
fixing xss in exhibits editor#10

Open
Alexeyan wants to merge 1 commit into
Indexhibit:masterfrom
Alexeyan:master

Conversation

@Alexeyan

@Alexeyan Alexeyan commented Jan 4, 2018


The exhibits of this CMS don't really sanitize the user input for JavaScript code, allowing potential XSS to happen. A potential target for XSS could be the ndxz_access and ndxz_hash cookies, allowing an attacker to steal cookies and impersonate other users.

This fix is only exemplary for simple JavaScript tags in the text editor. I would recommend including an anti-XSS library and sanitizing every user input.

Best regards,
Alex

@Vaska

Vaska commented Jan 4, 2018

Collaborator

Thanks Alexeyan - I can use help in this area. There is some sanitization at the PHP end of things but perhaps it's not wholly sufficient. I'll have a look and merge this soon. ;)

@Alexeyan

Alexeyan commented Jan 4, 2018

Author

I would recommend using a maintained XSS-filter package, like this one for example:
https://github.com/cure53/DOMPurify
and using it on every user-submitted input field.
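The server-side counterpart to the recommendation above, as an added example that is not Indexhibit's code nor part of this pull request: rather than trying to strip JavaScript out of what an editor types, encode the stored value for the HTML context it is rendered into, so whatever was saved is displayed as text and never parsed as markup. The function names and the sample exhibit are constructed for this illustration.

```php
<?php
// Added example (not Indexhibit's code): contextual output encoding for
// user-submitted exhibit text. Escaping at render time means the stored
// value can contain anything; the browser only ever sees it as text.
// Function names below are hypothetical.

declare(strict_types=1);

/** Escape a string for insertion into an HTML element body or a quoted attribute. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES covers both ' and " so the value is also safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one exhibit (title + body) as an HTML fragment with every user field encoded. */
function renderExhibit(array $exhibit): string
{
    return '<article>'
        . '<h2>' . escapeHtml($exhibit['title']) . '</h2>'
        . '<div class="body">' . escapeHtml($exhibit['body']) . '</div>'
        . '</article>';
}

// Constructed sample input: the kind of value a hostile editor could save.
$sample = [
    'title' => 'My show <script>alert(1)</script>',
    'body'  => '"><img src=x onerror="alert(document.cookie)">',
];

// The angle brackets and quotes come out as HTML entities, so neither the
// script element nor the onerror handler is ever created by the browser.
echo renderExhibit($sample), PHP_EOL;
```

Plain output encoding is the right tool for fields that are supposed to be text (titles, captions). For an editor field that must keep some formatting, pass the value through an allowlist-based HTML sanitizer such as the DOMPurify linked above (or a server-side equivalent) and still encode every other field; `strip_tags()` with an allowed-tags list is not a substitute, because it leaves event-handler attributes on the allowed tags in place.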

@Zegnat

Zegnat commented Feb 22, 2019


A potential target for XSS could be the ndxz_access and ndxz_hash cookies, allowing an attacker to steal cookies and impersonate other users.

The proper solution to this is probably to mark session cookies HttpOnly. We are talking compatibility all the way back to IE6 here, this is not new. Cookies that are marked HttpOnly cannot be read by JavaScript and are thus pretty safe from being read through XSS.

For PHP this is the session.cookie-httponly configuration value, and it can also be set through the more easily accessible (from Indexhibit's side) session_set_cookie_params function:

$currentSettings = session_get_cookie_params();
session_set_cookie_params(
    $currentSettings['lifetime'],
    $currentSettings['path'],
    $currentSettings['domain'],
    $currentSettings['secure'], // Secure (cf. https://www.owasp.org/index.php/SecureFlag)
    true                        // HttpOnly
);

(I was just scrolling by and thought I’d drop this in. Been a long time since I looked at Indexhibit, maybe it is about time again.)
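A fuller version of the cookie hardening described in the comment above, added here as an example that is not Indexhibit's code nor part of this pull request. It uses the array form of session_set_cookie_params() and setcookie(), which exists from PHP 7.3 onward, so that Secure and SameSite can be set alongside HttpOnly, and it verifies the result before the session starts. The cookie name ndxz_access comes from the PR description; the token value and the helper names are placeholders.

```php
<?php
// Added example (not Indexhibit's code): mark the PHP session cookie and an
// application cookie HttpOnly, Secure and SameSite, then verify the setting.
// Requires PHP 7.3+ for the array signatures. Must run before session_start()
// and before any output, otherwise the headers are already sent.

declare(strict_types=1);

/** Harden the PHP session cookie and return the effective parameters. */
function hardenSessionCookie(bool $httpsOnly = true): array
{
    $current = session_get_cookie_params();
    session_set_cookie_params([
        'lifetime' => $current['lifetime'],
        'path'     => $current['path'],
        'domain'   => $current['domain'],
        'secure'   => $httpsOnly, // only transmitted over TLS
        'httponly' => true,       // not readable from document.cookie
        'samesite' => 'Lax',      // not attached to cross-site POST requests
    ]);
    return session_get_cookie_params();
}

/** Set an application cookie with the same protections. */
function setHardenedCookie(string $name, string $value, int $ttlSeconds): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Fail loudly if the session cookie would still be readable by script. */
function assertHttpOnly(array $params): void
{
    if (empty($params['httponly'])) {
        throw new RuntimeException('session cookie is not HttpOnly');
    }
}

$params = hardenSessionCookie(true);
assertHttpOnly($params);
session_start();

// Placeholder token; Indexhibit's real login cookies are issued elsewhere.
setHardenedCookie('ndxz_access', 'placeholder-token', 3600);
```

The same result can be pinned at the server level with `session.cookie_httponly = 1` (and `session.cookie_secure = 1`) in php.ini, which protects the application even if a code path forgets to call the helper. HttpOnly only stops a script from reading the cookie; it does not stop injected script from issuing requests that carry it, so it complements output encoding rather than replacing it.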

@Vaska

Vaska commented Feb 22, 2019 via email

Collaborator
