XSS example page

[LX-3]

Hello everyone !

I'm wondering if the behavior is normal on this example page :

http://examples.qcu.be/assets/_core/php/examples/basic_qform/xss.php.

I get many errors even if I put just "test" in the first textbox..
Regards,

Laurent

[LX-3]

QCubed Framework 2.2 Development Release (QCubed 2.2)
An Error Occurredclose
Error in PHP Script /assets/_core/php/examples/basic_qform/xss.php
Directory /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer not writable, please chmod to 777

Error Type: E_USER_WARNING

Source File: /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php Line: 179

Line 174: // need to give global permissions
Line 175: $chmod = $chmod | 0777;
Line 176: }
Line 177: trigger_error('Directory '.$dir.' not writable, '.
Line 178: 'please chmod to ' . decoct($chmod),
Line 179: E_USER_WARNING);
Line 180: } else {
Line 181: // generic error message
Line 182: trigger_error('Directory '.$dir.' not writable, '.
Line 183: 'please alter file permissions',
Line 184: E_USER_WARNING);

Call Stack:

#0 (): QcodoHandleError()
#1 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php(179): trigger_error()
#2 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php(135): HTMLPurifier_DefinitionCache_Serializer->_testPermissions()
#3 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php(54): HTMLPurifier_DefinitionCache_Serializer->_prepareDir()
#4 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator.php(57): HTMLPurifier_DefinitionCache_Serializer->cleanup()
#5 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php(37): HTMLPurifier_DefinitionCache_Decorator->cleanup()
#6 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/Config.php(403): HTMLPurifier_DefinitionCache_Decorator_Cleanup->get()
#7 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/Config.php(330): HTMLPurifier_Config->getDefinition()
#8 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/Generator.php(65): HTMLPurifier_Config->getHTMLDefinition()
#9 /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier.php(127): HTMLPurifier_Generator->__construct()
#10 /var/www/examples.qcu.be/htdocs/includes/qcubed/_core/base_controls/QTextBoxBase.class.php(137): HTMLPurifier->purify()
#11 /var/www/examples.qcu.be/htdocs/includes/qcubed/_core/base_controls/QFormBase.class.php(261): QTextBoxBase->ParsePostData()
#12 /var/www/examples.qcu.be/htdocs/assets/_core/php/examples/basic_qform/xss.php(145): QFormBase::Run()

Variable Dump: Show/Hide

COOKIE_ENV_FILES_GET_POSTarray (
'c1' => 'test',
'c4' => 'test',
'c7' => 'test',
'c10' => 'test',
'c13' => 'test',
'Qform__FormState' => '51653061ea222_1',
'Qform__FormId' => 'ExamplesForm',
'Qform__FormControl' => 'c15',
'Qform__FormEvent' => 'QClickEvent#a5',
'Qform__FormParameter' => '',
'Qform__FormCallType' => 'Ajax',
'Qform__FormUpdates' => '',
'Qform__FormCheckableControls' => '',
)REQUEST_SERVERarray (
'UNIQUE_ID' => 'UWUwe0gKJ2AAACSwcoIAAAAH',
'HTTP_HOST' => 'examples.qcu.be',
'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0',
'HTTP_ACCEPT' => '/',
'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5',
'CONTENT_TYPE' => 'application/x-www-form-urlencoded; charset=UTF-8',
'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
'CONTENT_LENGTH' => '254',
'HTTP_COOKIE' => 'SESSdbd0d8e32998e36b1ddea35cccda542a=jon0htk0g6qm2g7qbp782eqgn0; __utma=189883307.1592465276.1363969493.1365413573.1365511899.5; __utmz=189883307.1363969493.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=gpf43ad48jjvvb5p2jtj661fa2',
'HTTP_DNT' => '1',
'HTTP_PRAGMA' => 'no-cache',
'HTTP_CACHE_CONTROL' => 'no-cache, max-age=259200',
'HTTP_CONNECTION' => 'keep-alive',
'PATH' => '/usr/local/bin:/usr/bin:/bin',
'SERVER_SIGNATURE' => '

Apache/2.2.14 (Ubuntu) Server at examples.qcu.be Port 80
',
'SERVER_SOFTWARE' => 'Apache/2.2.14 (Ubuntu)',
'SERVER_NAME' => 'examples.qcu.be',
'SERVER_ADDR' => '72.10.39.96',
'SERVER_PORT' => '80',
'REMOTE_ADDR' => '88.191.228.204',
'DOCUMENT_ROOT' => '/var/www/examples.qcu.be/htdocs',
'SERVER_ADMIN' => '[no address given]',
'SCRIPT_FILENAME' => '/var/www/examples.qcu.be/htdocs/assets/_core/php/examples/basic_qform/xss.php',
'REMOTE_PORT' => '60083',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'SERVER_PROTOCOL' => 'HTTP/1.0',
'REQUEST_METHOD' => 'POST',
'QUERY_STRING' => '',
'REQUEST_URI' => '/assets/_core/php/examples/basic_qform/xss.php',
'SCRIPT_NAME' => '/assets/_core/php/examples/basic_qform/xss.php',
'PHP_SELF' => '/assets/_core/php/examples/basic_qform/xss.php',
'REQUEST_TIME' => 1365586043,
)configPath

Error Report Generated: Wednesday, April 10 2013, 2:27:24 AM
PHP Version: 5.3.2-1ubuntu4.18; Zend Engine Version: 2.3.0; QCubed Version: 2.2 Development Release (QCubed 2.2)
Application: Apache/2.2.14 (Ubuntu); Server Name: examples.qcu.be
HTTP User Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0

[LX-3]

I've seen an error on a ParsePostData function as well.
Hope this could help :/
Regards,

Laurent

[vaibhav-kaushal]

I am not getting the problem and things are working fine. Please check again.

[LX-3]

OK it seemed at first glance to work like a charm,
BUT, though I can't reproduce what happened and I dunno what was this exception in the first place, I've got another problem :

First - QCrossScripting::Deny isn't working for me with that injection :

<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);

> On chrome and on FF it pops up my cookie (alert), that's pretty fun because the <img src="javascript:alert(document.cookie);"> tag fire the right XSS violation Exception.

(<audio src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> and <video src="http://url.to.file.which/not.exist" onerror=alert("xss");> work as well)

I think that the onError event isn't handled properly..

Second - on chrome only QCrossScripting::Deny does not block this tag :

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">

Hope this help
Regards,

Laurent

[LX-3]

Plus, it's also possible to post an entire form through this control, I put this :

</span><form method="POST" action="#" name="upload" class="form-horizontal well" id="myForm"><input type="file" name="myfile"><input type="button" value="test"></form><span>

and checked through firebug and action + method attribute are set. I'm wondering if this is normal behavior ?
Regards,

Laurent

[vaibhav-kaushal]

@LX-3 Thanks for pointing them out. I will try to get this done as soon as possible. Yes, those two cases are not handled properly due to the built-in method QCubed uses for CrossScripting filters in Deny mode.

Regards

[olegabr]

@LX-3 it was me who did the chmod 777 for /var/www/examples.qcu.be/htdocs/includes/external_libraries/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer
I've not seen your report, just re-found the same error myself.

[olegabr]

@LX-3 that is why (your reports) it is recommended to use an industry-standard solutions like htmlpurifier. use QCrossScripting::HTMLPurifier to be secure with qcubed.

[scottux]

Is this an issue we should file under framework for QCrossScripting? There doesn't seem to be anything wrong with the examples site itself.