what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ExpressionEngine 2.2.2 / CodeIgniter 2.0.3 Cross Site Scripting

ExpressionEngine 2.2.2 / CodeIgniter 2.0.3 Cross Site Scripting
Posted Nov 30, 2011
Authored by Dr. Marian Ventuneac

ExpressionEngine version 2.2.2 and CodeIgniter version 2.0.3 suffer from filter bypass and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2011-4025
SHA-256 | fdab17029ae48b80689e4ddd515edc23100d07a8f55741743dc18b289e5b7a22

ExpressionEngine 2.2.2 / CodeIgniter 2.0.3 Cross Site Scripting

Change Mirror Download

CVE: CVE-2011-4025
Vendor: EllisLab
Products: ExpressionEngine 2.2.2, CodeIgniter 2.0.3
Vulnerabilities: xss_clean filter bypass, leading to Cross-Site Scripting (XSS)
Risk: High
Attack Vector: From Remote
Reference: http://secureappdev.blogspot.com/2011/11/ellislab-xssclean-filter-bypass.html


1. Description

EllisLab ExpressionEngine 2.2.2 and CodeIgniter 2.0.3 were found vulnerable to various XSS attacks when relying on XSS protection provided by xss_clean filter. When exploited by an external/internal attacker, such identified vulnerabilities could lead to Session Hijack, Information Disclosure, force installation of malicious file or Trojan on users' PCs, etc.

Due to implementation flaws affecting functions _remove_evil_attributes function flaw and xss_clean of CI_Security class, the internal XSS filter can be bypassed, thus allowing successful XSS attacks on products using either ExpressionEngine 2.2.2 or CodeIgniter 2.0.3.

_remove_evil_attributes function of CI_Security class allows detection and removal of 'evil' on* event attributes (e.g. onmouseover, onfocus, etc) from any HTML tag submitted as a parameter of GET or POST requests. By exploiting an implementation flaw identified in _remove_evil_attributes function, an attacker can inject XSS payloads relying on the use of 'evil' on* attributes, as shown below:

XSS injected payload: <a href=”#”onclick=”alert(1)”>" onclick="">

xss_clean 'filtered' output: <a href=”#>" onclick="">

xss_clean function includes functionality for replacing any detected ( ) characters with the corresponding HTML entities (( , ) respectively). As stated by EllisLab developers, something like eval('some code') becomes eval('some code') and such rewritten code is harmless.

When the code to be sanitised is JavaScript and is part of an attribute of an HTML tag, replacing ( ) characters with corresponding HTML entities still allows successful execution of such JavaScript code by the browser.

When the flaws affecting both _remove_evil_attributes function and xss_clean functions are exploited together, this allows successful injection and execution of common XSS attack payloads, as shown below:

XSS injected payload: <a href="#"onclick="alert(1)">" onclick="alert(2)">aa</a>

xss_clean 'filtered' output: <a href="#>" onclick="alert(2)">aa</a>


2. Affected Versions

EllisLab ExpressionEngine 2.2.2
EllisLab CodeIgniter 2.0.3


3. Mitigation

Vendor recommends upgrading to ExpressionEngine 2.3.0 or later, respectively to CodeIgniter 2.1.0 or later.

4. Disclosure Timeline

2011, September 08: Vulnerabilities discovered and documented
2011, September 08: Notification sent to EllisLab
2011, September 08: Vulnerabilities confirmed by EllisLab
2011, October 11: EllisLab released ExpressionEngine 2.3.0
2011, November 14: EllisLab released CodeIgniter 2.1.0
2011, November 28: MVSA-11-013 advisory published.


MVSA-11-013
Dr. Marian Ventuneac
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close