Page 1 of 2
1 2
Show 40 post(s) from this thread on one page

Youjoomla Support Forums (http://www.youjoomla.com/joomla_support/index.php)
-   YouGrids (http://www.youjoomla.com/joomla_support/forumdisplay.php?f=171)
-   -   XSS handling extended protection (YouGrids 1.5 & 1.6) (http://www.youjoomla.com/joomla_support/showthread.php?t=8629)

octavian 07-04-2011 03:34 AM
XSS handling extended protection (YouGrids 1.5 & 1.6)
 
Hello,

I have sent an email a month ago but I have not received any reply since.

We have recently come across a few customers using your templates who are experiencing difficulties when using our product, RSForm! Pro. The XSS protection found in:
yougrids/yjsgcore/yjsg_core.php
doesn't take into account the fact that $_POST/$_GET are multi-dimensional arrays. preg_replace works for arrays as long as they are not multi-dimensional (more than one level).

Below is a proof of concept:

PHP Code:
<?php
$array = array(
    'level_1' => array(
        'level_2' => 'test'
    )
);

print_r($array);

$new_array preg_replace('#t#''x'$array);

print_r($new_array);
Will output:
Code:

Array
(
    [level_1] => Array
        (
            [level_2] => test
        )

)
Array
(
    [level_1] => Array
)
RSForm! Pro stores submitted data in $_POST['form'] and the XSS protection you provide always empties $_POST['form']. I think the same should be valid for regular checkboxes, I'm not sure, I haven't tested.

The following lines should be edited:

PHP Code:
$_POST preg_replace("|([^\w\s\'])|i",'',$_POST);
$_GET preg_replace("|([^\w\s\'])|i",'',$_GET); 

neo 07-04-2011 06:11 AM
you can advise your customers to comment the lines out if they find an issue with them, we had our security team test the lines and yes empty the submitted data after send due to XSS issue , even if the preg is used on multi levels it would empty the data from your forms out , but again if your customers have issue with them have them comment the lines out on their own responsibility

octavian 07-04-2011 07:20 AM
Hello,

I think I have given a perfect example above that there's a bug in your templates that you should solve. It has nothing to do with the XSS protection - it has to do with the way you use preg_replace. It empties multi-level arrays just because preg_replace does not work with multi-level arrays. This is regardless if the regex matches anything or not.

neo 07-04-2011 10:26 AM
yes understand , that was introduced as precaution measure for basic level attack , not on template but on joomla , but i see what you mean by multiple levels , the issue is with many 3rd party extension, if we use the full measure the template users might not be able to use some of the extensions , il test the new code and advise of possible change. thnx for testing and sorry if i came on strong.

neo 07-05-2011 04:41 AM
OK we have a new addition to the code which will now cover multi-dimensional arrays

First upload yjsg_validate.php file ( extract the attached zip ) to

templates/template_name/yjsgcore/ folder


than in templates/template_name/yjsgcore/yjsg_core.php

replace lines
Code:

       
Code:

       
$_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);
$_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);


with
Code:
require( TEMPLATEPATH.DS."yjsgcore/yjsg_validate.php");
yjsg_validate_data('post');
yjsg_validate_data('get');




@octavian, if you care to test and see if there is any issues with your extensions that would be appreciated. Once again thnx for the info and your time

octavian 07-05-2011 07:29 AM
Hello,

I've made some tests and the function produced some inconsistencies when dealing with multi-level arrays. I've provided below a function that should be simple enough to not create any issues:
PHP Code:
function yjsg_validate_data (&$array)
{
    if (is_array($array))
        foreach ($array as $key => $value)
            yjsg_validate_data($array[$key]);
    else
        $array preg_replace("|([^\w\s\'])|i",'',$array);

You will have to edit templates/template_name/yjsgcore/yjsg_core.php and use:
PHP Code:
require_once(TEMPLATEPATH.DS."yjsgcore/yjsg_validate.php");
yjsg_validate_data($_POST);
yjsg_validate_data($_GET); 
PS: The code you've provided uses eval() on user input, with some intelligent request crafting a malicious user could have compromised the security of the website.

neo 07-05-2011 10:05 AM
thank you much , will do some more testing . I removed my attachment for time being until we get this squared away.

octavian 07-06-2011 02:31 AM
Glad to be of help! Anything for the good of our common customers :)
Have a good day!

neo 07-13-2011 06:55 AM
Just to inform you , the addon code was tested and is going in to core. I'l add small thank you in to the file notes.

neo 07-13-2011 07:05 AM
1 Attachment(s)
OK here is full addon


for extended XSS protection please add

file name yjsg_validate.php in to templates/template_name/yjsgcore folder (download and unzip attachment )

open file name templates/template_name/yjsgcore/yjsg_core.php

and replace lines

PHP Code:
$_GET preg_replace("|([^\w\s\'])|i",'',$_GET);
$_POST preg_replace("|([^\w\s\'])|i",'',$_POST); 
with


PHP Code:
require_once(TEMPLATEPATH.DS."yjsgcore/yjsg_validate.php");
yjsg_validate_data($_POST);
yjsg_validate_data($_GET); 


All times are GMT -4. The time now is 01:39 PM.
Page 1 of 2
1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin®
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.