Security Vulnerabilities
XSS Vulnerability
Background
dadaIMC is content management software for the development of an Independent Media Center site.
Description
All dadaIMC versions before .99 contain a stored cross-site scripting (HTML injection) vulnerability: an anonymous user can place markup in a submission form that, whenever the stored item is displayed, redirects every visitor's browser window to a site of the attacker's choice. Much of the submission-handling code already closes exploits of this kind, but a few code paths remain unprotected.
The exploit currently in use is an <iframe> tag posted in the title or heading field of a newswire Article or OtherPress submission. Affected versions of dadaIMC do not strip <iframe> tags from submissions, so the attacker's input redirects the browser window to, for example, neo-nazi sites.
Analysis
Exploitation lets an attacker selectively redirect pages of the compromised site to arbitrary web sites. Because the injected markup is stored and served to every visitor, an attacker who places JavaScript inside an HTML tag or event-handler attribute in a form field can open new windows, redirect the entire page to another site, or run arbitrary script in visitors' browsers in the context of the site.
Detection
All versions of dadaIMC prior to .99 are susceptible to this vulnerability. To check whether a site has already been hit, search the stored title and heading fields of Article and OtherPress submissions for <iframe (case-insensitively); legitimate submissions have no reason to contain one.
Workaround
The file imc_classes/imc_FunctionLibrary.inc contains a function called cleantext() that attempts to strip malicious tags from user submissions. It needs to be modified to strip <iframe> tags as well, both closed and unclosed, so it should look as follows:
function cleantext($str,$strlang=false) {
    $str = rtrim($str);
    // First pass: remove all harmful tags. The 'i' flag makes these patterns
    // case-insensitive, the 's' flag lets '.' span line breaks.
    $stripsearch = array("'<head[^>]*?>.*?</head>'si", // Strip out head block (scripts, styles)
        "'<!DOCTYPE[^>]*?>'si", // Strip out doctype
        "'<script[^>]*?>.*?</script>'si", // Strip out javascript
        "'<iframe[^>]*?>.*?</iframe>'si", // Strip out iframes
        "'<iframe[^>]*?>'si", // Strip out unclosed iframes
        "'<bgsound[^>]*?>'si", // Strip out bgsound
        "'<meta[^>]*?>'si", // Strip out meta tags
        "'<form[^>]*?>.*?</form>'si", // Strip out forms
        "'<object[^>]*?>.*?</object>'si", // Strip out objects
        "'<embed[^>]*?>.*?</embed>'si", // Strip out embeds
        "'<applet[^>]*?>.*?</applet>'si", // Strip out applets
        "'</?body[^>]*?>'i", // Strip out body tags
        "'</?html>'i", // Strip out html tag
    );
    $stripreplace = "";
    $returnstr = preg_replace($stripsearch,$stripreplace,$str);
    // Second pass: normalize line endings, and neutralize tag fragments the
    // regexes can miss (e.g. an unclosed <script) by encoding the leading "<"
    // as &lt; so the browser renders them as text. Note that strtr() makes a
    // single, case-sensitive pass over the string.
    $changearr = array("\r"=>"\n",
        "\r\n"=>"\n",
        "\n\n\n" => "\n\n",
        " "=>" ",
        "<?"=>"&lt;?",
        "#exec"=>"itriedtohackthis",
        "<meta"=>"&lt;meta",
        "<script"=>"&lt;script",
        "<iframe"=>"&lt;iframe",
        "<form"=>"&lt;form",
        "<object"=>"&lt;object",
        "<embed"=>"&lt;embed",
        "javascript:"=>"",
        "onclick"=>"",
        "ondblclick"=>"",
        "onmousedown"=>"",
        "onmouseup"=>"",
        "onmouseover"=>"",
        "onmousemove"=>"",
        "onmouseout"=>"",
        "onkeypress"=>"",
        "onkeydown"=>"",
        "onkeyup"=>""
    );
    $returnstr = strtr($returnstr,$changearr);
    return $returnstr;
}
Bear in mind that cleantext() is a blacklist: it removes only the tags and attributes it knows about. The strtr() pass is case-sensitive where the regexes are not, so an ONCLICK attribute passes through; event handlers not on the list (onload, onerror and others) and vbscript: URLs pass through untouched; and because strtr() makes a single pass, removing an inner "javascript:" from "javajavascript:script:" leaves a working "javascript:" behind. Treat the patched function as a stop-gap until .99, and for fields that never legitimately contain markup, such as the heading or author, prefer encoding the whole value with htmlspecialchars() over trying to pick out bad tags.
The read_args() function in each class object file (imc_Article.inc, imc_OtherPress.inc, imc_Media.inc, imc_User.inc) should be reviewed to ensure that every piece of user-submitted data is run through cleantext() before it is assigned to a class property. Note also that extract($_POST) lets a client define or overwrite any local variable in read_args(), so reading the expected keys from $_POST directly is preferable. For example, the read_args() function for imc_OtherPress.inc should be modified to read:
function read_args() {
$this->read_object_args();
if (!empty($_POST)) extract($_POST);
if (isset($form_section)) $this->set_section(cleantext($form_section));
if (isset($form_parentid) && is_numeric($form_parentid)) $this->set_parentid($form_parentid);
if (isset($form_category_ids)) $this->set_category_ids($form_category_ids);
if (isset($form_author)) $this->set_author(cleantext($form_author));
if (isset($form_heading)) $this->set_heading(cleantext($form_heading));
if (isset($form_summary)) $this->set_summary(cleantext($form_summary));
if (isset($form_organization)) $this->set_organization(cleantext($form_organization));
if (isset($form_link)) $this->set_link(normalizeURL(cleantext($form_link)));
}
For additional hardening, check that each parameter the server receives is of the expected type before using it. Any variable that is expected to be numeric, such as parentid, should be tested with is_numeric() and otherwise ignored, as the read_args() example above already does:
if (isset($form_parentid) && is_numeric($form_parentid)) {
    $this->set_parentid($form_parentid);
}
Note that is_numeric() also accepts floats and exponent notation such as "1e3"; where the value is an integer ID, ctype_digit() or an explicit (int) cast is stricter.
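The following is an added example, not code from the advisory or from the dadaIMC project. It is a small PHP script that runs the patched cleantext() above over the payload seen in the wild and over constructed inputs that the blacklist lets through, and it shows a stricter alternative, a hypothetical cleanplain() helper, for fields such as the heading, author and organization that should never contain markup at all. It assumes it is run from the dadaIMC root so that the patched imc_classes/imc_FunctionLibrary.inc can be included; the test inputs are constructed for the example.

```php
<?php
// Added example: exercises the advisory's patched cleantext() and shows a
// stricter cleanplain() for plain-text fields. Not part of dadaIMC.
// Assumes the patched function library is reachable from the dadaIMC root.
require_once 'imc_classes/imc_FunctionLibrary.inc';

// cleanplain(): for fields that must never contain markup, do not try to
// pick out bad tags; encode every markup-significant character so the
// browser renders the value literally. Hypothetical helper name.
function cleanplain($str) {
    $str = (string) $str;
    // Drop control characters and collapse whitespace; a title is one line.
    $str = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $str);
    $str = trim(preg_replace('/\s+/', ' ', $str));
    // ENT_QUOTES also encodes ' and " so the value is safe inside attributes.
    return htmlspecialchars($str, ENT_QUOTES);
}

// Constructed test inputs (not taken from any real submission).
$cases = array(
    // The payload seen in the wild: an iframe in the heading field. Caught.
    '<iframe src="http://example.org/"></iframe>My headline',
    // Unclosed, upper-case iframe: caught, the regexes use the i flag.
    '<IFRAME SRC="http://example.org/">',
    // Event handler that is not on the list: not caught.
    '<img src="x" onerror="alert(1)">',
    // strtr() makes a single pass: removing the inner "javascript:" rebuilds
    // the outer one, so the result is href="javascript:alert(1)".
    '<a href="javajavascript:script:alert(1)">x</a>',
    // strtr() is case-sensitive, unlike the regexes: not caught.
    '<a href="#" ONCLICK="alert(1)">x</a>',
);

foreach ($cases as $input) {
    $out = cleantext($input);
    // Anything that still looks like a tag, an event handler or a script URL
    // got through the blacklist.
    $verdict = preg_match('/<\w|javascript:|on\w+\s*=/i', $out) ? 'BYPASS' : 'ok';
    printf("%-7s cleantext : %s\n", $verdict, $out);
    printf("        cleanplain: %s\n\n", cleanplain($input));
}
```

Only the first two inputs come out of cleantext() clean; the other three print BYPASS, while cleanplain() renders all five inert. If cleanplain() is used for form_heading, form_author and form_organization in read_args() in place of cleantext(), check that the display templates do not call htmlspecialchars() a second time on those properties, or the stored entities will be double-encoded; encoding at output time rather than at input time avoids that problem altogether.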
Patch
File patch (dadaIMC_98_2_patches.tar.gz)
Timeline
2004-10-18 Exploit discovered on numerous dadaIMC sites
2004-10-19 Patch/workaround provided
Credit
Discovered through exploitation in the wild by anonymous attackers.
Report Bugs
dadaIMC uses the Mantis bug-tracking system for bug reporting. Please use it! And check for existing reports of your bug before submitting a new one.
CVS
The current CVS version of dadaIMC is now browseable online. Be forewarned, though, that it is not always in a usable state as-is!
