
Multiple possible XSS vulnerabilities #2010

Closed
enferas opened this issue Dec 25, 2022 · 4 comments

Comments

enferas commented Dec 25, 2022

Hello,

I would like to report some XSS vulnerabilities.

For example,

'telefone' is saved in the DB, then it is retrieved and printed in the view.

In file mapos-master\application\controllers\Clientes.php

// Controller: the POSTed 'telefone' is placed in $data as received
$data = [
    //...
    'telefone' => $this->input->post('telefone'),
    //...
];
if ($this->clientes_model->edit('clientes', $data, 'idClientes', $this->input->post('idClientes')) == true) {
    //....
}

// Model: $data is written to the table unchanged (query binding handles SQL, not HTML)
public function edit($table, $data, $fieldID, $ID)
{
    $this->db->where($fieldID, $ID);
    $this->db->update($table, $data);

    if ($this->db->affected_rows() >= 0) {
        return true;
    }

    return false;
}

In file mapos-master\application\controllers\Relatorios.php

// Controller: the stored rows are fetched and handed to the print view
$data['clientes'] = $this->Relatorios_model->clientesCustom($dataInicial, $dataFinal, $this->input->get('tipocliente'));
//...
$data['topo'] = $this->load->view('relatorios/imprimir/imprimirTopo', $data, true);

// Model: returns the clientes rows, including 'telefone', exactly as stored
public function clientesCustom($dataInicial = null, $dataFinal = null, $tipo = null)
{
    $whereData = '';
    if ($dataInicial != null) {
        $whereData .= "AND dataCadastro >= " . $this->db->escape($dataInicial);
    }
    if ($dataFinal != null) {
        $whereData .= "AND dataCadastro <= " . $this->db->escape($dataFinal);
    }
    if ($tipo != null) {
        $whereData .= "AND fornecedor = " . $this->db->escape($tipo);
    }
    $query = "SELECT * FROM clientes WHERE dataCadastro $whereData ORDER BY nomeCliente";

    return $this->db->query($query, [$dataInicial, $dataFinal])->result();
}

In file

<?php foreach ($clientes as $c) : ?>
<?php // the stored value is echoed into the HTML without html_escape() ?>
<td align="center"><?= $c->telefone ?></td>

Another example,

In file mapos-master\application\views\arquivos\arquivos.php

<input type="text" name="pesquisa" id="pesquisa" placeholder="Digite o nome do documento para pesquisar" class="span12" value="<?= $this->input->get('pesquisa') ?>">

If you agree that these are vulnerabilities, I will report the others.

enferas added the bug label Dec 25, 2022

RamonSilva20 (Owner) commented:
Hello.

Thank you for the warning.

The sanitization is done by the framework.

Were you able to inject a script?

enferas (Author) commented Dec 26, 2022

Thank you for your response.

The default configuration in CodeIgniter after running composer does not do any sanitization.

So after running the command composer install --no-dev, I checked the configuration and found:

/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
| WARNING: This feature is DEPRECATED and currently available only
|          for backwards compatibility purposes!
|
*/
$config['global_xss_filtering'] = FALSE;

Thus, if the developer runs composer and then uses the application without changing the configuration, they will face many XSS vulnerabilities in the application.

The other option is to force sanitization to be applied on the input. From "Post" in the CI input-class docs:

$this->input->post('key', TRUE); // XSS Clean
$this->input->post('key', FALSE); // No XSS filter

Finally, CodeIgniter mentions that Global XSS Filtering is DEPRECATED and that it is better to apply sanitization at the output, not the input. From "XSS filtering" in the CI docs:

Important: The ‘global_xss_filtering’ setting is DEPRECATED and kept solely for backwards-compatibility purposes. XSS escaping should be performed on output, not input!

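As an added example, not code from mapos or CodeIgniter, the stand-alone PHP script below renders the two view fragments quoted in the first comment (the `telefone` table cell and the `pesquisa` search box) both as they appear in the issue and with escaping applied on output, which is the approach the CodeIgniter documentation quoted above recommends instead of the deprecated global_xss_filtering. It assumes UTF-8 output and defines a fallback `html_escape()` compatible with the helper CodeIgniter 3 ships in system/core/Common.php, so it runs without the framework; the two sample values are constructed for the demonstration, not taken from any report.

```php
<?php
// Added example (not mapos or CodeIgniter code): escape-on-output for the
// two view fragments quoted in this issue. Run with: php xss_output_escaping.php

// CodeIgniter 3 provides html_escape() (system/core/Common.php). It wraps
// htmlspecialchars() with ENT_QUOTES so that both " and ' are encoded, which
// is what keeps a value from closing a quoted attribute. This fallback is
// only used when the script runs outside CI; assumption: UTF-8 charset.
if (!function_exists('html_escape')) {
    function html_escape($var, $double_encode = true)
    {
        return htmlspecialchars((string) $var, ENT_QUOTES, 'UTF-8', $double_encode);
    }
}

// The phone-number cell from relatorios/imprimir/imprimirTopo: HTML body context.
// $escape = false reproduces the view as quoted in the issue.
function renderTelefoneCell(object $c, bool $escape): string
{
    $value = $escape ? html_escape($c->telefone) : $c->telefone;
    return '<td align="center">' . $value . '</td>';
}

// The search box from views/arquivos/arquivos.php: double-quoted attribute
// context. Without escaping, a bare " in the value ends the attribute and
// whatever follows is parsed as further attributes or markup.
function renderPesquisaInput(string $pesquisa, bool $escape): string
{
    $value = $escape ? html_escape($pesquisa) : $pesquisa;
    return '<input type="text" name="pesquisa" id="pesquisa"'
        . ' placeholder="Digite o nome do documento para pesquisar"'
        . ' class="span12" value="' . $value . '">';
}

// Hardened-path check: the stored value must not survive as a tag, and the
// attribute must still be delimited by exactly the 12 quotes the template
// itself contains (six attributes, two quotes each), none from user data.
function selfCheck(object $cliente, string $pesquisa): bool
{
    $cell  = renderTelefoneCell($cliente, true);
    $input = renderPesquisaInput($pesquisa, true);
    return strpos($cell, '<script') === false
        && substr_count($input, '"') === 12;
}

// Constructed sample inputs: what a stored 'telefone' field could contain
// after the controller path quoted above, and a crafted ?pesquisa= value.
$cliente  = (object) ['telefone' => '<script>alert(document.cookie)</script>'];
$pesquisa = '" autofocus onfocus="alert(1)';

foreach ([false, true] as $escape) {
    echo $escape ? "--- escaped on output ---\n" : "--- as quoted in the issue (raw) ---\n";
    echo renderTelefoneCell($cliente, $escape), "\n";
    echo renderPesquisaInput($pesquisa, $escape), "\n\n";
}

exit(selfCheck($cliente, $pesquisa) ? 0 : 1);
```

html_escape() is the right tool for the two contexts shown here (HTML body text and a quoted attribute value); it is not sufficient for unquoted attributes, for href/src values where a javascript: URL is the concern, or for data echoed inside an inline script block, each of which needs encoding for its own context. Views that go through CodeIgniter 3.1's form helpers get this for free, since set_value() escapes by default, whereas the raw `<?= $this->input->get('pesquisa') ?>` quoted in the issue bypasses that.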
enferas (Author) commented Dec 29, 2022

@RamonSilva20

Hello,

If you agree with me that, when the user runs composer, the XSS filter configuration will be FALSE: for this reason, I have provided the pull request below, which will sanitize all input even if global_xss_filtering is FALSE.

#2015

github-actions commented

This issue is stale because it has been open for 30 days with no activity. Remove the label or this comment, or this issue will be closed in 5 days.
