Gossamer Forum

[Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability

A minor XSS vulnerability was recently found in the Links SQL 2.x and GLinks 3.0.0 templates. The vulnerability allows someone to generate URLs which, if visited by a user, can disclose information such as cookie data.

Versions affected:
Gossamer Links 3.0.0
Links SQL 2.x

Versions not affected:
Gossamer Links 3.0.1 and higher

Solution:
For Gossamer Links 3.0.0 users, upgrade to 3.0.1 (or the current latest version) and merge the changes into your customised templates (see the template diffs). For Links SQL 2.x users (or users still using 2.x templates), you must update your templates to HTML-escape input. To do this you must edit all the templates and change any places where template tags are used as element attribute values. When updating your templates, there are 3 things that need updating:

1) <input ... value="<%template_var%>">
2) <frame ... src="<%template_var%>">
3) <textarea><%template_var%></textarea>

These need to be changed to:

1) <input ... value="<%escape_html template_var%>">
2) <frame ... src="<%escape_html template_var%>">
3) <textarea><%escape_html template_var%></textarea>

If your directory does not allow HTML in any link info (e.g. link descriptions, reviews, etc.) then you can leave your templates unmodified and just add an option to GT::Template to HTML-escape all variables. To do this, edit admin/Links.pm (it's on a different line depending on the version you have installed) in "sub user_page", before it calls GT::Template->parse(...), add the following line:
Code:
$opts->{escape} = 1;

Adrian

Last edited by:

brewt: Oct 14, 2005, 12:42 AM
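The three template changes and the global escape option from the post above, modelled as an added example. This is not GT::Template or any Gossamer Threads code: it is a small stand-in that expands the same <%var%> / <%escape_html var%> tag syntax, with an escape flag playing the role of $opts->{escape} = 1, so you can see why an unescaped value breaks out of an attribute and why the global flag is only safe when the directory allows no HTML. The sample value and the template strings are constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Stand-in for the <%var%> / <%escape_html var%> tag syntax in the advisory.
# This is NOT GT::Template; it models only the two behaviours the fix relies on:
# per-tag escape_html, and a global escape-everything flag (like $opts->{escape} = 1).
TAG = re.compile(r"<%\s*(escape_html\s+)?(\w+)\s*%>")


def escape_html(value):
    """Escape &, <, >, double and single quotes so a value cannot close an attribute or tag."""
    return html.escape(str(value), quote=True)


def render(template, variables, escape=False):
    """Expand template tags; escape a value when the tag or the global flag asks for it."""
    def expand(match):
        wants_escape, name = match.group(1), match.group(2)
        value = str(variables.get(name, ""))
        return escape_html(value) if (wants_escape or escape) else value
    return TAG.sub(expand, template)


class _TagCollector(HTMLParser):
    """Record the tags a browser-like parser sees, plus any value= attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.values.extend(v for k, v in attrs if k == "value")


def parse_tags(rendered):
    """Return (tag names, value attributes) found in rendered HTML."""
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags, collector.values


# Constructed sample input: a value that tries to break out of the attribute.
# A <b> element is used so the effect is visible without doing anything harmful.
SAMPLE_VARS = {"template_var": '"><b>injected</b>'}

# The advisory's "before" and "after" forms of case 1 (input value attribute).
VULNERABLE = '<input type="text" name="q" value="<%template_var%>">'
FIXED = '<input type="text" name="q" value="<%escape_html template_var%>">'


def breakout_succeeds(template, variables, escape=False):
    """True if the injected value produced an extra element, i.e. left the attribute."""
    tags, _ = parse_tags(render(template, variables, escape))
    return tags != ["input"]


if __name__ == "__main__":
    print(render(VULNERABLE, SAMPLE_VARS))   # value="" then a stray <b> element
    print(render(FIXED, SAMPLE_VARS))        # value stays inside the attribute
    # The global flag is equivalent to adding escape_html to every tag...
    print(render(VULNERABLE, SAMPLE_VARS, escape=True) == render(FIXED, SAMPLE_VARS))
    # ...which is why it is only safe when link info contains no HTML at all:
    print(render("<p><%description%></p>", {"description": "<b>bold</b>"}, escape=True))
```

The same mechanism covers case 3: a value such as `</textarea>` placed inside a textarea closes the element unless it is passed through escape_html, and the last print shows the trade-off the post mentions, since the global option turns legitimate HTML in descriptions into literal text.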
Post deleted by Alba

Last edited by:

Alba: Apr 22, 2005, 3:12 AM
Re: [Alba] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
Hi,

I believe you would put it before the line.

One thing I did notice, is the missing ; at the end of the line.

i.e.:

Code:
$opts->{escape} = 1

...should be:

Code:
$opts->{escape} = 1;

Hope that helps

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [brewt] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
I upgraded a 2.99.x site to 3.0.1.

When I went to the template area to view the diffs, the diffs were only for 3.0.0 -> 3.0.1

The customized templates are 2.99x

That seems like a bug, especially in a version upgrade like this. How can you merge the templates?


PUGDOG® Enterprises, Inc.

The best way to contact me is to NOT use Email.
Please leave a PM here.
Re: [pugdog] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
I've attached the diffs for 2.99.0 to 2.99.1 and 2.99.1 to 3.0.0. Note that 2.99.0 to 2.99.1 was a pretty big change (it was a beta).

Adrian
Re: [brewt] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
I've noticed that in several of the updated templates, escape_html has not been used when calling values, e.g. modify_success.html

Is it only certain values that are at risk or have the others just been missed?
Re: [Alba] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
It's because only certain things need to be escaped. Input that's a result of the actual user submitting input usually doesn't need escaping because the only person they can exploit is themselves.

Adrian
Re: [brewt] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
I get it, the fix only applies to tags used to complete form fields? I guess I should have looked more closely but had so many template sets to fix that I'd not followed the change info template by template.

Thanks
Re: [Alba] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
Pretty much the case. Because Gossamer Links doesn't escape all variables passed into the template parser (we would like to change this, but it would likely break a lot of plugins, templates, etc - most of our other products do it already), you need to do it in the template yourself when needed.

Adrian
Re: [brewt] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
Wouldn't it be better, though, to fix the real issue, and not leave a potential hole?

Especially with a 3.0 release, isn't this the "time" to fix up these issues?

Leaving security fixes to the user, is not the best course, and accidents will happen. If nothing else, warn if input that should be escaped in the templates, isn't.

Re: [pugdog] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
It's a fairly minor XSS vulnerability, and making the change would result in most plugins and installations ceasing to function properly, not to mention backwards compatibility would be broken. Backwards compatibility is one of the things we want to keep for 3.x.

Adrian
Re: [brewt] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
Quote:
Backwards compatibility is one of the things we want to keep for 3.x.
Sincerely, I did not feel the backward compatibility when an option was changed, so my DirName converter plugin became unusable for LSQL v3.x.

Best regards,
Webmaster33

Re: [brewt] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
brewt wrote:
If your directory does not allow HTML in any link info (e.g. link descriptions, reviews, etc.) then you can leave your templates unmodified and just add an option to GT::Template to HTML-escape all variables. To do this, edit admin/Links.pm (it's on a different line depending on the version you have installed) in "sub user_page", before it calls GT::Template->parse(...), add the following line:
Code:
$opts->{escape} = 1;

And what can I do if I use html?
I am using Links SQL 2.1.2 and would not like to
update to Links 3.

Best regards from
Bremen/Germany

Lothar
Re: [eljot] [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
If you do allow HTML in your fields, then you need to make all the listed changes (everything before that sentence).

Adrian