ExpressionEngine Reflected XSS Vulnerability

ExpressionEngine Reflected XSS Vulnerability

Today I decided do analyze on ExpressionEngine which is one of the most popular PHP framework. I’ve download latest version of ExpressionEngine from Ellislab webpage and start my analyze.

During my analysis I came across following file.

system/expressionengine/libraries/Redirect.php

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/**
 * ExpressionEngine - by EllisLab
 *
 * @package		ExpressionEngine
 * @author		EllisLab Dev Team
 * @copyright	Copyright (c) 2003 - 2014, EllisLab, Inc.
 * @license		http://ellislab.com/expressionengine/user-guide/license.html
 * @link		http://ellislab.com
 * @since		Version 2.0
 * @filesource
 */

// ------------------------------------------------------------------------

/**
 * URL Redirect
 *
 * @package		ExpressionEngine
 * @subpackage	Core
 * @category	Core
 * @author		EllisLab Dev Team
 * @link		http://ellislab.com
 */
if ( ! isset($_GET['URL']))
{
	exit();
}

$_GET['URL'] = str_replace(array("\r", "\r\n", "\n", '%3A','%3a','%2F','%2f'), array('', '', '', ':', ':', '/', '/'), $_GET['URL']);

if (strncmp($_GET['URL'], 'http', 4) != 0 && strpos($_GET['URL'], '://') === FALSE && substr($_GET['URL'], 0, 1) != '/')
{
	$_GET['URL'] = "http://".$_GET['URL'];
}

$_GET['URL'] = str_replace( array('"', "'", ')', '(', ';', '}', '{', 'script%', 'script&', '&#40', '&#41'), '', strip_tags($_GET['URL']));

$host = ( ! isset($_SERVER['HTTP_HOST'])) ? '' : (substr($_SERVER['HTTP_HOST'],0,4) == 'www.' ? substr($_SERVER['HTTP_HOST'], 4) : $_SERVER['HTTP_HOST']);

$force_redirect = ($request_type != 'CP' && config_item('force_redirect') == TRUE) ? TRUE: FALSE;

if ($force_redirect == TRUE OR ( ! isset($_SERVER['HTTP_REFERER']) OR ! stristr($_SERVER['HTTP_REFERER'], $host)))
{
	// Possibly not from our site, so we give the user the option
	// Of clicking the link or not

	$str = "<html>\n<head>\n<meta http-equiv='Content-Type' content='text/html; charset=utf-8'/>\n<title>Redirect</title>\n</head>\n<body>".
			"<p>To proceed to the URL you have requested, click the link below:</p>".
			"<p><a rel=\"nofollow\" href='".$_GET['URL']."'>".$_GET['URL']."</a></p>\n</body>\n</html>";
}
else
{
	$str = "<html>\n<head>\n<meta http-equiv='Content-Type' content='text/html; charset=utf-8'/>\n<title>Redirect</title>\n".
		   '<meta http-equiv="refresh" content="0; URL='.$_GET['URL'].'">'.
		   "\n</head>\n<body>\n</body>\n</html>";
}

exit($str);


/* End of file Redirect.php */
/* Location: ./system/expressionengine/libraries/Redirect.php */

 

As you can see, developers of EE decided to create page in order to notify users about redirection. If you look codes of Redirect.php file you will see that developers already know possible security issues and tried to strip out some characters like quotes etc.

I’ve spend a several minutes in order to bypass str_replace and manage to reach html but I’ve failed. I knew there is a possible way to bypass so I decided to set up test-bed ( http://lab.mehmetince.net/h4ckm3/xss-3/ ) and send them to other security researchers.After few minutes Ashar Javed (thank you for spending your time for that) managed to bypass it! The way of Ashar’s bypass is just brilliant! Solution is Double URL Encode which is tried by me before, now I see my mistake by the way.

Open following url and click on link which will appear end of the page.

http://lab.mehmetince.net/h4ckm3/xss-3/?URL=javascript://www.xss.com?xss=%250aalert%2528/XSS/%2529

Rafay Baloch managed to bypass it too. Thank you for being participant.

http://lab.mehmetince.net/h4ckm3/xss-3/index.php?URL=%3C%20img%20src=x%20onerror=document.body.innerHTML=location.hash%3E#%22%3E%3Cimg%20src=x%20onerror=prompt%281%29%3E

 

EE XSS

Please take a look Ashar Javed ‘s XSS levels you will learn a lot of stuff about XSS.

FIX

Vulnerability has been patched EE 2.9.0 release.

http://ellislab.com/expressionengine/user-guide/about/changelog.html#version-2-9-0