[solved] Quickpoll 1.8.1 XSS

Printable View

07/15/2010, 08:56
warrior

[solved] Quickpoll 1.8.1 XSS

Hi!
I found XSS voulnerability in your extension Quickpoll v.1.8.1. (didn't try with older versions).
Some screenshots:
http://img35.imageshack.us/img35/3336/85604884.png
http://img35.imageshack.us/i/85604884.png/

http://img24.imageshack.us/img24/9600/80798247.png
http://img24.imageshack.us/f/80798247.png/

Hope it will be fixed ASAP... :evil:
07/15/2010, 09:37
thyon

Re: Quickpoll 1.8.1 XSS

If I knew how to fix it, I would. I'm using a normal call $this->addToUrl(), which means shouldn't that be protected rather, as I'm just adding something to the current URL, which you could change in a number of ways..
07/15/2010, 10:00
thyon

Re: Quickpoll 1.8.1 XSS

I'm going to submit a defect for addToUrl since it goes back to the $_GET parameters, which it shouldn't actually do, since Contao uses the $this->Input->get('a'); function to screen XSS attacks out. I've modified the function in FrontEnd.php to test and this seems to work:

Code:

protected function addToUrl($strRequest, $blnIgnoreParams=false) { $arrGet = $blnIgnoreParams ? array() : $_GET; // <<=== THE PROBLEM .. .. foreach ($arrGet as $k=>$v) { $vv = $this->Input->get($k); // <<=== THE FIX $strParams .= $GLOBALS['TL_CONFIG']['disableAlias'] ? '&' . $k . '=' . $vv : '/' . $k . '/' . $vv; } .. }

This is not only a problem for Quickpoll, but any extension using this function.
07/15/2010, 10:21
warrior

Re: Quickpoll 1.8.1 XSS

Thanks for your quick response.
07/15/2010, 11:33
thyon

Re: Quickpoll 1.8.1 XSS

Please undo the FrontEnd suggestion I've made. I've rather added the fix into an overridden method inside the module. I've added the fixes to this method override in both module files (2 files). You can just update/fix the Repository extension.
07/15/2010, 12:21
warrior

Re: Quickpoll 1.8.1 XSS

Ok - look like all works fine now.