Elxis CMS Forum

Support => Security => Topic started by: datahell on October 23, 2008, 09:25:13

Title: Patch against XSS vunerability on module language - Elxis 2008.0, 2008.1 rev2204
Post by: datahell on October 23, 2008, 09:25:13

Patch against XSS vunerability at module language.
Details here:
http://secunia.com/advisories/32278/ (http://secunia.com/advisories/32278/)
Advisory/exploit here:
http://packetstorm.linuxsecurity.com/0810-exploits/elxis-xss.txt (http://packetstorm.linuxsecurity.com/0810-exploits/elxis-xss.txt)

The exploit only affects sites that have the smart language switch parameter enabled in module language.

How to patch Elxis 2008.0, 2008.1 rev2204 until an official patch is released:

First of all you should have session.use_only_cookies = 1 in your php.ini to prevent session fixation.

Now, open module language (modules/mod_language.php) to edit it.

Go to line 65.
Replace this:
$replURI = preg_replace('/^([\/])/', '', urldecode($_SERVER['REQUEST_URI']));

with this:
$replURI = preg_replace('/^([\/])/', '', urldecode($_SERVER['REQUEST_URI']));
$pat = "([\"]|[\']|[\<]|[\>]|[\*]|[\~]|[\`]|[\^]|[\|]|[\\\]|[\$]|[\;])";
$replURI = preg_replace($pat, '', $replURI);
$replURI = preg_replace('/(script)/i', '', $replURI);
$replURI = preg_replace('/(mosconfig)/i', '', $replURI);

Save the file and upload it to your site.

Such kind of attacks can be easily prevented if you have Elxis Defender enabled!

Title: Re: Patch against XSS vunerability on module language - Elxis 2008.0, 2008.1 rev2204
Post by: Amigamerlin on October 23, 2008, 10:34:46

Quote from: datahell on October 23, 2008, 09:25:13

Patch against XSS vunerability at module language.
Details here:
http://secunia.com/advisories/32278/ (http://secunia.com/advisories/32278/)
Advisory/exploit here:
http://packetstorm.linuxsecurity.com/0810-exploits/elxis-xss.txt (http://packetstorm.linuxsecurity.com/0810-exploits/elxis-xss.txt)

The exploit only affects sites that have the smart language switch parameter enabled in module language.

How to patch Elxis 2008.0, 2008.1 rev2204 until an official patch is released:

First of all you should have session.use_only_cookies = 1 in your php.ini to prevent session fixation.

Now, open module language (modules/mod_language.php) to edit it.

Go to line 65.
Replace this:
$replURI = preg_replace('/^([\/])/', '', urldecode($_SERVER['REQUEST_URI']));

with this:
$replURI = preg_replace('/^([\/])/', '', urldecode($_SERVER['REQUEST_URI']));
$pat = "([\"]|[\']|[\<]|[\>]|[\*]|[\~]|[\`]|[\^]|[\|]|[\\\]|[\$]|[\;])";
$replURI = preg_replace($pat, '', $replURI);
$replURI = preg_replace('/(script)/i', '', $replURI);
$replURI = preg_replace('/(mosconfig)/i', '', $replURI);

Save the file and upload it to your site.

Such kind of attacks can be easily prevented if you have Elxis Defender enabled!

Hi Datahell,
thank you for the support.

For all the guys that are noob like me and that don't have the possibilities to change the PHP.ini can be a good thing know what to put in the ELXIS defender filter to prevent this kind of attach.

Thank you.

Title: Re: Patch against XSS vunerability on module language - Elxis 2008.0, 2008.1 rev2204
Post by: datahell on October 23, 2008, 14:40:03

A patch was officially released. Download it from the Elxis Downloads Center.