ExpressionEngine CMS
Open, Free, Amazing

Thread

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


'Disallowed Key Characters' XSS

July 24, 2013 5:48am

  • #1 / Jul 24, 2013 5:48am

    jmedwards

    1 posts

    Assuming ExpressionEngine is running on http://www.domain.com, if you invent a fictitious file and parameters, like:

    http://www.domain.com/SameCustomPageXSS.pl?testhere[removed]alert(700);[removed]

    ExpressionEngine will return the error:

    Disallowed Key Characterstesthere[removed]alert(700);[removed]

    And in some browsers, like Firefox, will execute the script.

    How can we prevent this?

  • #2 / Jul 24, 2013 1:51pm

    wildrock

    262 posts

    If you are running EE v1, you should upgrade to the latest version. There were quite a few security fixes for XSS exploits applied. If you are referring to the most recent version of EE 1.x still having an XSS vulnerability, then you should file a bug report. I don’t know if Ellis Lab would release another security fix for the 1.7.x branch, but who knows. If they don’t/won’t, then we should get the vulnerability fully documented, and maybe one of the 3rd party devs can hack a fix together.

    If you are referring to EE 2.x, you should file a bug report and have EL fix this puppy.

    -j
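
An added example of the general fix for the behaviour described in this thread, not code from ExpressionEngine or from either poster: a rejected parameter name is HTML-encoded before it is echoed in the error page. The function names, the allow-list pattern and the 64-byte display limit are assumptions made for illustration, and the sample input is constructed.

```php
<?php
// Added example; hypothetical names, not ExpressionEngine's own code.

// Assumed allow-list for request parameter names.
const KEY_PATTERN = '/\A[a-z0-9:_\/-]+\z/i';

/** Unsafe: copies the rejected key into the HTML error body verbatim. */
function reject_key_unsafe(string $key): string
{
    return 'Disallowed Key Characters' . $key;
}

/** Hardened: truncate, then encode the key for the HTML context. */
function reject_key_safe(string $key): string
{
    $shown = htmlspecialchars(
        substr($key, 0, 64),            // assumed display limit
        ENT_QUOTES | ENT_SUBSTITUTE,    // encode both quote types, replace invalid bytes
        'UTF-8'
    );
    return 'Disallowed Key Characters: ' . $shown;
}

/** Returns null when the key is acceptable, otherwise a safe error body. */
function check_key(string $key): ?string
{
    return preg_match(KEY_PATTERN, $key) === 1 ? null : reject_key_safe($key);
}

// Constructed sample keys: one valid, one carrying harmless markup.
$samples = ['page', 'testhere<b>marker</b>'];

foreach ($samples as $key) {
    $error = check_key($key);
    if ($error === null) {
        echo "accepted: $key\n";
        continue;
    }
    // The unsafe body would be parsed as markup by a browser;
    // the safe body shows the same characters as inert text.
    echo 'unsafe body: ' . reject_key_unsafe($key) . "\n";
    echo 'safe body:   ' . $error . "\n";
}
```

Sending the error with an HTTP 400 status and a `Content-Type: text/plain` header plus `X-Content-Type-Options: nosniff` gives a second layer, since the body is then never parsed as HTML.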
