Remote cross-site scripting (XSS) attack vulnerability in FirstLastNames 1.3.2 Plugin Fixed?
In my search for a possible GitHub repository for the FirstLastNames plugin I turned up instead a page of search results almost all about a vulnerability in the plugin that was identified a month after its latest release (date of the finding May 2012; last update for the plugin April 2012). I found it best described here: http://50.97.85.250-static.reverse.softlayer.com/show/osvdb/82081
It is old, but I couldn't find anything in Vanilla forums addressing this possible vulnerability, so I thought I would double check and make sure it is known, and is no longer a problem.
This page http://www.farlight.org/index.html?author=Henry---Hoggard seemed to give a way to test the vulnerability.
QUOTE FROM POST ON http://www.farlight.org/index.html?author=Henry---Hoggard
# Title: Vanilla FirstLastNames 1.3.2 Plugin Persistent XSS Vulnerability
# Date: 18/5/12
# Author: Henry Hoggard
# Author URL: henryhoggard.co.uk
# Author Twitter: @henryhoggard
# Software: Vanilla Version 2.0.18.4 + FirstLastNames 1.3.2 http://vanillaforums.org/addon/firstlastnames-plugin
# http://vanillaforums.org
#############################################################
On Edit your account enter your XSS String in either the first name or last name field. Then if a user visits your page the XSS will execute.
http://target.tld/index.php?p=/profile/myprofile/1/user
XSS: <script>alert('x')</script>
#############################################################
http://henryhoggard.co.uk
Comments
title of discussion should be NOT fixed.
it may not be known until you mentioned it. good find.
and yes I can confirm, it is still vulnerable in version 1.3.2
Not an answer to your question, but there is a plugin called Profile Extender, where you could add whatever field you want to the profile, in lieu of this plugin until it is fixed.
apparently first and last name needs some validation.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Snap, will see if I can get this fixed. I assumed that by using Vanilla's built-in form functions it would handle common validation scenarios.
You are pulling directly from the database and outputting it; you can't assume it would sanitize on the client side, it is not psychic.
Use Gdn_Format::Text(); grep is your friend.
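Added example, not code from the FirstLastNames plugin, from Vanilla, or from any poster in this thread: a minimal PHP rendering of a profile name field the way the thread describes the defect, the raw database value echoed straight into markup beside the same value passed through an HTML-escaping call standing in for Gdn_Format::Text(). The escapeText helper, the containsRawTag check and the constructed $profileRow are assumptions made for the example; the htmlspecialchars call with ENT_QUOTES is what makes a stored string display as literal text instead of being parsed as an element.

```php
<?php
// Added example; not the plugin's or Vanilla's own code.
// It models the defect discussed in the thread: a profile field value read
// from the database and echoed into HTML unescaped, beside the escaped
// rendering the thread recommends (Gdn_Format::Text() inside Vanilla).

// Constructed sample of a stored profile row after a user saved the thread's
// test string into the "first name" field.
$profileRow = [
    'FirstName' => "<script>alert('x')</script>",
    'LastName'  => 'Smith',
];

// Vulnerable rendering: the raw value goes straight into the markup, so the
// stored string is parsed as a <script> element by every visitor's browser.
function renderNameUnsafe(array $row): string {
    return '<span class="Name">' . $row['FirstName'] . ' ' . $row['LastName'] . '</span>';
}

// Hardened rendering. Inside Vanilla the call would be Gdn_Format::Text($value);
// outside Vanilla this stand-in (an assumption about what matters in that
// function for this bug) HTML-escapes the value, quotes included, so it can
// only ever be displayed as text.
function escapeText(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function renderNameSafe(array $row): string {
    return '<span class="Name">' . escapeText($row['FirstName']) . ' '
        . escapeText($row['LastName']) . '</span>';
}

// Simple check a reviewer can run over a rendered fragment: if a stored value
// containing '<' appears verbatim in the output, user data reached the page
// unescaped and can introduce element or attribute boundaries.
function containsRawTag(string $html, array $row): bool {
    foreach ($row as $value) {
        if (strpos($value, '<') !== false && strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

$unsafe = renderNameUnsafe($profileRow);
$safe   = renderNameSafe($profileRow);

echo "Unsafe:  " . $unsafe . PHP_EOL;
echo "Escaped: " . $safe . PHP_EOL;
echo "Raw tag in unsafe output:  " . var_export(containsRawTag($unsafe, $profileRow), true) . PHP_EOL;
echo "Raw tag in escaped output: " . var_export(containsRawTag($safe, $profileRow), true) . PHP_EOL;
```

The escaping belongs at the point of output, in the plugin's view or template, because the database stores whatever the user typed and the browser has no way to tell stored text from markup once it is concatenated into the page; the containsRawTag check is a cheap way to grep rendered fragments for exactly that mistake.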