AppSec Blog

Spot the Vuln - Fall - Cross Site Scripting


Affected Software: Cubed

Fixed in Version: 1.0 RC2

Issue Type: Cross Site Scripting

Original Code: Found Here


This week's patch is a good one. The code sample is essentially a library of helper functions. There is no blatant vulnerability in the library itself, but it does contain a startling function called "PrepDataForScript". Its name and body make clear that it is meant to sanitize data before that data is written into a script block. Unfortunately, the routine isn't very robust: it is a blacklist of a handful of exact strings rather than an encoder for the context the data ends up in. When you see things like the code snippet below, you know the developer is headed in the wrong direction:

$strData = str_replace("</script>", "&lt/script&gt", $strData);

A replacement like this only catches the exact spellings of the closing tag that the developer thought of, leaves single quotes untouched, and even gets the entity form wrong (no trailing semicolons). Fortunately, the Cubed developers were smart enough to realize that this function is dangerous and would only give callers a false sense of security. Instead of trying to fix it up, they removed the function entirely.
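To see why patching the blacklist was not worth the effort, here is an added example (not Qcodo/Cubed project code) that reproduces the removed function next to a context-aware encoder and runs both over a few constructed inputs. The backslash and newline lines of the original are garbled on this page, so their reconstruction here is an assumption.

```php
<?php
// Added example: the removed PrepDataForScript reproduced from the diff,
// beside a context-aware replacement. Not Qcodo/Cubed project code.
// ASSUMPTION: the original doubled backslashes and turned a newline into
// the two characters "\n"; those lines are garbled on the page.
function PrepDataForScript_legacy($strData) {
    $strData = str_replace("\\", "\\\\", $strData);
    $strData = str_replace("\n", "\\n", $strData);
    $strData = str_replace("\r", "\\r", $strData);
    $strData = str_replace("\"", "&quot;", $strData);
    $strData = str_replace("</script>", "&lt/script&gt", $strData);
    $strData = str_replace("</Script>", "&lt/script&gt", $strData);
    $strData = str_replace("</SCRIPT>", "&lt/script&gt", $strData);
    return $strData;
}

// Context-aware encoding for data placed inside a <script> block.
// json_encode emits a JS string literal; the JSON_HEX_* flags turn
// < > & ' " into \uXXXX escapes, so no byte sequence that the HTML
// parser could read as a tag survives, whatever its case or spacing.
function script_literal($data) {
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed attacker inputs; each one passes the blacklist intact.
function bypass_samples() {
    return [
        // mixed case that none of the three exact-match replacements see
        '</sCrIpT><img src=x onerror=alert(1)>',
        // whitespace before '>' is still a valid end tag to the HTML parser
        '</script ><script>alert(1)</script >',
        // single quotes are never touched, so a '...' JS string is ended trivially
        "'; alert(1); //",
    ];
}

foreach (bypass_samples() as $s) {
    printf("input:  %s\nlegacy: var x = '%s';\njson:   var x = %s;\n\n",
        $s, PrepDataForScript_legacy($s), script_literal($s));
}
```

Run it with the PHP CLI and compare the two output lines per sample: the legacy column still contains a closing tag or a raw single quote, while the json column contains only `\u003C`, `\u003E` and `\u0027` escapes, which the JavaScript engine decodes after the HTML parser has already finished with the script block.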

Developer's Solution

<?php ...snip... function QcodoHandleError($__exc_errno, $__exc_errstr, $__exc_errfile, $__exc_errline, $blnExit = true) { // If a command is called with "@", then we should return if (error_reporting() == 0) return; if (class_exists('QApplicationBase')) QApplicationBase::$ErrorFlag = true; global $__exc_strType; if (isset($__exc_strType)) return; $__exc_strType = "Error"; $__exc_strMessage = $__exc_errstr; switch ($__exc_errno) { case E_ERROR: $__exc_strObjectType = "E_ERROR"; break; case E_WARNING: $__exc_strObjectType = "E_WARNING"; break; case E_PARSE: $__exc_strObjectType = "E_PARSE"; break; case E_NOTICE: $__exc_strObjectType = "E_NOTICE"; break; case E_STRICT: $__exc_strObjectType = "E_STRICT"; break; case E_CORE_ERROR: $__exc_strObjectType = "E_CORE_ERROR"; break; case E_CORE_WARNING: $__exc_strObjectType = "E_CORE_WARNING"; break; case E_COMPILE_ERROR: $__exc_strObjectType = "E_COMPILE_ERROR"; break; case E_COMPILE_WARNING: $__exc_strObjectType = "E_COMPILE_WARNING"; break; case E_USER_ERROR: $__exc_strObjectType = "E_USER_ERROR"; break; case E_USER_WARNING: $__exc_strObjectType = "E_USER_WARNING"; break; case E_USER_NOTICE: $__exc_strObjectType = "E_USER_NOTICE"; break; default: $__exc_strObjectType = "Unknown"; break; } $__exc_strFilename = $__exc_errfile; $__exc_intLineNumber = $__exc_errline; $__exc_strStackTrace = ""; $__exc_objBacktrace = debug_backtrace(); for ($__exc_intIndex = 0; $__exc_intIndex < count($__exc_objBacktrace); $__exc_intIndex++) { $__exc_objItem = $__exc_objBacktrace[$__exc_intIndex]; $__exc_strKeyFile = (array_key_exists("file", $__exc_objItem)) ? $__exc_objItem["file"] : ""; $__exc_strKeyLine = (array_key_exists("line", $__exc_objItem)) ? $__exc_objItem["line"] : ""; $__exc_strKeyClass = (array_key_exists("class", $__exc_objItem)) ? $__exc_objItem["class"] : ""; $__exc_strKeyType = (array_key_exists("type", $__exc_objItem)) ? $__exc_objItem["type"] : ""; $__exc_strKeyFunction = (array_key_exists("function", $__exc_objItem)) ? 
$__exc_objItem["function"] : ""; $__exc_strStackTrace .= sprintf("#%s %s(%s): %s%s%s()\n", $__exc_intIndex, $__exc_strKeyFile, $__exc_strKeyLine, $__exc_strKeyClass, $__exc_strKeyType, $__exc_strKeyFunction); } if (ob_get_length()) { $__exc_strRenderedPage = ob_get_contents(); ob_clean(); } // Call to display the Error Page (as defined in require(__DOCROOT__ . ERROR_PAGE_PATH); if($blnExit) exit; } -function PrepDataForScript($strData) { -$strData = str_replace("\", "\\", $strData); -$strData = str_replace("\n", "\n", $strData); -$strData = str_replace("\r", "\r", $strData); -$strData = str_replace("\"", "&quot;", $strData); -$strData = str_replace("</script>", "&lt/script&gt", $strData); -$strData = str_replace("</Script>", "&lt/script&gt", $strData); -$strData = str_replace("</SCRIPT>", "&lt/script&gt", $strData); -return $strData; -} ?>
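Review bot: the hunk removes PrepDataForScript but has no added lines, so any call site that still embeds data in a <script> block is now left with no escaping at all; before merging, grep for remaining callers and route them through a context-aware encoder such as json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT). The removed body also shows why a fix in place was the wrong path: only three exact spellings of `</script>` are matched, single quotes are never touched, and the replacement entity `&lt/script&gt` omits the semicolons.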
