Fix for Xss injector

function page_xss_injector() {
    for($i=0;$i<2;$i++) {
      // Extract the forms url and id
      $form_details = db_fetch_array(db_query("SELECT f.id,l.path FROM {crawler_forms} f INNER JOIN {crawler_links} l ON f.page_id = l.id WHERE status = 2 LIMIT 1"));
      // Visit that url
      $obj = new drupal_security_scanner_test();
      $session_cookie = variable_get('security_scanner_cookie','');
      $obj->curl_options = array(
        CURLOPT_COOKIE => $session_cookie,
      );
      //$obj->drupalGet($form_details['path']);
      $html = $obj->drupalGet('http://localhost/soc2008/?q=node/add/page');
      $obj->parse();
      // Selecting only textareas and input type = 'text' before seeding 
      // (already included inside handleFormModified, but repeated to build the array of the value to seed)
      $all_inputs = $obj->elements->xpath("//input[@type='text']|//textarea");
      //echo "<pre>".print_r($all_inputs,1)."</pre>";
      foreach ($all_inputs as $input) {
        $name = (string)$input->attributes()->name;
        $edit[$name] = "<\script\>alert('xss');</\script\>";
      }
      echo "<pre>".print_r($edit,1)."</pre>";
      // $obj->drupalPostModified($html, $form_details['id'], $form_state, TRUE);
      $obj->drupalPostModified($html, 'edit-page-node-form', $edit, TRUE);
      die;
    }
 
 
 
// Function drupalPostModified and handleFormModified (I have to change its name)
 
  /**
   * Execute a POST request on a Drupal page. (modified function)
   * It will be done as usual POST request with SimpleBrowser.
   *
   * @param string  $path
   *   Location of the post form. Either a Drupal path or an absolute path or
   *   NULL to post to the current page.
   * @param array $edit
   *   Field data in an assocative array. Changes the current input fields
   *   (where possible) to the values indicated. A checkbox can be set to
   *   TRUE to be checked and FALSE to be unchecked.
   * @param string $submit
   *   Value of the submit button.
   * @param $tamper
   *   If this is set to TRUE then you can post anything, otherwise hidden and
   *   nonexistent fields are not posted.
   */
  function drupalPostModified($html, $form_id, $edit, $submit) {
    $submit_matches = FALSE;
    if ($this->parse()) {
      $edit_save = $edit;
      // Let's iterate over all the forms.
      $forms = $this->elements->xpath("//input[@id='".$form_id."']/parent::*");
      foreach ($forms as $form) {
        // We try to set the fields of this form as specified in $edit.
        $edit = $edit_save;
        $post = array();
        $upload = array();
        $submit_matches = $this->handleFormModified($post, $edit, $upload, $submit, $form);
        $action = isset($form['action']) ? $this->getAbsoluteUrl($form['action']) : $this->getUrl();
        // This part is not pretty. There is very little I can do.
        if ($upload) {
          foreach ($post as &$value) {
            if (strlen($value) > 0 && $value[0] == '@') {
              $this->fail(t("Can't upload and post a value starting with @"));
              return FALSE;
            }
          }
          foreach ($upload as $key => $file) {
            $post[$key] = '@' . realpath($file);
          }
        }
        else {
          $post_array = $post;
          $post = array();
          foreach ($post_array as $key => $value) {
            // Whether this needs to be urlencode or rawurlencode, is not
            // quite clear, but this seems to be the better choice.
            $post[] = urlencode($key) . '=' . urlencode($value);
          }
          $post = implode('&', $post);
        }
        $out = $this->curlExec(array(CURLOPT_URL => $action, CURLOPT_POSTFIELDS => $post, CURLOPT_POST => TRUE));
        // Ensure that any changes to variables in the other thread are picked up.
        $this->refreshVariables(); 
        return $out;
      }
      // We have not found a form which contained all fields of $edit.
      foreach ($edit as $name => $value) {
        $this->fail(t('Failed to set field @name to @value', array('@name' => $name, '@value' => $value)));
      }
    }
  }
  
 
    /**
   * Handle form Modified
   */
  protected function handleFormModified(&$post, &$edit, &$upload, $submit, $form) {
    // Retrieve the form elements.
    $elements = $form->xpath("//input[@type='text']|//textarea");
    $submit_matches = FALSE;
    foreach ($elements as $element) {
      // SimpleXML objects need string casting all the time.
      $name = (string)$element['name'];
      // This can either be the type of <input> or the name of the tag itself
      // for <select> or <textarea>.
      $type = isset($element['type']) ? (string)$element['type'] : $element->getName();
      $value = isset($element['value']) ? (string)$element['value'] : '';
      $done = FALSE;
      if (isset($edit[$name])) {
        switch ($type) {
          case 'text':
          case 'textarea':
            $post[$name] = $edit[$name];
            unset($edit[$name]);
            break;
        }
      }
      if (!isset($post[$name]) && !$done) {
        switch ($type) {
          case 'textarea':
            $post[$name] = (string)$element;
            break;
          case 'submit':
            if ($submit == $value) {
              $post[$name] = $value;
              $submit_matches = TRUE;
            }
            break;
          default:
            $post[$name] = $value;
        }
      }
    }
    return $submit_matches;
  }
DrupalBin

Recent Posts

Tags

User login

Fix for Xss injector
