Mailing List Archive: Interchange: users

Standard demo: prevent XSS on forum submission



josh-ic at att

Nov 19, 2009, 7:51 AM

Post #1 of 3 (969 views)
Standard demo: prevent XSS on forum submission

The mv_arg parameter is not filtered when output in the page during
forum comment submission and replies, which can allow cross-site
scripting to be used.

http://github.com/jlavin/interchange/commit/1abf12d5332b57d50843198ab9b159778c491297


--- a/dist/standard/include/forum/reply_form
+++ b/dist/standard/include/forum/reply_form
@@ -1,4 +1,4 @@
-[loop list="[data session arg]"]
+[loop list="[data base=session field=arg filter=encode_entities]"]
<form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
<input type=hidden name=artid VALUE="[loop-data forum artid]">
<input type=hidden name=parent VALUE="[loop-code]">
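Review bot: the `filter=encode_entities` on the `[data ...]` call does close the attribute breakout in `VALUE="[loop-code]"`, because the loop list now carries entity-encoded codes, but the same encoded string is also what `[loop-data forum artid]` looks up by, so any code containing `&`, `<`, `>` or `"` will no longer match its forum row and `artid` comes out empty. That makes the encoding double as an implicit whitelist; either document that, or reject codes that are not plain forum keys before the `[loop ...]` and keep `encode_entities` on the `VALUE=` output only. The unchanged `ACTION="[area @@MV_PAGE@@]"` line is not derived from `mv_arg` and needs no filter.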

--- a/dist/standard/include/forum/submit_form
+++ b/dist/standard/include/forum/submit_form
@@ -4,7 +4,7 @@
return;
[/calc]
[/if]
-[loop list="[data session arg]"]
+[loop list="[data base=session field=arg filter=encode_entities]"]
<form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
<input TYPE="HIDDEN" NAME="artid" VALUE="[loop-data forum artid]">
<input TYPE="HIDDEN" NAME="parent" VALUE="[loop-code]">
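Review bot: the `[/calc]` / `[/if]` context above the changed line shows a guard that already `return`s before the form is built, but its condition is outside the hunk; it is worth confirming whether that guard validates `arg` (for example as an existing forum key). If it does, the encoded loop list here is only a safety net and the change is fine as-is; if it does not, the same lookup caveat as in `reply_form` applies, and `[loop-data forum artid]` will silently yield an empty value for any code the filter rewrote. Since `submit_form` and `reply_form` now carry an identical `[loop list="[data base=session field=arg filter=encode_entities]"]` line, a shared include would keep the filter from drifting between the two.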

--
Josh Lavin
Perusion -- Expert Interchange Consulting http://www.perusion.com/


_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users


lists at gmnet

Nov 21, 2009, 9:28 AM

Post #2 of 3 (883 views)
Re: Standard demo: prevent XSS on forum submission [In reply to]

On Thu, 2009-11-19 at 09:51 -0600, Josh Lavin wrote:
> The mv_arg parameter is not filtered when output in the page during
> forum comment submission and replies, which can allow cross-site
> scripting to be used.
>
> http://github.com/jlavin/interchange/commit/1abf12d5332b57d50843198ab9b159778c491297
>
>
> --- a/dist/standard/include/forum/reply_form
> +++ b/dist/standard/include/forum/reply_form
> @@ -1,4 +1,4 @@
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
> <form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
> <input type=hidden name=artid VALUE="[loop-data forum artid]">
> <input type=hidden name=parent VALUE="[loop-code]">
>
> --- a/dist/standard/include/forum/submit_form
> +++ b/dist/standard/include/forum/submit_form
> @@ -4,7 +4,7 @@
> return;
> [/calc]
> [/if]
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
> <form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
> <input TYPE="HIDDEN" NAME="artid" VALUE="[loop-data forum artid]">
> <input TYPE="HIDDEN" NAME="parent" VALUE="[loop-code]">
>
> --
> Josh Lavin
> Perusion -- Expert Interchange Consulting http://www.perusion.com/
>

Hi,

Since [data session arg] is always input from the url, maybe it should
be filtered more up-stream? That way anywhere this tag is used as is,
it would be safe. Is there a way to do that maybe in the [data] tag? or
would that be a bad idea?

Rick




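To make the trade-off behind Rick's question concrete, here is an added Python model (not Interchange code, and not from the thread) of the patched `[loop list="[data session arg ...]"]` / `VALUE="[loop-code]"` pattern. `FORUM`, `data_session_arg`, `render_hidden_inputs` and `validate_arg` are constructed stand-ins: they show that `encode_entities` applied where the value is read makes the hidden-input attribute inert, but also changes the key the loop uses for its `artid` lookup, which is why an up-stream whitelist plus output encoding is the cleaner split.

```python
import html
import re

# Constructed stand-in for the forum table, keyed by the parent code that
# arrives in mv_arg and that Interchange keeps as the session "arg".
FORUM = {"42": {"artid": "7"}, "a&b": {"artid": "9"}}


def data_session_arg(arg, filt=None):
    """Model of [data session arg], optionally with filter=encode_entities."""
    if filt == "encode_entities":
        return html.escape(arg, quote=True)   # & < > " ' become entities
    return arg


def render_hidden_inputs(arg, filt=None):
    """Model of the patched loop: each code in the (possibly encoded) list
    drives the [loop-data forum artid] lookup and the VALUE="[loop-code]"."""
    lines = []
    for code in data_session_arg(arg, filt).split():
        artid = FORUM.get(code, {}).get("artid", "")
        lines.append(f'<input type=hidden name=artid VALUE="{artid}">')
        lines.append(f'<input type=hidden name=parent VALUE="{code}">')
    return "\n".join(lines)


def attribute_intact(rendered):
    """True when every emitted tag still has exactly one quoted VALUE and no
    extra tag opened inside it (the breakout an unencoded arg produces)."""
    return all(line.count('"') == 2 and line.count("<") == 1
               for line in rendered.splitlines())


# Up-stream alternative: a whitelist on the raw value (hypothetical charset)
# leaves a usable lookup key; encoding then happens only at the output site.
CODE_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_arg(arg):
    """Refuse any mv_arg whose codes are not plain keys; return it unchanged."""
    codes = arg.split()
    if not codes or not all(CODE_RE.match(c) for c in codes):
        raise ValueError("mv_arg rejected")
    return arg


if __name__ == "__main__":
    probe = '42"><b>x</b>'                              # constructed input
    print(render_hidden_inputs(probe))                  # attribute broken
    print(render_hidden_inputs(probe, "encode_entities"))  # inert
    print(render_hidden_inputs("a&b", "encode_entities"))  # artid lookup misses
```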


racke at linuxia

Nov 24, 2009, 1:14 PM

Post #3 of 3 (849 views)
Re: Standard demo: prevent XSS on forum submission [In reply to]

Josh Lavin wrote:
> The mv_arg parameter is not filtered when output in the page during
> forum comment submission and replies, which can allow cross-site
> scripting to be used.
>
> http://github.com/jlavin/interchange/commit/1abf12d5332b57d50843198ab9b159778c491297
>
>
>
> --- a/dist/standard/include/forum/reply_form
> +++ b/dist/standard/include/forum/reply_form
> @@ -1,4 +1,4 @@
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
> <form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
> <input type=hidden name=artid VALUE="[loop-data forum artid]">
> <input type=hidden name=parent VALUE="[loop-code]">
>
> --- a/dist/standard/include/forum/submit_form
> +++ b/dist/standard/include/forum/submit_form
> @@ -4,7 +4,7 @@
> return;
> [/calc]
> [/if]
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
> <form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
> <input TYPE="HIDDEN" NAME="artid" VALUE="[loop-data forum artid]">
> <input TYPE="HIDDEN" NAME="parent" VALUE="[loop-code]">
>

There are more files affected. A quick grep shows more suspects (not all of them are subject to XSS exploits):

dist/lib/UI/pages/admin/upload_file.html:[if-mm function="!files" name="[data session arg]"]
dist/lib/UI/pages/admin/upload_file.html:[seti ui_error][msg arg.0="[data session arg]"]Not authorized to upload file %s.[/msg][/seti]
dist/lib/UI/pages/admin/upload_file.html: [msg arg.0="[data session arg]"]Uploading file <b>%s</B>[/msg]
dist/lib/UI/pages/admin/upload_file.html: <INPUT type=hidden NAME=ui_upload_fn VALUE="[data session arg]">
dist/lib/UI/pages/admin/upload_file.html: [msg arg.0="[data session arg]"]Uploading file to <b>%s</B>[/msg]
dist/lib/UI/pages/admin/upload_file.html: <INPUT type=hidden NAME=ui_upload_fn VALUE="[data session arg]">
dist/lib/UI/pages/admin/upload_file.html: <INPUT NAME=ui_upload_fn type=hidden VALUE="[data session arg]">
dist/lib/UI/pages/admin/page_upload.html:[cgi name=page set="[data session arg]"]
dist/lib/UI/pages/admin/quicklinks.html:[seti win][data session arg][/seti]
dist/features/quickpoll/templates/components/quickpoll: <input type=hidden name="mv_arg" value="[data session arg]">
dist/standard/pages/flypage.html: [description code="[data session arg]"]
dist/standard/pages/flypage.html:[fly-list code="[data session arg]"]
dist/standard/pages/query/order_return.html: [seti arg][data session arg][/seti]
dist/standard/pages/query/order_detail.html:[loop list="[data session arg]"]
dist/standard/pages/member/delete_addresses.html: [userdb function=delete_shipping nickname="[data session arg]"]
dist/standard/pages/survey/graph.png.html:[survey-graph item_id="[data session arg]" notitle="[cgi notitle]" show_num=1 show_percent=1 cycle_clrs=1]
dist/standard/pages/function/stock_alert.html: [seti code][data session arg][/seti]
dist/standard/pages/function/stock_alert_added.html: [seti code][data session arg][/seti]
dist/standard/pages/quantity.html:[fly-list code="[data session arg]"]
dist/standard/pages/quantity.html:[loop prefix="part" list="[data session arg]"]
dist/standard/pages/forum/display.html:Forum thread: [data table=forum col=subject key="[data session arg]"]
dist/standard/pages/forum/display.html:[if type=data term="products::sku::[data session arg]"]
dist/standard/pages/forum/display.html: [bounce page="[data session arg]"]
dist/standard/pages/forum/display.html: top="[data session arg]"
dist/standard/pages/forum/reply.html:[tmp page_title]Reply to [data table=forum col=subject key="[data session arg]"][/tmp]
dist/standard/pages/forum/reply.html: [if type=!data term="forum:code:[data session arg]"]
dist/standard/pages/forum/reply.html: [loop list="[data session arg]" prefix=item]
dist/standard/include/forum/submit_form:[loop list="[data session arg]"]
dist/standard/include/forum/reply_form:[loop list="[data session arg]"]
dist/test/pages/oldtest.html:arg: [data arg]=[data session arg] -- [page @@MV_PAGE@@ SUCCESS]this link to test</a><BR>
dist/test/pages/test_specific.html:[loop list="[data session arg]"][harness name="[loop-code]"][expected][loop-data tests expected][/expected][not][loop-data tests no_expect][/not][loop-data tests input][/harness]
dist/test/pages/quantity.html:[loop list="[data session arg]"]
eg/news_feature/pages/news.html: se=[data session arg]

Regards
Racke


--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team


