Home : Gossamer Threads Inc. : Official Bug Fixes :

Gossamer Threads Inc.: Official Bug Fixes: [Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability: Edit Log

Here is the list of edits for this post
[Links SQL 2.x/GLinks 3.0.0] Minor XSS Vulnerability
A minor XSS vulnerability was recently found in the Links SQL 2.x and GLinks 3.0.0 templates. The vulnerability allows someone to generate urls, which if visited by a user, can disclose information such as cookie data.

Versions affected:
Gossamer Links 3.0.0
Links SQL 2.x

Versions not affected:
Gossamer Links 3.0.1 and higher

Solution:
For Gossamer Links 3.0.0 users, upgrade to 3.0.1 (or the current latest version) and merge the changes into your customised templates (see the template diffs). For Links SQL 2.x users (or users still using 2.x templates), you must update your templates to html escape input. To do this you must edit all the templates and change any places where template tags are used as element attribute values. When updating your templates, there are 3 things that need updating:

1) <input ... value="<%template_var%>">
2) <frame ... src="<%template_var%>">
3) <textarea><%template_var%></textarea>

These need to be changed to:

1) <input ... value="<%escape_html template_var%>">
2) <frame ... src="<%escape_html template_var%>">
3) <textarea><%escape_html template_var%></textarea>

If your directory does not allow html in any link info (eg. link descriptions, reviews, etc) then you can not modify your templates and just add an option to GT::Template to html escape all variables. To do this, edit admin/Links.pm (it's on a different line depending on the version you have installed) in "sub user_page", before it calls GT::Template->parse(...), add the following line:
Code:
$opts->{escape} = 1;

Adrian

Last edited by:

brewt: Oct 14, 2005, 12:42 AM

Edit Log: