Item375: Eliminate use of URLPARAM in docs so it becomes an XSS trap
| Priority: | Urgent |
| CurrentState: | Closed |
| AppliesTo: | Engine |
| Component: | Documentation |
| WaitingFor: | Main.KennethLavrsen |
A few XSS issues - a few topics need %URLPARAM% to be used with proper syntax, e.g. TWiki.ResetPassword and TWiki.WebSearch need to be updated to handle URLPARAM encoding in a better way.

This is an encoding issue on URL parameters.

This is parallel to TWiki bug TWikibug:Item6137. We will however re-evaluate the fixes one more time.

Note that this is a release blocker.

-- KennethLavrsen - 01 Dec 2008
%QUERYSTRING% and %QUERYPARAMS% are vulnerable as well.

_encode() should get a 'safe' & 'none' option as well, defaulting to 'safe'.

-- MichaelDaum - 04 Dec 2008
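To make the 'safe' versus 'none' distinction concrete, here is an added illustration (not Foswiki's own code) of a tiny %URLPARAM% expander: with no encoding a reflected parameter lands verbatim in the page, with the 'safe' default the characters `'"<>%` become HTML entities before they reach the HTML. The entity set is assumed to mirror ENCODE type="safe"; the template and query string are constructed here to model the ResetPassword username field.

```python
import re
from urllib.parse import parse_qs

# Assumed 'safe' encoding: the characters ' " < > % become numeric HTML entities.
SAFE_MAP = {"'": "&#39;", '"': "&#34;", "<": "&#60;", ">": "&#62;", "%": "&#37;"}


def encode_safe(value: str) -> str:
    """Entity-encode the characters that can break out of an HTML attribute or element."""
    return "".join(SAFE_MAP.get(ch, ch) for ch in value)


# Matches %URLPARAM{"name"}% with an optional encode="safe"|"none" parameter.
URLPARAM_RE = re.compile(
    r'%URLPARAM\{"(?P<name>[^"]+)"(?:\s+encode="(?P<enc>safe|none)")?\}%'
)


def expand_urlparam(template: str, query: str, default_encode: str = "safe") -> str:
    """Replace each %URLPARAM{...}% in template with the matching query parameter.

    Percent-decoding is done by parse_qs, so a %3C in the URL arrives as '<' and
    must still be encoded before it is written into the page.
    """
    params = parse_qs(query, keep_blank_values=True)

    def substitute(match: re.Match) -> str:
        value = params.get(match.group("name"), [""])[0]
        encoding = match.group("enc") or default_encode
        return value if encoding == "none" else encode_safe(value)

    return URLPARAM_RE.sub(substitute, template)


# Constructed sample: a form field that echoes the 'username' URL parameter,
# and a query string carrying the classic attribute-breakout probe.
TEMPLATE = '<input type="text" name="username" value="%URLPARAM{"username"}%" />'
QUERY = 'username="><script>alert(1)</script>'


def is_injected(html: str) -> bool:
    """True when the probe's script element survived expansion unencoded."""
    return "<script>" in html


if __name__ == "__main__":
    print("default none:", expand_urlparam(TEMPLATE, QUERY, default_encode="none"))
    print("default safe:", expand_urlparam(TEMPLATE, QUERY))
```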
QUERYSTRING seems safe. QUERYPARAMS not. Fixed in Item393.

ENCODE updated with safe type also on Item393.

Keeping this open. Still working on doc work.

-- KennethLavrsen - 05 Dec 2008
Ah, OK, I was not able to repro the QUERYSTRING exploit on this TWiki. It def was working on a client's 4.1.2.

-- MichaelDaum - 05 Dec 2008
Another one: ORIGURL. Use something like

http://.../login/System/ResetPassword?origurl=/System/ResetPassword%3fusername%3d%22%3cscript%3ealert('3y3%200wn%20j00%20TWIKI')%3c/script%3e%3brefresh%3don

to get a popup.

-- MichaelDaum - 05 Dec 2008
That was cool that you spotted that. I normally test with Apache Login so I had not seen this one at all.

Tracked and fixed on Item405.

-- KennethLavrsen - 07 Dec 2008