EllisLab ExpressionEngine 2.2.2 and CodeIgniter 2.0.3 were found vulnerable to various XSS attacks when relying on the XSS protection provided by the xss_clean filter. When exploited by an external or internal attacker, the identified vulnerabilities could lead to session information disclosure, forced installation of a malicious file or Trojan on users' PCs, etc.
Due to implementation flaws affecting the _remove_evil_attributes and xss_clean functions of the CI_Security class, the internal XSS filter can be bypassed, allowing successful XSS attacks on products using either ExpressionEngine 2.2.2 or CodeIgniter 2.0.3.
The _remove_evil_attributes function of the CI_Security class detects and removes 'evil' on* event attributes (e.g. onmouseover, onfocus, etc.) from any HTML tag submitted as a parameter of a GET or POST request. By exploiting an implementation flaw identified in _remove_evil_attributes, an attacker can inject XSS payloads relying on such 'evil' on* attributes, as shown below:
XSS injected payload: <a href="#"onclick="alert(1)">" onclick="">
xss_clean 'filtered' output: <a href="#>" onclick="">
The xss_clean function also replaces any detected ( and ) characters with the corresponding HTML entities (&#40; and &#41; respectively). The whole idea is to render harmless any code using such characters. As stated by the developers, something like eval('some code') becomes eval&#40;'some code'&#41;, and such rewritten code is harmless.
When the flaws affecting both the _remove_evil_attributes and xss_clean functions are exploited together, common XSS attack payloads can be injected and executed, as shown below:
XSS injected payload: <a href="#"onclick="alert(1)">" onclick="alert(2)">aa</a>
xss_clean 'filtered' output: <a href="#>" onclick="alert(2)">aa</a>
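A practical regression check for a filter like this is to parse its output the way a browser would and fail whenever an on* attribute is still present, instead of inspecting the string by eye. The following Python script is an added example, not code from the advisory or from CodeIgniter; it uses the standard-library html.parser and runs over the two 'filtered' outputs quoted above, re-typed with plain ASCII quotes as constructed test vectors. Both are reported as failures because the tokenizer, like a browser, closes the href value at the first double quote and then reads onclick as a separate attribute, which is exactly what the filter's own output above lets through.

```python
"""Regression check for an XSS filter's output: does any on* event-handler
attribute survive?  A browser-like tokenizer is used instead of string
matching so that mismatched quotes cannot hide an attribute from the check.

Added example, not code from the advisory or from CodeIgniter.  The sample
strings are the 'filtered' outputs quoted in the advisory, re-typed here with
plain ASCII quotes (constructed test vectors).
"""
from html.parser import HTMLParser


class EventHandlerFinder(HTMLParser):
    """Collect every attribute whose name starts with 'on', per start tag."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        self._check(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        # Self-closing tags (<img ... />) carry attributes too.
        self._check(tag, attrs)

    def _check(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.found.append((tag, name.lower(), value or ""))


def find_event_handlers(markup):
    """Return [(tag, attr, value), ...] for every on* attribute in markup."""
    finder = EventHandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.found


def filter_output_is_clean(markup):
    """True if no on* attribute survives in the filter's output."""
    return not find_event_handlers(markup)


# Constructed test vectors: the xss_clean outputs quoted in the advisory.
FILTERED_OUTPUTS = {
    "evil-attribute bypass": '<a href="#>" onclick="">',
    "combined bypass": '<a href="#>" onclick="alert(2)">aa</a>',
}


def audit(outputs=FILTERED_OUTPUTS):
    """Map each labelled filter output to the handlers that survived it."""
    return {label: find_event_handlers(html) for label, html in outputs.items()}


if __name__ == "__main__":
    for label, handlers in audit().items():
        verdict = "CLEAN" if not handlers else "FAIL"
        print(f"{verdict:5} {label}: {handlers}")
```

To use this against a real filter, feed the filter's output (not its input) to find_event_handlers in a unit test and assert an empty list; the check is deliberately independent of how the filter itself is implemented.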
EllisLab ExpressionEngine 2.2.2
EllisLab CodeIgniter 2.0.3
Vendor recommends upgrading to ExpressionEngine 2.3.0 or later, or to CodeIgniter 2.1.0 or later, respectively.
2011, September 08: Vulnerabilities discovered and documented
2011, September 08: Notification sent to EllisLab
2011, September 08: Vulnerabilities confirmed by EllisLab
2011, October 11: EllisLab released ExpressionEngine 2.3.0
2011, November 14: EllisLab released CodeIgniter 2.1.0
2011, November 28: MVSA-11-013 advisory published.