Jump to content

XSS in Simple Script

jskrauss

By jskrauss
in PHP Coding Help

 Share

Recommended Posts

jskrauss Newbie

jskrauss

Posted
Posted

We have a simpel PHP script that is designed to only include the body portion of a page when doing a server side include. The dilema is it is failing our security audit to to an xss issue.

 

<?php
function StripBody($content){
preg_match('%<body.*>(.*)</body>%is', $content, $matches);
$matches=$matches[0];
$matches=preg_replace('%<.*body.*>%i','',$matches);
//$matches=str_replace(array("\n","\t","\r","  "),"",$matches);
$matches=str_replace(array("../"),"",$matches);
$matches=trim($matches);
return $matches;
}



if(file_exists("../includes/$_REQUEST[p]")){
$inp=file_get_contents("../includes/$_REQUEST[p]");	
echo "<!-- include $_REQUEST[p] BEGIN -->\n";
if($_REQUEST['lb']==1){
	echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
}	
echo StripBody($inp);
if($_REQUEST['lb']==1){
	echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
}	
echo "\n<!-- include $_REQUEST[p] END-->\n";
}else{
echo '[<i>' . $_REQUEST['p'] . '</i>]';	
}
?>

 

The problem according to the security audit is a hacker could in theory add ?p=<script>alert(document.cookie)</script><iframe%20width=800%20height=600%20src=http://www.intrudersdomainname.com></iframe>&lb=1 to the URL and have their content displayed on our page or run other scripts.

 

The issue is stripping that information out of the value for p

 

Ive tried strip_tags but since p is defined as a constant it does not work.

 

 

Link to comment
Share on other sites
per1os Member

per1os

Posted
Posted

How is it defined as a constant...here is a solution to try.

 

<?php
function StripBody($content){
preg_match('%<body.*>(.*)</body>%is', $content, $matches);
$matches=$matches[0];
$matches=preg_replace('%<.*body.*>%i','',$matches);
//$matches=str_replace(array("\n","\t","\r","  "),"",$matches);
$matches=str_replace(array("../"),"",$matches);
$matches=trim($matches);
return $matches;
}

$p = strip_tags($_REQUEST['p']);

if(file_exists("../includes/$p")){
$inp=file_get_contents("../includes/p");	
echo "<!-- include $p BEGIN -->\n";
if($_REQUEST['lb']==1){
	echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
}	
echo StripBody($inp);
if($_REQUEST['lb']==1){
	echo '<a href="#" class="lbAction" rel="deactivate">Close</a>';
}	
echo "\n<!-- include $p END-->\n";
}else{
echo '[<i>' . $p . '</i>]';	
}
?>

 

See what that does for you.

Link to comment
Share on other sites
jskrauss Newbie

jskrauss

Posted
  • Author
Posted

I replaced my file with the suggested content and wound up with the following (directory structure altered for security purposes in this post) :

 

 Ford Focus

Warning: file_get_contents(../includes/p) [function.file-get-contents]: failed to open stream: No such file or directory in /removed/removed/public_html/_php/include.php on line 15

 

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.