Symfony Security issue - XSS attack on form helpers [message #3872]
Mon, 13 March 2006 23:19

Synopsis
--------
Symfony's input_tag form helper is vulnerable to cross site scripting attacks.
Affected Versions
-----------------
0.6, latest beta.
Possibly older versions too.
Description
-----------
The input_tag will display a value received in the request without sanitising its content. More information on XSS can be found here - http://en.wikipedia.org/wiki/Cross_site_scripting.
A ticket for this bug has been opened on trac.
Impact
------
By exploiting the cross-site scripting vulnerabilities, an attacker can execute arbitrary scripts running in the context of the victim's browser. The severity of this issue will vary on a site to site basis.
Workaround
----------
Currently there is no workaround.
Example
-------
http://www.askeet.com/search?search=test%22%3E%3Cscript%3Ealert('XSS');%3C%2Fscript%3E%3Ci
[Updated on: Mon, 13 March 2006 23:43]
http://shurl.net - the only URL shortening service written with symfony!

Re: Symfony Security issue - XSS attack on form helpers [message #3894 is a reply to message #3872]
Tue, 14 March 2006 12:34
b4pro2 (Member)
which ticket are you referring to? I was not able to find it...
cheers
Kai

Re: Symfony Security issue - XSS attack on form helpers [message #3900 is a reply to message #3872]
Tue, 14 March 2006 14:22
This is not a validation issue: even if you fail validation on a form element for invalid content, the value can still be injected via the URL.
This *is* a security issue in symfony and every application written in it that uses the form helpers.
http://shurl.net - the only URL shortening service written with symfony!

Re: Symfony Security issue - XSS attack on form helpers [message #3902 is a reply to message #3901]
Tue, 14 March 2006 16:49
By default, the form helpers repopulate from request variables. By default these are not escaped; therefore, by default, these fields can be attacked in the way I showed.
I've proven this attack on more than just the askeet site.
The problem here is that the form helpers' default behaviour can, and will, lead to XSS issues on websites written in symfony.
http://shurl.net - the only URL shortening service written with symfony!

Re: Symfony Security issue - XSS attack on form helpers [message #3907 is a reply to message #3904]
Tue, 14 March 2006 18:25
webdev (Junior Member)
Hello,
I don't believe the answer is to remove the form repopulation, but rather to add a set of filters to the helpers.
I have been using PEAR::Quickform for many years, before I moved to Symfony.
http://pear.php.net/manual/en/package.html.html-quickform.php
Quickform utilizes a series of filters to take care of such issues:
"QuickForm can also make use of filters for data import into the form or for data processing once the form has been submitted. Filters work the same way as rules except that you don't need to register them. You write your filter functions and call them in your script. You can call any php function (ie. trim, addslashes, htmlentities, etc.) and have them applied recursively to your element values."
It is as simple as:
$this->form->applyFilter('__ALL__', 'trim');
$this->form->applyFilter('__ALL__', 'strip_tags');
I recommend adding a set of filters that can be used either on the entire POST/GET:
$this->form->applyFilter('__ALL__', 'strip_tags');
or individually on a single form element like
$this->form->applyFilter('first_name', 'strip_tags');
Paul
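A filter registry in the applyFilter('__ALL__', ...) style Paul describes, as an added example: this is not PEAR QuickForm's or Symfony's code; the class FormFilters, its apply() and run() methods, the safe_in_attribute() helper and the request values are all constructed for this example. Run over a constructed request, it shows each filter's effect and also checks what input filtering alone leaves behind for the attribute context the advisory is about.

```php
<?php
// Added example, not PEAR QuickForm's or Symfony's code: a small filter
// registry in the style of QuickForm's applyFilter('__ALL__', ...), run
// over a constructed request array. The class and function names here
// (FormFilters, apply, run, safe_in_attribute) are chosen for this example.

class FormFilters
{
    /** @var array<string, callable[]> element name (or '__ALL__') => filters */
    private array $filters = [];

    // Register a filter for one element, or for every element with '__ALL__'.
    public function apply(string $element, callable $filter): void
    {
        $this->filters[$element][] = $filter;
    }

    // Return a filtered copy of the request: '__ALL__' filters run first,
    // then the element's own filters, each in registration order.
    public function run(array $request): array
    {
        $clean = [];
        foreach ($request as $name => $value) {
            $chain = array_merge($this->filters['__ALL__'] ?? [], $this->filters[$name] ?? []);
            foreach ($chain as $filter) {
                $value = $filter($value);
            }
            $clean[$name] = $value;
        }
        return $clean;
    }
}

// Can this string sit between double quotes in an HTML attribute without
// ending the attribute or starting a tag? That is the property the form
// helper needs; strpbrk() returns false when none of the listed characters occur.
function safe_in_attribute(string $value): bool
{
    return strpbrk($value, '"<>') === false;
}

// Constructed request values: a padded name and the decoded search
// parameter from the advisory's example URL.
$request = [
    'first_name' => '  paul  ',
    'search'     => 'test"><script>alert(\'XSS\');</script><i',
];

$filters = new FormFilters();
$filters->apply('__ALL__', 'trim');
$filters->apply('__ALL__', 'strip_tags');
$filters->apply('first_name', 'ucwords');

$clean = $filters->run($request);
print_r($clean);

// strip_tags drops the <script> element but keeps the quote that closes a
// value="..." attribute, so the helper must still escape on output.
var_dump(safe_in_attribute($clean['search']));
var_dump(safe_in_attribute(htmlspecialchars($clean['search'], ENT_QUOTES, 'UTF-8')));
```

Run it with php from the command line. The filtered search value still fails the attribute check, while the same value passed through htmlspecialchars() with ENT_QUOTES passes it: input filters of this kind are useful for normalising data, but they do not replace escaping in the helper that writes the value into HTML.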

Re: Symfony Security issue - XSS attack on form helpers [message #3945 is a reply to message #3923]
Wed, 15 March 2006 13:07
If you don't think it's a big deal you really should go learn about XSS problems. Read the Wikipedia page.
http://shurl.net - the only URL shortening service written with symfony!

Re: Symfony Security issue - XSS attack on form helpers [message #3954 is a reply to message #3953]
Wed, 15 March 2006 14:21
In fact, you could use GET to inject JS that then submits things via 'AJAX' as a POST.
http://shurl.net - the only URL shortening service written with symfony!

Re: Symfony Security issue - XSS attack on form helpers [message #4030 is a reply to message #4029]
Fri, 17 March 2006 19:29
tamcy (Faithful Member)
A quick fix would be:
Open symfony_library_dir/helper/FormHelper.php,
find function input_tag, which should look like this:

    function input_tag($name, $value = null, $options = array())
    {
      // password fields are never repopulated
      if ($value === null && isset($options['type']) && $options['type'] == 'password')
      {
        $value = null;
      }
      // otherwise repopulate from the request; the value is used as-is
      else if (($reqvalue = _get_request_value($name)) !== null)
      {
        $value = $reqvalue;
      }
      return tag('input', array_merge(array('type' => 'text', 'name' => $name, 'id' => $name, 'value' => $value), _convert_options($options)));
    }

change

    $value = $reqvalue;

to

    $value = htmlspecialchars($reqvalue);

This is meant to fix the double quote issue, but should also fix the XSS problem.
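The unescaped repopulation the advisory describes and the htmlspecialchars() fix above, side by side, as an added example: this is not Symfony's code or tamcy's patch but a stand-alone stand-in for input_tag, in which a constructed $request array replaces _get_request_value() and the names render_input, input_tag_unescaped, input_tag_escaped, is_single_element and extract_value are chosen here. It escapes with ENT_QUOTES, which the bare htmlspecialchars() call in the quick fix does not (its default flags leave single quotes alone), so the same call also covers helpers that emit single-quoted attributes.

```php
<?php
// Added example, not Symfony's own code: a minimal stand-in for the
// repopulating input_tag helper discussed in the thread, in the unescaped
// form the advisory describes and in the escaped form of the quick fix.
// $request is a constructed array standing in for _get_request_value().

function render_input(string $name, ?string $value, bool $escape): string
{
    $attrs = ['type' => 'text', 'name' => $name, 'id' => $name, 'value' => $value];
    $html = '<input';
    foreach ($attrs as $k => $v) {
        if ($v === null) {
            continue;
        }
        // ENT_QUOTES also escapes single quotes, so the same call is safe
        // for helpers that emit single-quoted attributes.
        $html .= ' ' . $k . '="' . ($escape ? htmlspecialchars($v, ENT_QUOTES, 'UTF-8') : $v) . '"';
    }
    return $html . ' />';
}

// Vulnerable behaviour: the request value is placed in the attribute verbatim.
function input_tag_unescaped(string $name, array $request): string
{
    return render_input($name, $request[$name] ?? null, false);
}

// Fixed behaviour: the request value is HTML-escaped before it reaches the attribute.
function input_tag_escaped(string $name, array $request): string
{
    return render_input($name, $request[$name] ?? null, true);
}

// A rendered input tag must be exactly one element; a second '<' or '>'
// means the request value broke out of its attribute.
function is_single_element(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Recover the value attribute and decode it: a correct escape round-trips
// the original text unchanged, so escaping loses no data.
function extract_value(string $html): ?string
{
    if (!preg_match('/ value="([^"]*)"/', $html, $m)) {
        return null;
    }
    return htmlspecialchars_decode($m[1], ENT_QUOTES);
}

// Constructed request: the decoded search parameter from the advisory's example URL.
$request = ['search' => 'test"><script>alert(\'XSS\');</script><i'];

$bad  = input_tag_unescaped('search', $request);
$good = input_tag_escaped('search', $request);

echo $bad, PHP_EOL;
echo $good, PHP_EOL;
var_dump(is_single_element($bad));                      // the unescaped tag is no longer one element
var_dump(is_single_element($good));                     // the escaped tag is
var_dump(extract_value($good) === $request['search']);  // and its value decodes back unchanged
```

Run it with php from the command line. The unescaped tag contains a script element that did not come from the template, the escaped tag is a single input element, and decoding its value attribute gives back the original request string, which is the check worth keeping in a test suite after applying the patch.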