CVE: CVE-2011-4025   
Vendor: EllisLab   
Products: ExpressionEngine 2.2.2, CodeIgniter 2.0.3
Vulnerabilities: xss_clean filter bypass, leading to Cross-Site Scripting (XSS)
Risk: High   
Attack Vector: From Remote   
Reference: http://secureappdev.blogspot.com/2011/11/ellislab-xssclean-filter-bypass.html

  
1. Description

EllisLab ExpressionEngine 2.2.2 and CodeIgniter 2.0.3 were found vulnerable to various XSS attacks when relying on XSS protection provided by xss_clean filter. When exploited by an external/internal attacker, such identified vulnerabilities could lead to Session Hijack, Information Disclosure, force installation of malicious file or Trojan on users' PCs, etc.

Due to implementation flaws affecting functions _remove_evil_attributes function flaw and xss_clean of CI_Security class, the internal XSS filter can be bypassed, thus allowing successful XSS attacks on products using either ExpressionEngine 2.2.2 or CodeIgniter 2.0.3.

_remove_evil_attributes function of CI_Security class allows detection and removal of 'evil' on* event attributes (e.g. onmouseover, onfocus, etc) from any HTML tag submitted as a parameter of GET or POST requests. By exploiting an implementation flaw identified in _remove_evil_attributes function, an attacker can inject XSS payloads relying on the use of 'evil' on* attributes, as shown below:
    
XSS injected payload: <a href=”#”onclick=”alert(1)”>" onclick="">

xss_clean 'filtered' output: <a href=”#>" onclick="">
 
xss_clean function includes functionality for replacing any detected ( ) characters with the corresponding HTML entities (( ,  ) respectively). As stated by EllisLab developers, something like eval('some code') becomes eval('some code') and such rewritten code is harmless.

When the code to be sanitised is JavaScript and is part of an attribute of an HTML tag, replacing ( ) characters with corresponding HTML entities still allows successful execution of such JavaScript code by the browser. 

When the flaws affecting both _remove_evil_attributes function and xss_clean functions are exploited together, this allows successful injection and execution of common XSS attack payloads, as shown below:

XSS injected payload: <a href="#"onclick="alert(1)">" onclick="alert(2)">aa</a>

xss_clean 'filtered' output: <a href="#>" onclick="alert(2)">aa</a>


2. Affected Versions

EllisLab ExpressionEngine 2.2.2
EllisLab CodeIgniter 2.0.3


3. Mitigation
    
Vendor recommends upgrading to ExpressionEngine 2.3.0 or later, respectively to CodeIgniter 2.1.0 or later.  
 
4. Disclosure Timeline

2011, September 08: Vulnerabilities discovered and documented
2011, September 08: Notification sent to EllisLab
2011, September 08: Vulnerabilities confirmed by EllisLab
2011, October 11: EllisLab released ExpressionEngine 2.3.0
2011, November 14: EllisLab released CodeIgniter 2.1.0
2011, November 28: MVSA-11-013 advisory published.


MVSA-11-013
Dr. Marian Ventuneac