AppSec Blog

Spot the Vuln - Character - Cross Site Scripting

Details

Affected Software: PhotoSmash

Fixed in Version: 1.0.5

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

Once again, we see the familiar pattern of the developer taking user/attacker-controlled values and using them to build HTML markup. Line 76 is the start of a large echo statement which writes a couple of input fields to markup. The developer uses the $_REQUEST['bwbps_galname'] variable to populate the value attribute of one of the hidden input fields, and echoes the same raw value a second time as text inside a <div>. Although not completely clear from the code snippet, the developers addressed this issue by placing an encoded version of $_REQUEST['bwbps_galname'] into a variable named $gallery_name and using that encoded value, rather than the raw request value, to build the HTML markup.
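To make the fix concrete, here is an added example (not PhotoSmash code, and not the project's patch) that reproduces the pre-patch pattern beside two candidate encoders. The template string, the payload and the attribute_injected() helper are constructed for the demonstration. The point it shows is that the attribute is delimited with single quotes, so whatever produces $gallery_name must escape single quotes too: htmlspecialchars() with ENT_COMPAT (PHP's default flag set before 8.1) does not, while ENT_QUOTES, which is also what WordPress's esc_attr() uses, does.

```php
<?php
// Added example, not PhotoSmash code. The pre-patch pattern (a raw request
// value interpolated into a single-quoted value attribute) beside two
// encoders, parsed back with DOMDocument to see whether the attribute
// boundary held. Template and payload are constructed for this demo.

const TEMPLATE = "<input type='hidden' name='bwbps_galname' value='%s' />";

// Constructed attacker input: closes the single-quoted attribute and adds
// an event-handler attribute. It contains no <, > or ", so an encoder that
// only handles those characters leaves it untouched.
const PAYLOAD = "x' onmouseover='alert(1)";

// Pre-patch behaviour: no encoding at all.
function render_unsafe(string $galname): string
{
    return sprintf(TEMPLATE, $galname);
}

// Insufficient fix: ENT_COMPAT encodes & < > and double quotes but
// leaves single quotes alone, so this attribute can still be escaped.
function render_ent_compat(string $galname): string
{
    return sprintf(TEMPLATE, htmlspecialchars($galname, ENT_COMPAT, 'UTF-8'));
}

// Correct fix for this context: ENT_QUOTES encodes both quote styles.
// WordPress's esc_attr() behaves this way; $gallery_name in the patch
// should hold the result of a call like this.
function render_ent_quotes(string $galname): string
{
    return sprintf(TEMPLATE, htmlspecialchars($galname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Parse the rendered markup the way a browser would and report whether the
// attacker's attribute ended up as a real attribute on the <input> element.
function attribute_injected(string $html, string $attr = 'onmouseover'): bool
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // fragments produce harmless parser notices
    $dom->loadHTML($html);
    libxml_clear_errors();
    $input = $dom->getElementsByTagName('input')->item(0);
    return $input !== null && $input->hasAttribute($attr);
}

foreach (['render_unsafe', 'render_ent_compat', 'render_ent_quotes'] as $fn) {
    $html = $fn(PAYLOAD);
    printf("%-18s injected: %s\n  %s\n", $fn, attribute_injected($html) ? 'yes' : 'no', $html);
}
```

The first two renderers leave the injected handler as a genuine attribute on the element; only the ENT_QUOTES version keeps the whole payload inside the value attribute. A mouse handler is inert on a hidden input, but the check is about whether the attribute boundary holds at all, since any attribute name could be injected there. For the <div> text context in the same echo, either flag set is adequate because the angle brackets are encoded; the single-quote gap only matters inside a single-quoted attribute.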

Although not addressed by this patch, a couple of other areas deserve deeper inspection. For example, on line 113 the application calls a JavaScript eval on each string stored in the flashStartUploadFunctions array. In the visible snippet the only entry pushed into that array is a hard-coded string, but if any entry ever contains user/attacker-supplied content, this would result in XSS. Additionally, on line 136 it seems the user/attacker has some influence on variables passed to a SWF object. If the SWF doesn't have the appropriate logic to handle the tainted data, this could result in a security vulnerability.

Developers Solution

<?php ...snip... //Get a link for the Start Slideshow for PicLens function getPicLensLink($g, $atts){ if($atts['link_text']){ $link_text = $atts['link_text']; } else { $link_text = 'Start Slideshow <img src="http://lite.piclens.com/images/PicLensButton.png" alt="PicLens" width="16" height="12" border="0" align="absmiddle">'; } $picatts['id'] = $g['gallery_id']; $picatts['thumb_width'] = $g['thumb_width']; $picatts['thumb_height'] = $g['thumb_height']; $picatts['gallery_type'] = $g['gallery_type']; $picatts['images'] = $g['images']; $picatts['page'] = $g['page']; if($g['tags'] == 'post_tags'){ $picatts['tags'] = $this->getPostTags(0); } else { $picatts['tags'] = $g['tags']; } $param_array = $this->filterMRSSAttsFromArray($picatts, ""); if( is_array($param_array)){ $params = implode("&", $param_array); //$params = urlencode($params); } $ret = '<a class="piclenselink" href="javascript:PicLensLite.start({feedUrl:\" . plugins_url() . '/photosmash-galleries/bwbps-media-rss.php?' . $params . '\'});"> ' . $link_text . ' </a> '; return $ret; } function getPostTags($post_id){ if(!$post_id ){ global $wp_query; $post_id = $wp_query->post->ID; } $terms = wp_get_object_terms( $post_id, 'post_tag', $args ) ; if(is_array($terms)){ foreach( $terms as $term ){ $_terms[] = $term->name; } unset($terms); if( is_array($_terms)){ $ret = implode("," , $_terms); } else { $ret = ""; } } return $ret; } /*SECTION: Media Uploader Integration * Media Uploader Integration for Admin -> Photo Manager uploading images * */ function mediaUAddGalleryFieldToMediaUploader(){ if(isset($_REQUEST['bwbps_galid']) && (int)$_REQUEST['bwbps_galid']){ echo "<input type='hidden' id='bwbps_mediau_galid' name='bwbps_mediau_galid' value='" . (int)$_REQUEST['bwbps_galid'] . "' /> <input type='hidden' id='bwbps_galid' name='bwbps_galid' value='" . (int)$_REQUEST['bwbps_galid'] . "' /> -<input type='hidden' name='bwbps_galname' value='" . $_REQUEST['bwbps_galname'] . 
"' /> -<div style='background-color: #eaffdf; padding: 5px; border: 1px solid #a0a0a0; margin: 3px; font-size: 14px; color: #333;'>Adding to PhotoSmash: " . $_REQUEST['bwbps_galname'] . "</div> +<input type='hidden' name='bwbps_galname' value='" . $gallery_name . "' /> +<div style='background-color: #eaffdf; padding: 5px; border: 1px solid #a0a0a0; margin: 3px; font-size: 14px; color: #333;'>Adding to PhotoSmash: " . $gallery_name . "</div> "; } else { $gid = isset($_REQUEST['bwbps_mediau_galid']) ? (int)$_REQUEST['bwbps_mediau_galid'] : 0; $galleryDDL = $this->getGalleryDDL($gid, "select gallery", "", "bwbps_mediau_galid", 30, true, true); echo "<div style='padding: 5px; margin: 3px; font-size: 14px; color: #333;'>Add to PhotoSmash: $galleryDDL</div>"; } } function mediaUAddGalleryFieldToFlashUploader(){ ?> <script type="text/javascript"> if (typeof flashStartUploadFunctions == 'undefined'){ var flashStartUploadFunctions = []; function addFlashStartUploadFunction( funct_name ){ flashStartUploadFunctions.push( funct_name ); } function runFlashStartUploadFunctions(){ if( flashStartUploadFunctions.length > 0 ){ var bwbfunc; for( bwbfunc in flashStartUploadFunctions){ eval(flashStartUploadFunctions[ bwbfunc ]); } } } } addFlashStartUploadFunction( 'bwbpsAddGalleryToFlashUploader();' ); jQuery(window).load( function() { swfu.settings.upload_start_handler = function(){ runFlashStartUploadFunctions(); } }); function bwbpsAddGalleryToFlashUploader(){ jQuery('#bwbps_uploaded_images', top.document).show().append('<h4>Flash upload...preview not available.</h4>'); var gid = jQuery("#bwbps_mediau_galid_flash").val() + ""; if( gid ){ swfu.addPostParam('bwbps_mediau_galid', gid); <?php if(isset($_REQUEST['bwbps_galid']) ){ ?> swfu.addPostParam('bwbps_galid', gid); <?php } ?> } } </script> <?php if(isset($_REQUEST['bwbps_galid']) && (int)$_REQUEST['bwbps_galid']){ $this->count++; echo " <script type='text/javascript'> jQuery(window).load( function() { //Hide the other Media Tabs 
jQuery('#tab-type_url').hide(); jQuery('#tab-library').hide();"; ...snip... ?>
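Review bot: the + lines build both the hidden input's value attribute and the <div> text from $gallery_name, but nothing in this hunk assigns $gallery_name; the call that encodes $_REQUEST['bwbps_galname'] into it must sit in the elided part of mediaUAddGalleryFieldToMediaUploader(), otherwise the variable is undefined and both outputs silently become empty. Please include that assignment in the patch so the encoder can be reviewed, and make sure it escapes single quotes: the attribute is written as value='" . $gallery_name . "', so an encoder that handles only <, > and double quotes (PHP's htmlspecialchars() with its pre-8.1 default ENT_COMPAT flags, for instance) still lets a value containing a single quote terminate the attribute and inject further attributes. WordPress's esc_attr() encodes both quote styles and is the right choice for this context; the adjacent <div> text can use esc_html(). The two - lines also show the same raw value echoed twice, so both call sites need the encoded variable, as the + lines do.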
