#6134: Paginator helper has XSS problem
---------------------------+------------------------------------------------
    Reporter:  ichikaway   |          Type:  Bug    
      Status:  new         |      Priority:  High   
   Milestone:  1.2.x.x     |     Component:  Helpers
     Version:  1.2 Final   |      Severity:  Major  
    Keywords:              |   Php_version:  n/a    
Cake_version:  1.2.1.8004  |  
---------------------------+------------------------------------------------
 I found an XSS problem in the Paginator
 helper (cake/libs/view/helpers/paginator.php).

 [[BR]]
 == What happens ==
 This problem occurs when using the sort, next, prev and counter methods of the
 Paginator helper as follows.[[BR]]

 {{{
 <div>
 <p>
 <?php
 echo $paginator->counter(array(
     'format' => __('Page %page% of %pages%, showing %current% records out of %count% total, starting on record %start%, ending on %end%', true)
 ));
 ?></p>
 <table cellpadding="0" cellspacing="0">
 <tr>
     <th><?php echo $paginator->sort('id');?></th>
     <th><?php echo $paginator->sort('test');?></th>
     <th><?php echo $paginator->sort('created');?></th>
     <th><?php echo $paginator->sort('modified');?></th>
 </tr>
 <?php
 $i = 0;
 foreach ($posts as $post):
     $class = null;
     if ($i++ % 2 == 0) {
         $class = ' class="altrow"';
     }
 ?>
     <tr<?php echo $class;?>>
         <td>
             <?php echo $post['Post']['id']; ?>
         </td>
         <td>
             <?php echo $post['Post']['test']; ?>
         </td>
         <td>
             <?php echo $post['Post']['created']; ?>
         </td>
         <td>
             <?php echo $post['Post']['modified']; ?>
         </td>
     </tr>
 <?php endforeach; ?>
 </table>
 </div>
 <div class="paging">
     <?php echo $paginator->prev('<< '.__('previous', true), array(), null, array('class'=>'disabled'));?>
  |  <?php echo $paginator->numbers();?>
     <?php echo $paginator->next(__('next', true).' >>', array(), null, array('class'=>'disabled'));?>
 </div>
 }}}

 [[BR]]
 There are 2 problems.
 [[BR]]
 1.[[BR]]
 Access the URL below, then click a sort link (for example, the test column
 sort link).[[BR]]
 
http://localhost/posts/index/page:1%22%20onclick=%22alert(%27XSS%27)%22%20%3E%3C/a%3E
 [[BR]]
 You will see a JavaScript alert message ("XSS").[[BR]]
 [[BR]]
 2.[[BR]]
 Access the URL below, then you can see that the $paginator->counter output (for
 example "Page 1< of 2, showing 2 records out of 3 total, starting on
 record 1, ending on 2") contains a link HTML tag.
 [[BR]]
 
http://localhost/posts/index/page:1%3Ca%20href=%22%22%20onclick=%22alert(%27XSS%27)%22%20%3E%3C/a%3E
 [[BR]]
 Click the link in the $paginator->counter output and you will see a
 JavaScript alert message ("XSS").[[BR]]
 [[BR]]

 [[BR]]
 == Why it didn't meet my expectations ==
 The [page] query value accepts any characters.

 [[BR]]
 == Possible fix ==
 The [page] query value should accept only numeric values.[[BR]]
 Append the following after line 80 in the params function of the Paginator helper:
 [[BR]]
 {{{
 if (!is_numeric($this->params['paging'][$model]['page'])) {
     $this->params['paging'][$model]['page'] = 1;
 }
 if (!is_numeric($this->params['paging'][$model]['options']['page'])) {
     $this->params['paging'][$model]['options']['page'] = 1;
 }
 }}}

 [[BR]]


 == Provisional patch ==

 {{{
 class AppController extends Controller {

     // Reset any non-numeric page value before the view (and the Paginator
     // helper) gets to see it.
     function beforeRender() {
         if (isset($this->params['paging'])) {
             foreach ($this->params['paging'] as $modelname => $value) {
                 if (!empty($this->params['paging'][$modelname]['page']) &&
                     !is_numeric($this->params['paging'][$modelname]['page'])) {
                     $this->params['paging'][$modelname]['page'] = 1;
                 }
                 if (!empty($this->params['paging'][$modelname]['options']['page']) &&
                     !is_numeric($this->params['paging'][$modelname]['options']['page'])) {
                     $this->params['paging'][$modelname]['options']['page'] = 1;
                 }
             }
         }
         parent::beforeRender();
     }
 }
 }}}

-- 
Ticket URL: <https://trac.cakephp.org/ticket/6134>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
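An added stand-alone reproduction of the problem the ticket describes and of the fix it proposes. This is not the reporter's code and not CakePHP's own Router or PaginatorHelper: namedParam() and the link and counter builders are simplified stand-ins for what the framework does with a "page:value" path segment. The vulnerable builders interpolate the raw page value into an href attribute and into text, exactly the two spots the ticket's URLs hit; the fixed builders first coerce the page to a positive integer (a digits-only check rather than is_numeric(), which also accepts values such as "1e3", ".5" and leading whitespace) and then escape every other dynamic value for its HTML context, which is the part that protects the output even when a future parameter is not numeric.

```php
<?php
// Added example, not the reporter's code and not CakePHP's PaginatorHelper:
// a stand-alone reproduction of the "page" named-parameter injection and of
// the coerce-then-escape fix. namedParam() and the link builders are
// simplified stand-ins (assumptions) for Router and PaginatorHelper.

// Constructed inputs: the URL-decoded path of the ticket's two test URLs.
const PATH_SORT_XSS    = '/posts/index/page:1" onclick="alert(\'XSS\')" ></a>';
const PATH_COUNTER_XSS = '/posts/index/page:1<a href="" onclick="alert(\'XSS\')" ></a>';

// Pull the "name:value" segment out of a Cake 1.2 style path. Segments are
// split on "/", so the trailing "/a>" of the payload is dropped, as it would
// be by the real router; the quote and the "<" still get through.
function namedParam(string $path, string $name): ?string
{
    $prefix = $name . ':';
    foreach (explode('/', $path) as $segment) {
        if (strncmp($segment, $prefix, strlen($prefix)) === 0) {
            return substr($segment, strlen($prefix));
        }
    }
    return null;
}

// Vulnerable shape: the raw page value is dropped into an href attribute and
// into the counter text without validation or escaping, so a quote breaks
// out of the attribute and a "<" opens a new tag.
function vulnerableSortLink(string $page, string $field): string
{
    return '<a href="/posts/index/page:' . $page . '/sort:' . $field
        . '/direction:asc">' . $field . '</a>';
}

function vulnerableCounter(string $page, int $pages): string
{
    return 'Page ' . $page . ' of ' . $pages;
}

// Fix 1, the ticket's idea made strict: the page must be a positive base-10
// integer. A digits-only pattern is used rather than is_numeric(), which also
// accepts forms such as "1e3", ".5" and leading whitespace.
function safePage(?string $raw): int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return 1;
    }
    return (int) $raw;
}

// Fix 2, needed regardless of validation: every dynamic value that reaches
// HTML is escaped for its context (attribute value and element text here).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function safeSortLink(?string $rawPage, string $field): string
{
    $page = safePage($rawPage);
    return '<a href="/posts/index/page:' . $page . '/sort:' . h($field)
        . '/direction:asc">' . h($field) . '</a>';
}

function safeCounter(?string $rawPage, int $pages): string
{
    return 'Page ' . safePage($rawPage) . ' of ' . $pages;
}

// True when the raw page value appears verbatim in the output, i.e. the
// quote or angle bracket it carries reached the browser unchanged.
function stillInjected(string $html, string $rawPage): bool
{
    return strpos($html, $rawPage) !== false;
}

$sortPage    = namedParam(PATH_SORT_XSS, 'page');
$counterPage = namedParam(PATH_COUNTER_XSS, 'page');

$cases = [
    ['sort link, vulnerable', vulnerableSortLink($sortPage, 'test'), $sortPage],
    ['sort link, fixed',      safeSortLink($sortPage, 'test'),       $sortPage],
    ['counter, vulnerable',   vulnerableCounter($counterPage, 2),    $counterPage],
    ['counter, fixed',        safeCounter($counterPage, 2),          $counterPage],
];
foreach ($cases as [$label, $html, $raw]) {
    printf("%-22s injected=%-3s %s\n", $label, stillInjected($html, $raw) ? 'yes' : 'no', $html);
}
```

Run it with `php` on the command line. The two "vulnerable" rows reproduce the ticket: the sort link ends up with the injected onclick attribute inside the opening a tag, and the counter text contains a complete injected link. The two "fixed" rows carry only page 1. The numeric check alone already closes both reports from the ticket, but the escaping in safeSortLink() is what keeps the helper safe for values such as the sort field name, which the numeric fix does not cover.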