[FIX] BoostCMS XSS Exploit Fix - News Comments [FIX]

[ayril]

This is a patch to fix the XSS Exploit in BoostCMS News Comments. I've discovered this exploit by using a special web security check software, few months ago while I'm checking the CMS. I decided to release this patch to public as it may help few users who are currently searching for the fix.

You may download the patch in the attachments below.

BoostCMS Patch by Airilxx.zip

Instructions: Put the patch in <your web server path>/Boost/Packages/Default/Templates/ . Please be remember, backup your original Comment.tpl and place somewhere else outside your server web folder

Note: This patch is 100% created by me, I only changed few bits of codes

real code

Code:

<?php echo str_replace("\n", '<br>', htmlspecialchars($Comment['comment'])); ?>

replaced with

Code:

<?php echo strip_tags(str_replace("\n", '<br>', mysql_real_escape_string($Comment['comment']))) ?>

[MentaL]

[FatalLulz]

Why make it a download when you can just make a quick tutorial showing users what pieces of code to change.. Would it not be more logical doing such?

[ayril]

Why make it a download when you can just make a quick tutorial showing users what pieces of code to change.. Would it not be more logical doing such?

I would do that, but I'm currently in lack of pc access. The attached files were directly compressed straight away from my vps server.

[Cliser]

This is a patch to fix the XSS Exploit in BoostCMS News Comments. I've discovered this exploit by using a special web security check software, few months ago while I'm checking the CMS. I decided to release this patch to public as it may help few users who are currently searching for the fix.

You may download the patch in the attachments below.

BoostCMS Patch by Airilxx.zip

Instructions: Put the patch in <your web server path>/Boost/Packages/Default/Templates/ . Please be remember, backup your original Comment.tpl and place somewhere else outside your server web folder

Note: This patch is 100% created by me, I only changed few bits of codes

Can you post some screens, please? Thanks :)

[NOC]

Thanks for this release, good to see the community spirit is here.

[NoBrain]

Can you post some screens, please? Thanks :)

Pretty much nothing to screenshot, lol?

[Luriflax]

the only thing has been changed is within line 24 also @FatalLulz is correct, you should make us aware of what fixed this exploit in future releases

real code

Code:

<?php echo str_replace("\n", '<br>', htmlspecialchars($Comment['comment'])); ?>

replaced with

Code:

<?php echo strip_tags(str_replace("\n", '<br>', mysql_real_escape_string($Comment['comment']))) ?>

[Rush Retros]

But the htmlspecialchars is the code that makes it non exploitable like u cant use specialchars or something lke that if i aint much wrong

[ayril]

But the htmlspecialchars is the code that makes it non exploitable like u cant use specialchars or something lke that if i aint much wrong

Yes, its true, but in this case, the "exploiter" can input " < > ( ) " <- these tags secretly in comments to script a unique popup that displays unique codes, to steal users sessions, on the news page which had enabled comments. Well, you can replicate the XSS wth Acunetix Scanner if you want, just use the clean install of BoostCMS 2.0

[ayril]

the only thing has been changed is within line 24 also @FatalLulz is correct, you should make us aware of what fixed this exploit in future releases

real code

Code:

<?php echo str_replace("\n", '<br>', htmlspecialchars($Comment['comment'])); ?>

replaced with

Code:

<?php echo strip_tags(str_replace("\n", '<br>', mysql_real_escape_string($Comment['comment']))) ?>

Alrite, Noted I'll update this thread with the code snippets soon.

[ayril]

Thanks for this release, good to see the community spirit is here.

Most welcome :) I decided to release here as I saw some peoples, esp. my mates, were able to fix these problems, but they won't share the codes on public.

[ayril]

Can you post some screens, please? Thanks :)

Sorry but I can't provide any screenshots, since its only contains php snippets

[BurakDev]

You can exploit htmlspecialchars ? Explain me how can you get the cookies

[NoBrain]

You can exploit htmlspecialchars ? Explain me how can you get the cookies

htmlentities would be better to use than htmlspecialchars.

[BurakDev]

htmlentities would be better to use than htmlspecialchars.

Yes I know but if I remember you can only execute simple javascript code on htmlspecialchars, you can't get cookie

[ayril]

Yes I know but if I remember you can only execute simple javascript code on htmlspecialchars, you can't get cookie

Well, if u refused to trust me, you can replicate it by using acunetix web scanner. I dont want to quarrel over these things on my thread. I released this to help some people who want get rid of such problems.

[pel]

mysql_real_escape_string !? wtf, why mysql_real_escape_string ?!?!?!?

[NoBrain]

mysql_real_escape_string !? wtf, why mysql_real_escape_string ?!?!?!?

It's also deprecated.

[ayril]

Well then, change the strings to other if it doesn't suitable.
I use references from web to fix these exploits, so the variables that i've use might be outdated.

[Gaby]

Real_escape_string is not meant for output from the database, only for input into the database.

[ayril]

Well, if I remove the string, will it able to block sessions stealing?