…dded csrftoken to fix potential CSRF attack
6 comments on commit bfc6c80
That's an annoying bug. I wonder why, after all these years, others have not noted this. Any suggestions, besides wrapping any instance in htmlspecialchars()?
Globally redefine the superglobals using htmlspecialchars(). That way you won't have to patch each and every file.
In my test cases using a simple PHP file, the JavaScript ran via PHP_SELF; however, in ATutor I'm not able to get it to work. I tested with install_modules.php and a few other admin tools. It breaks at line 170 of include/header.inc.php when attaching the script to install_modules.php:
/"><script>alert("test")</script>
https://github.com/atutor/ATutor/blob/master/include/header.inc.php#L170
It seems $_SERVER['PHP_SELF'] is being interpreted as a filename, and since it is not in the list of valid pages ($_pages[$current_page]), it redirects to a non-existent page. The template file you pointed to in your example above (install_modules.tmpl.php) would never be accessed directly by a user.
Are you able to point out a specific case where the PHP_SELF XSS occurs, not using a template file?
Sure, header.php does that check and 302's the user, but there are templates that do not do this. For example: ATutor/themes/simplified_desktop/social/basic_profile.tmpl.php/"><script>alert(1)</script>
In fact, we are writing a patch for you in class right now.
Also, why do you think the templates would not be directly accessed? Is there a .htaccess installed by default? If it is accessed by a logged-in administrator, sent from an unauthenticated user, then the admin access will work and cookies/session can be hijacked.
Working on a patch. That's awesome!
ATutor users would not normally access the templates directly, but if there was a CSRF going on, the hacker could point to a template. That I see now.
Looking forward to the patch.
At this line is an XSS vulnerability. It's the "echo $_SERVER['PHP_SELF']" that is the vulnerable code. So, /ATutor/themes/default/admin/modules/install_modules.tmpl.php/">[JS CODE HERE] should work...
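The reflection discussed in this thread, reduced to a stand-alone PHP script (an added example, not ATutor's code): the vulnerable `echo $_SERVER['PHP_SELF']` pattern beside the htmlspecialchars() fix, the "fix the superglobal once in a shared include" approach suggested above, and `SCRIPT_NAME` as the PATH_INFO-free alternative. The `$server` array and its path suffix are constructed stand-ins for a real request.

```php
<?php
// Vulnerable shape of the template line: PHP_SELF carries any path suffix
// the client appended after the script name (PATH_INFO) and is echoed into
// an attribute without escaping, so a suffix can close the attribute and tag.
function form_action_vulnerable(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened form: encode for an HTML attribute context. ENT_QUOTES also
// encodes single quotes, so the value is safe in either attribute style.
function form_action_hardened(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// "Redefine the superglobal" approach: run once from a shared include so every
// template that echoes PHP_SELF gets the encoded value without per-file edits.
// Assumption: nothing later needs the raw value (e.g. for routing decisions).
function sanitize_php_self(array &$server): void
{
    if (isset($server['PHP_SELF'])) {
        $server['PHP_SELF'] = htmlspecialchars(
            $server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Alternative: SCRIPT_NAME is the path to the script without PATH_INFO, so a
// client-appended suffix never reaches the page. Still escape it on output.
function form_action_script_name(array $server): string
{
    $safe = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Constructed request values standing in for $_SERVER: the template path plus
// a harmless marker suffix that closes the attribute and the tag.
$server = [
    'SCRIPT_NAME' => '/ATutor/themes/default/admin/modules/install_modules.tmpl.php',
    'PHP_SELF'    => '/ATutor/themes/default/admin/modules/install_modules.tmpl.php/"><b>injected</b>',
];

echo form_action_vulnerable($server['PHP_SELF']), PHP_EOL;   // marker lands in the DOM
echo form_action_hardened($server['PHP_SELF']), PHP_EOL;     // marker stays inside the attribute
echo form_action_script_name($server), PHP_EOL;              // suffix absent altogether

sanitize_php_self($server);
echo form_action_vulnerable($server['PHP_SELF']), PHP_EOL;   // now safe even via the old code path
```

Compare the first and last lines of output: the unchanged "vulnerable" function emits an intact attribute once the superglobal has been encoded at bootstrap, which is the effect the global-redefinition suggestion relies on.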