XSS Vulnerability in QFormBase, and How to Fix

thread: 1 message  |  last: about 9 years ago  |  started: Monday, July 18, 2011, 8:28 AM PDT

#1  |  Mike Ho (San Diego, CA) United States of America Qcodo Administrator
Monday, July 18, 2011, 8:28 AM PDT

Hey everyone... just wanted to let you know of an XSS vulnerability that I discovered in the QFormBase class.  In theory, it is possible for an attacker to direct a user to a malformed URL which would allow the attacker to inject JavaScript code onto the page and hijack the user.

Fortunately, it's a simple one-line fix.  The fix will obviously be in the upcoming v0.4.21 release... but for those that do not want to update right away but would like to patch this vulnerability, please feel free to view the commit information on GitHub.

In short, it's a one-line fix on or around line 911 of QFormBase.class.php.  All you need to do is wrap the reference to QApplication::$RequestUri in a QApplication::HtmlEntities() method call, so that the line should now read:

$strToReturn .= sprintf('<form method="post" id="%s" action="%s"%s>', $this->strFormId, QApplication::HtmlEntities(QApplication::$RequestUri), $strFormAttributes);

Hopefully this is clear and should be a straightforward fix for everyone.  Given the nature of the vulnerability (i.e. XSS vulnerabilities are never good), I would highly recommend that everyone apply this patch as soon as possible.

Please post with any questions.  Thanks!
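The following stand-alone PHP script is an added example, not Qcodo's own code or part of the post above. It reproduces the sink the post describes: QFormBase echoes the raw request URI into the action attribute of the form tag, so a request URI carrying a raw double quote closes the attribute and whatever follows is parsed as markup. The script renders the tag both ways (unescaped, as before the fix, and HTML-entity encoded, as after it) for a constructed attacker URL and checks the result. QApplication::HtmlEntities() is modelled here with PHP's htmlentities(); the function and variable names (renderFormOpen, check, $maliciousUri) are this example's own assumptions, not Qcodo identifiers.

```php
<?php
// Added example (not Qcodo's code): why the unescaped REQUEST_URI in the <form>
// tag is a reflected XSS sink, and how HTML-entity encoding at the output point
// closes it. Assumption: QApplication::HtmlEntities() behaves like htmlentities()
// with ENT_QUOTES for the characters that matter in a double-quoted attribute.

// Build the opening <form> tag the way QFormBase does: the action attribute echoes
// the request URI so the form posts back to the page that rendered it.
function renderFormOpen(string $formId, string $requestUri, bool $escape): string
{
    $action = $escape
        ? htmlentities($requestUri, ENT_QUOTES, 'UTF-8')  // patched behaviour
        : $requestUri;                                    // pre-fix behaviour
    return sprintf('<form method="post" id="%s" action="%s">', $formId, $action);
}

// Minimal check helper (plain exception rather than assert(), which production
// php.ini settings may compile out).
function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

// Constructed attacker URL. PHP hands $_SERVER['REQUEST_URI'] through without
// decoding or sanitising it, so a raw '"' ends the attribute value and '<x y="'
// at the tail re-opens an attribute to swallow the real closing quote.
$maliciousUri = '/index.php?id=1"><script>alert(document.cookie)</script><x y="';

$vulnerable = renderFormOpen('form1', $maliciousUri, false);
$patched    = renderFormOpen('form1', $maliciousUri, true);

echo "Unpatched:\n$vulnerable\n\nPatched:\n$patched\n\n";

// Unpatched output contains an injected <script> element; the patched output is a
// single element whose action value is the encoded attacker string.
check(strpos($vulnerable, '<script>') !== false, 'unpatched tag should carry injected markup');
check(substr_count($patched, '<') === 1,        'patched output must contain exactly one tag');
check(strpos($patched, '&quot;&gt;&lt;script&gt;') !== false, 'attacker characters must be entity-encoded');

// Contrast: a percent-encoded copy of the same payload is harmless in both modes,
// because REQUEST_URI keeps the %XX sequences literally and the HTML parser never
// sees a raw quote or angle bracket. Escaping is still required for the raw form
// above, since the server cannot rely on every client encoding those characters.
$encodedUri = '/index.php?id=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E';
check(substr_count(renderFormOpen('form1', $encodedUri, false), '<') === 1,
      'percent-encoded payload does not break out of the attribute');
```

Run it with `php example.php`; it prints both renderings and exits quietly if the checks hold. The point of the last check is that the bug depends on raw `"`, `<` and `>` reaching the attribute, which is exactly what HTML-entity encoding at the point of output prevents regardless of what the client chose to send.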

Copyright © 2005 - 2021, Quasidea Development, LLC
This open-source framework for PHP is released under the terms of The MIT License.