IE XSS attack notification while trying to upload KML file

9 years 10 months ago #51549 by Fuzzy
FLEXI_WARNIEXSS="Possible IE XSS Attack found."

It happens with the KML files.
I zipped and attached the one I'm testing on, so you can check it. Unzip before testing.

Regards.

9 years 10 months ago #51550 by ggppdk
Hello

Yes, I found the code; it is inside the FLEXIcontent upload file check,

and indeed in this case it is a FALSE-POSITIVE.

-- We need to revise the CODE.

A temporary workaround (PLEASE don't hack other FLEXIcontent files)

is changing the file:
components/com_flexicontent/classes/flexicontent.helper.php

and replacing line:
Code:
foreach($html_tags as $tag) {
with
Code:
if (0) foreach($html_tags as $tag) {



A question: should the contents of uploaded files be checked?


-- Flexicontent is Free but involves a big effort on our part.
Like our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...


9 years 10 months ago #51579 by Fuzzy
Works like a charm!

Thanks, ggppdk, for the support.
You are the best!

A question: should the contents of uploaded files be checked?

Maybe as an option, checked by default, but possible to disable. Just an idea.


9 years 10 months ago #51580 by ggppdk
Hello

--> OK, I see/remember the reason now:

someone could read the file and include it inside the page as HTML,

so indeed someone can exploit the uploading of a file to add XSS-unsafe code into your page.

That is the reason that we check the uploaded files,

e.g. we allow previewing of a file in the file field.

Also, in your case, will you be printing the file inside your page?

You should not allow public access to uploads.



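Added example, not part of the thread and not FLEXIcontent's own code: a sketch of the kind of tag scan discussed above, showing why a harmless KML file trips it, next to the serving-side measures that address the reason given for the check. The function names, the tag list, the 256-byte window and the sample KML are assumptions constructed for illustration.

```php
<?php
// Added example; function names, tag list and sniff window are assumptions,
// not FLEXIcontent's actual code.

// Return the HTML tag names found in the first $window bytes of an upload.
function findHtmlTags(string $bytes, array $tags, int $window = 256): array
{
    $head = substr($bytes, 0, $window);
    $hits = [];
    foreach ($tags as $tag) {
        // Case-insensitive match on "<tag " or "<tag>", so KML's <Style> looks like HTML <style>.
        if (stripos($head, "<$tag ") !== false || stripos($head, "<$tag>") !== false) {
            $hits[] = $tag;
        }
    }
    return $hits;
}

// Headers that stop a browser from rendering a stored upload as HTML.
function downloadHeaders(string $filename): array
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
    return [
        'Content-Type: application/octet-stream',
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $safeName . '"',
    ];
}

// Escape file contents before printing them inside a page (e.g. a preview).
function previewAsText(string $bytes): string
{
    return htmlspecialchars($bytes, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: a harmless KML document.
$kml = <<<'KML'
<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2">
<Document>
  <Style id="pin"><IconStyle><scale>1.2</scale></IconStyle></Style>
  <Placemark><name>Office</name><Point><coordinates>23.7,37.9,0</coordinates></Point></Placemark>
</Document>
</kml>
KML;

print_r(findHtmlTags($kml, ['html', 'script', 'style', 'body', 'img', 'a']));
echo implode("\n", downloadHeaders('route map.kml')), "\n";
echo previewAsText('<Style id="pin">'), "\n";
```

The scan reports `style` for this file because XML element names can collide with HTML tag names; escaping on output and forcing a download do not depend on guessing what the file contains.
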

9 years 10 months ago #51651 by Fuzzy
Thanks for the warning.

The site Administrator will only have the privilege to upload the KML file. No public access for the upload.

Regards.
