Critical Security hole

Kesstryl

Member
Member
Joined
Feb 22, 2012
Messages
212
Points
28
Mysidian Dollar
11,770
It was found by one of our other members on our Discord page that sending messages allows raw, unfiltered user input, and if you switch to HTML mode in the editor, you can input HTML tags, which creates a whole host of security issues. A quick fix for this is to open controller/main/messagescontroller and change anything that uses rawPost() to post(). rawPost is a function that allows unfiltered user input, and why this is an intentionally created feature, I have no clue, except that it might have been created for an output filtering that it is currently not using. With all the new and ever-increasing security challenges on the web, this really needs to be thought through, and I suggest removing it altogether. Users can also add HTML Purifier to model/domainmodel/privatemessage and edit the constructor like this, and hopefully it will cover everything, though I haven't tested it using rawPost(), so I'm not sure if it actually works. I'm only using post() and I removed rawPost from my site, so if anyone else wants to test this before changing their post functions in the controller, I'd love to hear the results.


Code:
    public function __construct($mid = 0, $folder = "inbox", $dto = NULL, $notifier = FALSE, $htmlPurifier = TRUE){
        $mysidia = Registry::get("mysidia");
        // Instantiate HTML Purifier so the message body can be sanitised; the library must be loaded before this runs
        if($htmlPurifier) $this->htmlPurifier = new HTMLPurifier;
        if($mid == 0){
            // This is a new private message that does not yet exist in the database
            $this->mid = $mid;
            $this->fromuser = $mysidia->user->getID();
            $this->folder = ($folder == "inbox") ? $this->folder : $folder;
            return;
        }
        elseif(!$dto){
            // The private message is not being composed, so fetch its row from the database
            $table = ($folder == "inbox") ? "messages" : "folders_messages";
            $dto = $mysidia->db->select($table, [], "mid = :mid", ["mid" => $mid])->fetchObject();
            if(!is_object($dto)) throw new MessageNotfoundException("The message does not exist in database.");
        }
        parent::__construct($dto);
        if($notifier == TRUE) $this->getNotifier();
    }
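The constructor above only creates the purifier object; something still has to run the submitted body through it. As an added example that is not Mysidia code and not from this thread, here is one way to sanitise a message body with HTML Purifier before it is stored, assuming the library is installed via Composer (ezyang/htmlpurifier); purifyMessageBody() and containsActiveContent() are hypothetical helper names.

```php
<?php
// Added example (not Mysidia code): sanitise a private-message body with HTML Purifier
// before storage, instead of storing whatever rawPost() returns.
// Assumes HTML Purifier is installed via Composer (ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

function purifyMessageBody(string $rawBody): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist only the formatting a message needs. Elements not listed here
    // (<form>, <input>, <script>, <iframe>, ...) and attributes not listed
    // (onerror, onclick, style, ...) are removed rather than escaped.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,u,ul,ol,li,blockquote,a[href],img[src|alt]');
    // Only http/https URLs survive in href/src; javascript: and data: URIs are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Keep the demo self-contained: no serializer cache directory is required.
    $config->set('Cache.DefinitionImpl', null);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($rawBody);
}

// Defence-in-depth check on the purified output, so a misconfigured whitelist
// fails loudly instead of silently letting active content into the database.
function containsActiveContent(string $html): bool
{
    $pattern = '/<(script|form|input|iframe|object|embed)\b|\son\w+\s*=|javascript:/i';
    return (bool) preg_match($pattern, $html);
}

// Constructed sample of the kind of markup the editor's HTML mode could submit.
$sample = '<p>Hello</p>'
    . '<form action="https://phish.invalid/login"><input name="password"></form>'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(1)">link</a>'
    . '<img src="https://img.invalid/x.png" onerror="alert(1)">'
    . '<b>bold</b>';

$clean = purifyMessageBody($sample);
if (containsActiveContent($clean)) {
    throw new RuntimeException('Purifier configuration is not strict enough');
}
// Formatting tags survive; the form, script, event handler and javascript: URI do not.
echo $clean, PHP_EOL;
```

Purifying on input protects the database, but the same purifier (or at least htmlspecialchars()) should still be applied where the message is rendered, since older rows stored through rawPost() are not cleaned retroactively.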
 
I believe that we do filter out certain dangerous html tags such as <script> so it is not possible to inject malicious JavaScript code. Can you test it and see if it does this correctly or not?
 
According to the Discord discussion, people could create forms and submit them with the way it was currently set up when you go into HTML mode in CKEditor. That needs to be disabled or use stronger filtering.
 
I have the default files for this area (I believe, nothing I've added from add-ons has touched messages)

controller/main/messagescontroller
I'm not seeing any rawPost in there, only just Post

model/domainmodel/privatemessage
I did find 2 in here and changed them

Not sure if it's anywhere else, but this is a concerning issue I'd like to patch out ASAP before it IS an issue, you know?
 
