
Can someone guide me to fix this? possible cross-site scripting attack

Posted: Thu Sep 09, 2021 4:07 pm
by Chamith
There is a possible cross-site scripting attack problem on bludit-3-13-1, but someone has a fix for this problem: https://github.com/bludit/bludit/issues/1327


But I don't know how to implement this in /bl-kernel/admin/views/login.php
PLEASE SOMEONE HELP ME TO INSERT THAT FIX TO login.php

THE FIX:

Code:

I can confirm the security problem on my install. Thanks for the heads up!

A quick and dirty fix is to add:
$username = strip_tags($_POST['username']);
to
/bl-kernel/admin/views/login.php

and then use $username in place of $_POST['username'].
login.php

Code:

<?php defined('BLUDIT') or die('Bludit CMS.');

echo '<h1 class="text-center mb-5 mt-5 font-weight-normal" style="color: #555;">BLUDIT</h1>';

echo Bootstrap::formOpen(array());

	echo Bootstrap::formInputHidden(array(
		'name'=>'tokenCSRF',
		'value'=>$security->getTokenCSRF()
	));

	echo '
	<div class="form-group">
		<input type="text" value="'.(isset($_POST['username'])?$_POST['username']:'').'" class="form-control form-control-lg" id="jsusername" name="username" placeholder="'.$L->g('Username').'" autofocus>
	</div>
	';

	echo '
	<div class="form-group">
		<input type="password" class="form-control form-control-lg" id="jspassword" name="password" placeholder="'.$L->g('Password').'">
	</div>
	';

	echo '
	<div class="form-check">
		<input class="form-check-input" type="checkbox" value="true" id="jsremember" name="remember">
		<label class="form-check-label" for="jsremember">'.$L->g('Remember me').'</label>
	</div>

	<div class="form-group mt-4">
		<button type="submit" class="btn btn-primary btn-lg mr-2 w-100" name="save">'.$L->g('Login').'</button>
	</div>
	';

echo '</form>';

?>

Thank you very much! <3

Re: Can someone guide me to fix this? possible cross-site scripting attack

Posted: Fri Sep 10, 2021 7:44 pm
by Edi
And what is the problem?

Re: Can someone guide me to fix this? possible cross-site scripting attack

Posted: Fri Sep 10, 2021 9:54 pm
by Chamith
Edi wrote: Fri Sep 10, 2021 7:44 pm And what is the problem?
As you can see here: https://github.com/bludit/bludit/issues/1327

someone mentioned this:
___________________________________________________________________________________
I can confirm the security problem on my install. Thanks for the heads up!

A quick and dirty fix is to add:
$username = strip_tags($_POST['username']);
to
/bl-kernel/admin/views/login.php

and then use $username in place of $_POST['username'].
___________________________________________________________________________________


So how can I change my login.php like he said? You added the bug fix for v4 but not for v3, so I am kind of worried about my current website, in case I face a cross-site scripting attack on it in the future. So I would like to apply the "dirty fix" that guy mentioned.


Fixed for Bludit v4.
https://github.com/bludit/bludit/blob/v ... in.php#L42

Can I add the same fix to my current version? I don't know how to add it.

Re: Can someone guide me to fix this? possible cross-site scripting attack

Posted: Sat Sep 11, 2021 6:45 pm
by Edi
You can follow the description. ;-)

Open the file login.php in the directory /bl-kernel/admin/views with a text editor.

Add $username = strip_tags($_POST['username']); after line 11 and change $_POST['username'] to $username. The modified code will be:

Code:

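	// On the first page load there is no POST data, so guard the array access.
	$username = isset($_POST['username']) ? strip_tags($_POST['username']) : '';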

	echo '
	<div class="form-group">
		<input type="text" value="'.(isset($username)?$username:'').'" class="form-control form-control-lg" id="jsusername" name="username" placeholder="'.$L->g('Username').'" autofocus>
	</div>
	';

Save the file.

Done.
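
Added example, not part of Edi's post and not Bludit's code: strip_tags() removes tags but leaves quote characters alone, and the username is echoed inside a double-quoted value attribute, so this sketch compares the quick fix with htmlspecialchars() using ENT_QUOTES. The function names and sample submissions are constructed for illustration, and the PHP DOM extension is assumed to be available.

```php
<?php
// Added example; not Bludit's code. Function names are hypothetical.

// The username field as rendered with the quick fix from the thread.
function field_with_strip_tags(array $post): string
{
    $username = isset($post['username']) ? strip_tags($post['username']) : '';
    return '<input type="text" value="' . $username . '" name="username">';
}

// The same field with the value encoded for a double-quoted HTML attribute.
function field_with_escaping(array $post): string
{
    $raw = (isset($post['username']) && is_string($post['username'])) ? $post['username'] : '';
    $username = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" value="' . $username . '" name="username">';
}

// Attribute names an HTML parser finds on the rendered <input>.
function input_attributes(string $html): array
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'plain name'      => ['username' => 'alice'],
    'markup in value' => ['username' => '<b>alice</b>'],
    'quote in value'  => ['username' => 'alice" data-injected="1'],
    'no POST data'    => [],
];

foreach ($samples as $label => $post) {
    printf("%-16s strip_tags: %-34s escaped: %s\n",
        $label,
        implode(',', input_attributes(field_with_strip_tags($post))),
        implode(',', input_attributes(field_with_escaping($post))));
}
```

For the row with a quote in the value, the strip_tags column lists an extra attribute on the element, while the escaped column keeps only type, value and name.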

Re: Can someone guide me to fix this? possible cross-site scripting attack

Posted: Sun Sep 12, 2021 7:17 am
by Chamith
Thank you very much!!!! OMG Now I'm sooo relieved! Thank you Edi! :D