2012-09-26 16:18:13 |
Uranium235 |
description |
The function sanitize() in functions.all.php does not escape properly. Backslashes need to be escaped before escaping the single quotes.
Right now it is possible to inject and run PHP code. I do not know exactly if it is possible for an attacker to exploit the vulnerability without having admin (write) access first in the standard installation. But I imagine that plugins may exist - at least in the future - that use this function and allow non-admin users to store information (like a guestbook) and potentially exploit the vulnerability.
Besides that, it is possible to break the pluck installation for an admin by using the combination of a single quote with a preceding backslash as a field value.
Example
Save the following to a page in TinyMCE HTML mode:
<a href="#" title="\';phpinfo();$x=\'">test</a>
fix:
function sanitize($var, $html = true) {
    // Escape backslashes first, so a backslash already present in the input
    // cannot neutralise the backslash added in front of each quote below.
    $var = str_replace('\\', '\\\\', $var);
    $var = str_replace('\'', '\\\'', $var);
    if ($html == true)
        $var = htmlspecialchars($var, ENT_COMPAT, 'UTF-8', false);
    return $var;
} |
The function sanitize() in functions.all.php does not escape properly. Backslashes need to be escaped before escaping the single quotes.
Right now it is possible to inject and run PHP code. I do not know exactly if it is possible for an attacker to exploit the vulnerability without having admin (write) access first in the standard installation. But I imagine that plugins may exist - at least in the future - that use this function and allow non-admin users to store information (like a guestbook) and potentially exploit the vulnerability.
Besides that, it is possible to break the pluck installation for an admin by using the combination of a single quote with a preceding backslash as a field value.
Example
Save the following to a page in TinyMCE HTML mode:
<a href="#" title="\';phpinfo();?>">test</a>
fix:
function sanitize($var, $html = true) {
    // Escape backslashes first, so a backslash already present in the input
    // cannot neutralise the backslash added in front of each quote below.
    $var = str_replace('\\', '\\\\', $var);
    $var = str_replace('\'', '\\\'', $var);
    if ($html == true)
        $var = htmlspecialchars($var, ENT_COMPAT, 'UTF-8', false);
    return $var;
} |
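The escaping-order problem described in the report, shown end to end as an added example. This is not the reporter's code and not pluck's own code: sanitize_vulnerable() is a reconstruction of the quote-only escaping the report describes, sanitize_fixed() is the reporter's fix without the HTML step, and the data-file layout ($title = '...';) is an assumption made for illustration. It goes slightly beyond the report by also running a benign quoted value and the "backslash followed by quote" value that breaks the installation for an admin, and it uses PHP's own lexer (token_get_all) to decide whether the generated file is still one string assignment or whether the value has escaped the literal.

```php
<?php
// Added example (not pluck's own code): why the reported sanitize() can be
// broken out of, and why escaping backslashes first closes the hole.
// The data-file layout below ("$title = '...';") is an assumption.

// Quote-only escaping, as the report describes the original sanitize().
function sanitize_vulnerable($var) {
    return str_replace("'", "\\'", $var);
}

// The reporter's fix: backslashes first, then single quotes.
function sanitize_fixed($var) {
    $var = str_replace('\\', '\\\\', $var);
    $var = str_replace("'", "\\'", $var);
    return $var;
}

// Assumed shape of a generated data file: one single-quoted assignment.
function build_data_file($escaped) {
    return "<?php\n\$title = '" . $escaped . "';\n";
}

// Lex the generated file and report whether it is still exactly one
// assignment of one string literal. Anything else means the value broke
// out of the literal: injected code, or a parse error that takes the
// installation down.
function is_single_assignment($php_source) {
    $kinds = array();
    foreach (token_get_all($php_source) as $tok) {
        if (is_array($tok)) {
            if ($tok[0] === T_WHITESPACE) continue;
            $kinds[] = token_name($tok[0]);
        } else {
            $kinds[] = $tok;
        }
    }
    return $kinds === array('T_OPEN_TAG', 'T_VARIABLE', '=', 'T_CONSTANT_ENCAPSED_STRING', ';');
}

// Decode a PHP single-quoted literal the way the engine does: only \\ and \'
// are escape sequences, every other backslash is literal.
function decode_single_quoted($literal) {
    $inner = substr($literal, 1, -1);
    return preg_replace('/\\\\([\\\\\'])/', '$1', $inner);
}

// Constructed inputs: the report's payload, the value that breaks the
// installation for an admin, and a benign value with plain quotes.
$values = array(
    "\\';phpinfo();?>",
    "it\\'s",
    "plain 'quoted' text",
);

foreach ($values as $value) {
    foreach (array('vulnerable', 'fixed') as $variant) {
        $escaped = ($variant === 'fixed') ? sanitize_fixed($value) : sanitize_vulnerable($value);
        $file = build_data_file($escaped);
        $intact = is_single_assignment($file);
        $roundtrip = $intact && decode_single_quoted("'" . $escaped . "'") === $value;
        printf("%-10s %-28s literal intact: %-3s  value round-trips: %s\n",
            $variant, var_export($value, true),
            $intact ? 'yes' : 'no', $roundtrip ? 'yes' : 'no');
    }
}
```

With the quote-only escaping, the benign value survives but both backslash-prefixed values do not: "\';" becomes "\\';", the lexer sees a complete literal containing one backslash, and whatever follows is parsed as code (the phpinfo() call in the report's payload, or a stray identifier and unterminated string for "it\'s"). With backslashes escaped first, every generated file lexes as a single assignment and decodes back to the original value.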