#6134: Paginator helper has XSS problem
---------------------------+------------------------------------------------
Reporter: ichikaway | Type: Bug
Status: new | Priority: High
Milestone: 1.2.x.x | Component: Helpers
Version: 1.2 Final | Severity: Major
Keywords: | Php_version: n/a
Cake_version: 1.2.1.8004 |
---------------------------+------------------------------------------------
I found an XSS problem in the Paginator helper
(cake/libs/view/helpers/paginator.php).
[[BR]]
== What happens ==
This problem occurs when using the sort, next, prev and counter methods of the
Paginator helper, as in the following view.[[BR]]
{{{
<div class="posts index">
<p>
<?php
// Counter output: %page% is filled from the page parameter of the request
echo $paginator->counter(array(
    'format' => __('Page %page% of %pages%, showing %current% records out of %count% total, starting on record %start%, ending on %end%', true)
));
?></p>
<table cellpadding="0" cellspacing="0">
<tr>
    <!-- Column header sort links: their href carries the current page parameter -->
    <th><?php echo $paginator->sort('id');?></th>
    <th><?php echo $paginator->sort('test');?></th>
    <th><?php echo $paginator->sort('created');?></th>
    <th><?php echo $paginator->sort('modified');?></th>
</tr>
<?php
$i = 0;
foreach ($posts as $post):
    $class = null;
    if ($i++ % 2 == 0) {
        $class = ' class="altrow"';
    }
?>
<tr<?php echo $class;?>>
    <td><?php echo $post['Post']['id']; ?></td>
    <td><?php echo $post['Post']['test']; ?></td>
    <td><?php echo $post['Post']['created']; ?></td>
    <td><?php echo $post['Post']['modified']; ?></td>
</tr>
<?php endforeach; ?>
</table>
</div>
<div class="paging">
<?php echo $paginator->prev('<< '.__('previous', true), array(), null, array('class'=>'disabled'));?>
 | <?php echo $paginator->numbers();?>
<?php echo $paginator->next(__('next', true).' >>', array(), null, array('class'=>'disabled'));?>
</div>
}}}
[[BR]]
There are 2 problems.
[[BR]]
1.[[BR]]
Access the URL below, then click one of the sort links (for example the test
column sort link).[[BR]]
http://localhost/posts/index/page:1%22%20onclick=%22alert(%27XSS%27)%22%20%3E%3C/a%3E
[[BR]]
You will see a JavaScript alert message ("XSS").[[BR]]
[[BR]]
2.[[BR]]
Access the URL below; the $paginator->counter output (for example "Page 1< of 2,
showing 2 records out of 3 total, starting on record 1, ending on 2") then
contains a link HTML tag.
[[BR]]
http://localhost/posts/index/page:1%3Ca%20href=%22%22%20onclick=%22alert(%27XSS%27)%22%20%3E%3C/a%3E
[[BR]]
Click that link in the $paginator->counter output and you will see a JavaScript
alert message ("XSS").[[BR]]
[[BR]]
[[BR]]
[[BR]]
== Why it didn't meet my expectations ==
The [page] query value accepts any characters.
[[BR]]
== Possible fix ==
The [page] query value should accept only numeric values.[[BR]]
Append the following after line 80 in the params function of the Paginator helper:
[[BR]]
{{{
// Reset a non-numeric page value to 1 before it is used to build links and text
if (!is_numeric($this->params['paging'][$model]['page'])) {
    $this->params['paging'][$model]['page'] = 1;
}
if (!is_numeric($this->params['paging'][$model]['options']['page'])) {
    $this->params['paging'][$model]['options']['page'] = 1;
}
}}}
[[BR]]
== Provisional patch ==
{{{
class AppController extends Controller {
    function beforeRender() {
        // Reset any non-numeric page value to 1 before the view and the
        // Paginator helper see it
        if (isset($this->params['paging'])) {
            foreach ($this->params['paging'] as $modelname => $value) {
                if (!empty($this->params['paging'][$modelname]['page']) &&
                    !is_numeric($this->params['paging'][$modelname]['page'])) {
                    $this->params['paging'][$modelname]['page'] = 1;
                }
                if (!empty($this->params['paging'][$modelname]['options']['page']) &&
                    !is_numeric($this->params['paging'][$modelname]['options']['page'])) {
                    $this->params['paging'][$modelname]['options']['page'] = 1;
                }
            }
        }
        parent::beforeRender();
    }
}
}}}
--
Ticket URL: <https://trac.cakephp.org/ticket/6134>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
Cake is a rapid development framework for PHP which uses commonly known design
patterns like ActiveRecord, Association Data Mapping, Front Controller and MVC.
Our primary goal is to provide a structured framework that enables PHP users at
all levels to rapidly develop robust web applications, without any loss to
flexibility.
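The stand-alone PHP script below is an added example; it is not code from the ticket or from CakePHP. With hypothetical stand-in functions (vulnerableSortLink, vulnerableCounter) it mimics how an unvalidated page value ends up inside a sort link href and inside the counter text, feeds them the two URL-decoded payloads from the ticket (constructed here as test data), and shows a stricter check than the is_numeric() test proposed in the ticket: ctype_digit() on the string form, which rejects values such as "1e3", " 1", "1.5" and (in PHP 5) "0x1A" that is_numeric() accepts, combined with htmlspecialchars() on anything that is still a string when it reaches the markup.

```php
<?php
// Added example, not CakePHP's own code. Stand-in functions reproduce the
// shape of the ticket's problem; safePage() is the stricter check proposed here.

// Constructed inputs: the URL-decoded page values from the two ticket URLs,
// plus a legitimate value.
$pageValues = array(
    'sort payload'    => '1" onclick="alert(\'XSS\')" ></a>',
    'counter payload' => '1<a href="" onclick="alert(\'XSS\')" ></a>',
    'legitimate'      => '2',
);

// Stand-in for the vulnerable behaviour: the page value is concatenated
// into the sort link href and into the counter text unmodified.
function vulnerableSortLink($page, $column) {
    return '<a href="/posts/index/page:' . $page . '/sort:' . $column
        . '/direction:asc">' . $column . '</a>';
}

function vulnerableCounter($page, $pages) {
    return 'Page ' . $page . ' of ' . $pages;
}

// Strict check: accept only an unsigned decimal integer of at least 1,
// otherwise fall back to page 1. is_numeric() is deliberately not used:
// it also accepts "1e3", " 1", "1.5" and (in PHP 5) hex such as "0x1A".
function safePage($value) {
    if (is_int($value)) {
        return $value >= 1 ? $value : 1;
    }
    if (!is_string($value) || !ctype_digit($value) || (int)$value < 1) {
        return 1;
    }
    return (int)$value;
}

// Hardened versions: validate the page value and HTML-escape anything that
// is still a string before it reaches the markup (defence in depth, since
// the column name is attacker-influenced on a real paginated page too).
function safeSortLink($page, $column) {
    $column = htmlspecialchars($column, ENT_QUOTES, 'UTF-8');
    return vulnerableSortLink(safePage($page), $column);
}

function safeCounter($page, $pages) {
    return vulnerableCounter(safePage($page), (int)$pages);
}

foreach ($pageValues as $label => $page) {
    echo "== $label ==\n";
    echo "vulnerable sort link: " . vulnerableSortLink($page, 'test') . "\n";
    echo "hardened   sort link: " . safeSortLink($page, 'test') . "\n";
    echo "vulnerable counter:   " . vulnerableCounter($page, 2) . "\n";
    echo "hardened   counter:   " . safeCounter($page, 2) . "\n\n";
}
```

Run it with `php script.php`: for both payloads the vulnerable lines contain the injected `onclick` attribute and `</a>`, while the hardened lines render page 1. The check belongs at the point where the request parameter is read, as in the ticket's beforeRender() patch, but output escaping should stay in place as a second layer in case another code path builds markup from the same value.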