 |
|
Item15141: possible XSS attack in attachment comments
Priority: Security
Current State: Closed
Released In: 2.1.8
Target Release: patch
Current State: Closed
Released In: 2.1.8
Target Release: patch
Applies To: Engine
Component:
Branches:
Component:
Branches:
How to reproduce
Paste below code into an attachment's comment field:<img src=X onerror=alert(document.domain)>Should show up as illustrated:
Affected components
- TopicInteractionPlugin (as per report)
- Foswiki Core
References
Timeline
- 2022-04-26: First contact request via security@vendor.com -> report wasn't received due to misconfigured email delivery system
- 2022-05-09: Second contact by Lauritz Holtmann via Slack
- 2022-05-09: Issue confirmed by Michael Daum, hotfix applied to foswiki.org and blog.foswiki.org, Foswiki security mailing list was informed
- 2022-05-09: a new version of TopicInteractionPlugin has been released
Credits
This security vulnerability was found by Christian Pöschl of usd AG (https://herolab.usd.de/).Hotfix for Foswiki-2.1.7
diff --git a/lib/Foswiki/Attach.pm b/lib/Foswiki/Attach.pm
index ee74352..e9d278e 100644
--- a/lib/Foswiki/Attach.pm
+++ b/lib/Foswiki/Attach.pm
@@ -245,7 +245,7 @@ sub _expandAttrs {
elsif ( $attr eq 'COMMENT' ) {
my $comment = $info->{comment};
if ($comment) {
- $comment =~ s/\|/|/g;
+ $comment = Foswiki::entityEncode($comment);
}
else {
$comment = '';
diff --git a/lib/Foswiki/UI/Attach.pm b/lib/Foswiki/UI/Attach.pm
index 79d303d..584a535 100644
--- a/lib/Foswiki/UI/Attach.pm
+++ b/lib/Foswiki/UI/Attach.pm
@@ -103,7 +103,6 @@ sub attach {
my $filePath = $args->{path} || $fileName;
$tmpl =~ s/%FILEPATH%/$filePath/g;
- $args->{comment} = Foswiki::entityEncode( $args->{comment} );
$tmpl =~ s/%FILECOMMENT%/$args->{comment}/g;
$tmpl = $topicObject->expandMacros($tmpl);
As you can see there always was some means in place to entity-encode comments. However this was only a partial fix in the Foswiki::UI::Attach layer. The actual call to Foswiki::entityEncode($comment) was moved into the Foswiki::Attach module,
where it belongs.
-- MichaelDaum - 09 Jun 2022
A new version for TopicInteractionPlugin has been released separately. The TIP release does not mention the XSS related fixes as long as Foswiki-2.1.8 isn't out yet.
-- MichaelDaum - 09 Jun 2022
ItemTemplate edit
| Summary | possible XSS attack in attachment comments |
| ReportedBy | MichaelDaum |
| Codebase | |
| SVN Range | |
| AppliesTo | Engine |
| Component | |
| Priority | Security |
| CurrentState | Closed |
| WaitingFor | |
| Checkins | |
| TargetRelease | patch |
| ReleasedIn | 2.1.8 |
| CheckinsOnBranches | |
| trunkCheckins | |
| masterCheckins | |
| ItemBranchCheckins | |
| Release02x01Checkins | |
| Release02x00Checkins | |
| Release01x01Checkins |
| I | Attachment | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|
 png |
955-436-max.png | manage | 39 K | 09 Jun 2022 - 11:31 | MichaelDaum |
Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r3 - 06 Aug 2023, MichaelDaum
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy