Security::strip_image_tags bypass #107
Comments
Thanks for the security report @dsopas. Yeah, it seems it is indeed possible to inject an XSS vector, even though the img tag looks invalid HTML. I tested with a browser and the JS prompt runs. We could tweak the regex to include a test for a slash. Thanks again.
This is what I came up with, let me know if it is OK: #<img(?:/|\s)*[^>]*(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#i
Hi @enov, here at Checkmarx we're improving our detection on the Kohana framework and we detected that function. Good work! Best,
It's possible to bypass your protection again. Using a special character (%0C), which I think means a space, you don't have to end the tag using >.
I don't know if this will work using copy paste in GitHub, but you can see it working on jsfiddle: Using your updated code on my localhost, I attached the screenshot.
Or even simpler:
Thank you for your thorough research @dsopas. We highly appreciate your time and efforts to detect the security shortcomings of Kohana. I will try to come up with a better regex. Not a regex expert myself, but there are lots of online tools nowadays. Let me know if you are willing to issue a pull request yourself.
In my opinion you should never rely on regex to parse HTML. There's always a way to bypass it. Let me know when you provide a fix so I can complete the Checkmarx security advisory.
Thanks again @dsopas. Here's another regex: #<img/?\s*[^>/\x{0C}]*(?=src\s*=)(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>/\x{0C}]*)?(?:>|//|\x{0C})#isu
It's becoming more and more complicated and I understand that if we use regex there might always be a way to bypass it. We can deprecate and remove this method altogether from the Security class, as there are other HTML tags that can execute JavaScript and we do not have helper methods for those. We can guide the users to sanitize their input against XSS using external libraries. By the way, is there a reference for all the quirky HTML tag structures that the browsers accept? Or is this original research?
Here's an online shell test for it:
I agree with your second option. Like I said, regex is not the way to do it. If you still need to use it, do what I wrote before. Grab the src content only, sanitize it and construct the img yourself.
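As an added example of the approach recommended above (this is not code from the Kohana project or from this thread, and it is in Python rather than PHP): instead of trying to strip img tags with a regex, locate anything a browser would parse as an img tag, keep only its src, validate that, and rebuild the tag yourself, dropping every other attribute. The tag-name separators used are the ones the HTML tokenizer accepts (tab, LF, FF, CR, space and "/"), which is exactly what the `<img/src` and `%0C` bypasses rely on; the function names and the example URLs are assumptions constructed for this example.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Characters the HTML tokenizer accepts right after a tag name: tab, LF, FF (%0C),
# CR, space and "/". A regex that only expects "\s" after "<img" misses "/" and FF.
SEP = r"[\t\n\x0c\r /]"
# Any "<img" followed by a separator or ">" is a tag to the browser, even without a
# closing ">", so an unterminated tag is consumed up to the end of the input.
IMG_TAG = re.compile(rf"<img(?={SEP}|>)[^>]*>?", re.I)
# src attribute: quoted with " or ', or unquoted (ends at whitespace or ">").
SRC_ATTR = re.compile(rf"""{SEP}src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def safe_src(value):
    """Return the src only if it is a plain http(s) URL with no tag or quote characters."""
    url = value.strip()
    if re.search(r"""[\s<>"'\\]""", url) or any(ord(c) < 0x20 for c in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def rebuild_image_tags(html):
    """Replace every img-like tag with a freshly built <img src="..."> or drop it entirely.

    Nothing from the original tag survives except a validated src value, so event
    handler attributes and odd tag syntax never reach the output.
    """
    def repl(match):
        attr = SRC_ATTR.search(match.group(0))
        if not attr:
            return ""
        src = safe_src(next(g for g in attr.groups() if g is not None))
        return f'<img src="{escape(src, quote=True)}">' if src else ""
    return IMG_TAG.sub(repl, html)


if __name__ == "__main__":
    # Constructed inputs using the two tag shapes discussed in this issue.
    for sample in ('<img/src="http://example.com/a.png" onerror="x()">',
                   "<img\x0csrc=http://example.com/a.png onerror=x()"):
        print(repr(sample), "->", repr(rebuild_image_tags(sample)))
```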
@enov really try to do what I wrote before. Best,
Hi @enov, any updates on this issue?
Hey @dsopas. Kindly leave the issue open. I might have some time next week to address it.
Ok, no problem. Just keep me in the loop please.
Deprecated for security reasons. See kohana/kohana#107. Users must be encouraged to use more secure and better maintained external libraries.
todo:
Related to Github issue kohana/kohana#107
@dsopas this has been done. Thank you for reporting this and sorry it took us so much time.
No problem Samuel. Best, David Sopas
On 18 August 2016 at 09:49, Samuel Demirdjian notifications@github.com
This issue was assigned CVE-2016-10510.

Hi,
I found a security issue on your latest version.
In your security class – system/classes/Kohana/Security.php you have the following function to remove img tags from strings:
Just by looking at that regex it's possible to see that after <img it expects a space. So to bypass this you could use:
<img/src...
PHP example:
And it's still possible to inject an IMG into a string - in this case with an XSS vector.
Hope it helps.
Best,
David Sopas
Checkmarx.com