Security issues in kses

Lukasz Pilorz has found 3 security issues in kses, the HTML filter we're using in Geeklog. We have examined these issues and to the best of our knowledge, 2 of the 3 issues are not exploitable in the Geeklog context, due to additional filtering done by Geeklog. The third issue is exploitable, though, but won't affect standard installs.

The exploitable issue affects the HTML style attribute. In a standard install of Geeklog, the style attribute is not allowed, i.e. filtered out when someone attempts to use it. This has always been our recommendation, as it could be used for defacements. Lukasz has demonstrated that it could also be used for XSS. Since kses is no longer maintained, there is no patch for this issue. We therefore want to repeat our recommendation: Do not allow the style attribute for normal users and be very careful when allowing it for Admin users.

For the other two issues, Lukasz has provided a patch for kses that we've rolled into Geeklog 1.5.0, just in case. For earlier releases, you can download a drop-in replacement for kses. Again, to the best of our knowledge, the issues (which include arbitrary code execution) do not seem to be exploitable in the Geeklog context.

Since kses is no longer maintained, we will be looking into replacing it with some other HTML filter in future Geeklog releases.

Comments (0)


Geeklog
https://www.geeklog.net/article.php/kses