$_SERVER['REQUEST_URI']}' method='post'
    name='authform'>\$PostVars"));

to:

$strippedAction = htmlentities(strip_tags($_SERVER['REQUEST_URI']), ENT_QUOTES);
SDVA($InputTags['auth_form'], array(
  ':html' => "<form action='\$strippedAction' method='post'
    name='authform'>\$PostVars"));

Also, please look at any other use of $_SERVER['REQUEST_URI'] and be sure to use strip_tags and htmlentities, or any other way of sanitizing input.

Question

How could the current $_SERVER['REQUEST_URI'] variable possibly be a serious cross-site scripting vulnerability for anyone other than the browser that is calling the login form with an invalid URL (non-stripped tags...)? What client-side code exactly could be executed? Thanks. --Petko June 25, 2008, at 05:40 PM

EDIT

I also found another place that had input which was not sanitized. This is in pmwiki.php at line 1549. I replaced:

  SDV($AuthPromptFmt,array(&$PageStartFmt,
    "<p><b>$[Password required]</b></p>
      <form name='authform' action='{$_SERVER['REQUEST_URI']}' method='post'>
        $[Password]: <input tabindex='1' type='password' name='authpw'
          value='' />
        <input type='submit' value='OK' />\$PostVars</form>
        <script language='javascript' type='text/javascript'><!--
          document.authform.authpw.focus() //--></script>", &$PageEndFmt));

with:

  $strippedAction = htmlentities(strip_tags($_SERVER['REQUEST_URI']), ENT_QUOTES);
  SDV($AuthPromptFmt,array(&$PageStartFmt,
    "<p><b>$[Password required]</b></p>
      <form name='authform' action='\$strippedAction' method='post'>
        $[Password]: <input tabindex='1' type='password' name='authpw'
          value='' />
        <input type='submit' value='OK' />\$PostVars</form>
        <script language='javascript' type='text/javascript'><!--
          document.authform.authpw.focus() //--></script>", &$PageEndFmt));
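The two patches above (forms.php and pmwiki.php) fix the same pattern: the raw request URI is interpolated into a single-quoted action='...' attribute. The following is an added example, not PmWiki's code and not the reporter's patch, that puts the vulnerable pattern next to an escaped one and shows where the attribute boundary ends in each case. The function names, the helper that extracts the attribute, and the request URI are all constructed for this demonstration.

```php
<?php
// Added example, not PmWiki code. Demonstrates why an unescaped
// $_SERVER['REQUEST_URI'] inside action='...' is an injection point and
// how escaping for the attribute context closes it.

// Vulnerable pattern (as in the original forms.php / pmwiki.php lines):
// the raw request URI is dropped straight into the attribute.
function auth_form_vulnerable(string $requestUri): string {
    return "<form action='{$requestUri}' method='post' name='authform'></form>";
}

// Hardened pattern: escape for an HTML attribute. ENT_QUOTES is essential
// here because the attribute is single-quoted; without it htmlspecialchars()
// leaves ' untouched and the breakout still works.
function auth_form_escaped(string $requestUri): string {
    $action = htmlspecialchars($requestUri, ENT_QUOTES, 'UTF-8');
    return "<form action='{$action}' method='post' name='authform'></form>";
}

// Review helper (constructed): returns what a browser would take as the
// value of action=, i.e. everything up to the first unescaped single quote.
function action_value(string $html): ?string {
    return preg_match("/action='([^']*)'/", $html, $m) ? $m[1] : null;
}

// Constructed request URI: the path carries a single quote that ends the
// attribute early, followed by attacker-controlled markup. Browsers send a
// literal ' in a URL path unencoded, so this reaches PHP exactly like this.
$uri = "/pmwiki.php?n=Main.HomePage' onsubmit='alert(1)";

$vulnerable = auth_form_vulnerable($uri);
$escaped    = auth_form_escaped($uri);

echo "vulnerable markup: {$vulnerable}\n";
echo "  action= ends at: ", action_value($vulnerable), "\n";
echo "  rest of URI became attributes: ",
     (strpos($vulnerable, " onsubmit='alert(1)'") !== false ? 'yes' : 'no'), "\n\n";

echo "escaped markup:    {$escaped}\n";
echo "  action= ends at: ", action_value($escaped), "\n";
echo "  rest of URI became attributes: ",
     (strpos($escaped, " onsubmit='alert(1)'") !== false ? 'yes' : 'no'), "\n";
```

Two points worth keeping in mind when applying the reporter's patch. First, strip_tags() adds nothing once the value is HTML-escaped with ENT_QUOTES; the escaping alone keeps the attribute intact, and strip_tags() can silently truncate legitimate URIs containing <. Second, the injection is reflected: it only fires in a browser that requests the crafted URL, which is the usual delivery route for reflected XSS (a link a victim is induced to follow), so the fact that the attacker's own browser sends the URL does not make the issue harmless.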