ExpressionEngine Reflected XSS Vulnerability

Today I decided to analyze ExpressionEngine, one of the most popular PHP frameworks. I downloaded the latest version of ExpressionEngine from the Ellislab website and started my analysis.

During my analysis I came across the following file.

system/expressionengine/libraries/Redirect.php


As you can see, the EE developers decided to create a page that notifies users about a redirection. If you look at the code of Redirect.php you will see that the developers were already aware of the possible security issues and tried to strip out some characters, such as quotes, with str_replace.

I spent several minutes trying to bypass the str_replace and reach the HTML, but I failed. I knew there had to be a way to bypass it, so I set up a test bed ( http://lab.mehmetince.net/h4ckm3/xss-3/ ) and sent it to other security researchers. After a few minutes Ashar Javed (thank you for spending your time on it) managed to bypass it! Ashar's bypass is simply brilliant: the solution is double URL encoding, which I had tried before, and now I see my mistake.

Open the following URL and click the link that appears at the end of the page.

Rafay Baloch managed to bypass it too. Thank you for participating.


EE XSS

Please take a look at Ashar Javed's XSS levels; you will learn a lot about XSS.
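The root cause described above is a character blacklist (str_replace on quotes) applied before the value is decoded again, so a double-URL-encoded quote survives the filter and is only turned back into a real quote afterwards. The following is an added example, not ExpressionEngine's own Redirect.php; it models that filter-then-decode ordering as an assumption and shows the fix a reviewer would ask for: HTML-encode the value at the output boundary with htmlspecialchars and ENT_QUOTES, and validate the URL scheme.

```php
<?php
// Added example (not EE code). Assumption: the notice page prints the target URL
// both inside an href attribute and as link text, and a second URL-decode
// happens after the blacklist filter runs.

// Weak pattern: blacklist first, decode later. The blacklist never sees the
// quote because it is still "%22" when str_replace runs.
function render_notice_weak(string $param): string {
    $cleaned = str_replace(['"', "'"], '', $param);  // blacklist on encoded value
    $url = rawurldecode($cleaned);                    // assumed later decode step
    return '<a href="' . $url . '">' . $url . '</a>';
}

// Hardened pattern: decode the same number of times, reject non-http(s)
// targets, then encode for the HTML context at the point of output.
function render_notice_safe(string $param): string {
    $url = rawurldecode($param);
    $parts = parse_url($url);
    $scheme = is_array($parts) ? ($parts['scheme'] ?? '') : '';
    if (!in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '<p>Invalid redirect target.</p>';
    }
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Quick self-check used below: does the rendered attribute still contain a raw
// quote or angle bracket? (Encoded forms like &quot; are fine.)
function leaks_markup_chars(string $html): bool {
    return (bool) preg_match('/href="[^"]*["\'<>]/', $html) || strpos($html, '">') !== false;
}

// Constructed input: the value PHP hands the script after its own single decode
// of a double-encoded query string (%2522%253E became %22%3E).
$input = 'http://example.com/?x=%22%3E';

$weak = render_notice_weak($input);
$safe = render_notice_safe($input);

echo $weak, "\n";   // raw " and > reach the markup: attribute context is broken
echo $safe, "\n";   // printed as &quot; and &gt;: stays inert text
echo 'weak leaks: ', leaks_markup_chars($weak) ? 'yes' : 'no', "\n";
echo 'safe leaks: ', leaks_markup_chars($safe) ? 'yes' : 'no', "\n";
```

The check function is only a smoke test for this example; the real defence is the encode-at-output step, which holds regardless of how many decoding layers precede it.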

FIX

The vulnerability was patched in the EE 2.9.0 release.

http://ellislab.com/expressionengine/user-guide/about/changelog.html#version-2-9-0