esotalk topic [img] xss vulnerability

Question

esotalk topic [img] xss vulnerability

evi1m0 opened this issue 10 years ago · 9 comments

[img][url=http://onclick=alert(document.cookie)//.com]http://www.hackersoul.com/image.jpg[/url][/img]

Answer 1 · 2014-12-26T17:54:26.000Z

can't reproduce

Answer 2 · 2014-12-27T03:54:50.000Z

http://esotalk.org/forum/1479-mass-email

Onmouseover image.

Answer 3 · 2014-12-27T09:52:06.000Z

Ok, works.

Answer 4 · 2015-01-05T19:00:47.000Z

Nice find, we'll have to figure out the best solution to prevent this.

Answer 5 · 2015-03-15T14:54:53.000Z

Guys, any chance that it's going to be fixed? I remind it's a security hole.

Answer 6 · 2015-03-16T08:58:13.000Z

Maybe use the PHP parse_url function? Simplest solution that comes to mind.

$parsedUrl = parse_url($url);
if ($parsedUrl !== false) { /* valid! */ }

Answer 7 · 2015-03-16T08:59:26.000Z

htmlspecialchars

Answer 8 · 2015-03-16T09:08:55.000Z

Or

$str = mb_convert_encoding($str, 'UTF-8', 'UTF-8');
$str = htmlentities($str, ENT_QUOTES, 'UTF-8');

See http://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-inje

Answer 9 · 2015-03-27T02:25:12.000Z

One problem with proposed solutions is, as far as I can tell, onclick=alert(document.cookie)// are all valid characters within a URL. Filtering out any of those would potentially break valid URLs.

From glancing over the function, it seems like the simple way to solve this is to reorder the processing of BBCode so that images are processed before URLs. Then modify the regex of the [img] tag to check for valid protocols such as http/https at the beginning. I think this would prevent nesting of [img] tags, and then the URL parser would only run on URLs that are not wrapped in html.

I will do some testing on some solutions for this. I think the better way to solve this would be to replace the plugin with some 3rd party BBCode parser but that probably won't happen.