
Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS
vulnerability in Custom fields management pages, caused by unescaped
output of the 'return URL' GPC parameter. His report describes two ways to
exploit this issue:

1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
   the administrator in manage_custom_field_edit_page.php when the
   keyboard shortcut is actioned
2. using the 'javascript:' URI scheme executes the code when the user clicks
   the [Proceed] link on manage_custom_field_update.php after updating
   a custom field

This commit fixes both attack vectors:

- properly escape the return URL prior to printing it on the hidden form
  field
- let html_operation_successful() sanitize the URL before displaying
  it, just like html_meta_redirect() does. In this case, if the
  string contains a URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes #20956
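As an added illustration of the two output contexts the commit message describes (this is example code written for this page, not MantisBT code and not the reporter's proof of concept), the Python model below renders the hidden `return` field before and after attribute escaping, and models a `sanitize_url()` with the behaviour the message ascribes to `string_sanitize_url()`: any value carrying a URI scheme collapses to `index.php`. The payload strings are constructed, and `sanitize_url()` goes slightly beyond what the commit states by also stripping ASCII control characters (which browsers ignore inside a scheme) and rejecting protocol-relative `//host` targets; both are assumptions added here, not behaviour of the project's function.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payloads modelled on the two vectors in the commit message.
# Illustrative strings only, not the reporter's actual proof of concept.
ACCESSKEY_PAYLOAD = '" accesskey="x" onclick="alert(1)'
JS_URI_PAYLOAD = 'javascript:alert(document.cookie)'
OBFUSCATED_JS_URI = 'java\tscript:alert(1)'   # browsers drop tabs/newlines in a scheme
SAFE_RETURN = 'manage_custom_field_page.php'

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
SCHEME = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*:')


def render_hidden_return_unescaped(value: str) -> str:
    """Pre-fix template: the GPC value is echoed raw into an attribute."""
    return f'<input type="hidden" name="return" value="{value}" />'


def render_hidden_return(value: str) -> str:
    """Post-fix equivalent of string_attribute(): escape for attribute context.
    html.escape(quote=True) encodes the double quote, so the value cannot close
    the attribute and smuggle in accesskey= / onclick=."""
    return f'<input type="hidden" name="return" value="{html.escape(value, quote=True)}" />'


class _AttrCollector(HTMLParser):
    """Collects the attributes the browser-side parser would actually see."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Parse one rendered tag and return its attribute map (values unescaped)."""
    p = _AttrCollector()
    p.feed(markup)
    return p.attrs


def sanitize_url(url: str, fallback: str = 'index.php') -> str:
    """Assumed model of string_sanitize_url(): a return URL carrying a URI scheme
    is replaced by the fallback. Added beyond the commit text: control characters
    are stripped before the check, and protocol-relative targets are rejected
    too (an open-redirect concern rather than XSS)."""
    cleaned = re.sub(r'[\x00-\x20]', '', url)
    if SCHEME.match(cleaned) or cleaned.startswith('//') or cleaned.startswith('/\\'):
        return fallback
    return url


def render_proceed_link_escaped_only(return_url: str) -> str:
    """Attribute escaping alone: a javascript: href survives intact, because the
    payload needs no quote or angle bracket to work in URL context."""
    return f'<a href="{html.escape(return_url, quote=True)}">[Proceed]</a>'


def render_proceed_link(return_url: str) -> str:
    """Post-fix Proceed link: sanitize the target, then escape for the attribute."""
    return f'<a href="{html.escape(sanitize_url(return_url), quote=True)}">[Proceed]</a>'


if __name__ == '__main__':
    print(render_hidden_return_unescaped(ACCESSKEY_PAYLOAD))
    print(parsed_attributes(render_hidden_return_unescaped(ACCESSKEY_PAYLOAD)))
    print(render_hidden_return(ACCESSKEY_PAYLOAD))
    print(parsed_attributes(render_hidden_return(ACCESSKEY_PAYLOAD)))
    print(render_proceed_link_escaped_only(JS_URI_PAYLOAD))
    print(render_proceed_link(JS_URI_PAYLOAD))
```

The point the two helpers make together: `render_hidden_return()` stops the accesskey vector because the payload has to break out of the attribute, while `render_proceed_link_escaped_only()` shows that the same escaping does nothing against a `javascript:` href, which is why the second fix validates the URL itself rather than just encoding it.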
dregad committed May 27, 2016
1 parent ecd1261 commit 11ab3d6c82a1d3a89b1024f77349fb60a83743c5
Showing with 2 additions and 2 deletions.
  1. +1 −1 core/html_api.php
  2. +1 −1 manage_custom_field_edit_page.php
@@ -647,7 +647,7 @@ function html_operation_successful( $p_redirect_url, $p_message = '' ) {
}
echo lang_get( 'operation_successful' ).'<br />';
print_bracket_link( $p_redirect_url, lang_get( 'proceed' ) );
print_bracket_link( string_sanitize_url( $p_redirect_url ), lang_get( 'proceed' ) );
echo '</div>';
}
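Review bot: the sanitized value is only computed inline at the print_bracket_link() call, so the function's docblock and the `$p_redirect_url` parameter name still imply that any URL is accepted; document that callers may pass untrusted input and that a value carrying a URI scheme is replaced by 'index.php', because a caller that legitimately passes an absolute URL will now silently land on the index page. Also confirm that print_bracket_link() escapes its href for attribute context, since string_sanitize_url() addresses the scheme, not quoting, and that is not visible in this hunk.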
@@ -73,7 +73,7 @@
<legend><span><?php echo lang_get( 'edit_custom_field_title' ) ?></span></legend>
<?php echo form_security_field( 'manage_custom_field_update' ); ?>
<input type="hidden" name="field_id" value="<?php echo $f_field_id ?>" />
<input type="hidden" name="return" value="<?php echo $f_return ?>" />
<input type="hidden" name="return" value="<?php echo string_attribute( $f_return ); ?>" />
<div class="field-container">
<label for="custom-field-name"><span><?php echo lang_get( 'custom_field_name' ) ?></span></label>
<span class="input"><input type="text" id="custom-field-name" name="name" size="32" maxlength="64" value="<?php echo string_attribute( $t_definition['name'] ) ?>" /></span>
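Review bot: the `field_id` hidden input on the line above the changed one still echoes `$f_field_id` without string_attribute(); if it is read with an integer GPC accessor upstream that is harmless, but the hunk does not show that, so either escape it the same way or note the int cast in the commit message for the next reader. Also worth stating: string_attribute() only closes the attribute-breakout (accesskey) vector, since a `javascript:` value survives attribute escaping unchanged and is neutralised solely by the string_sanitize_url() call in core/html_api.php, so the two one-line hunks depend on each other.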
