
Item375: Eliminate use of URLPARAM in docs so it becomes an XSS trap

Priority: Urgent
Current State: Closed
Released In: 1.0.0
Target Release: patch
Applies To: Engine
Component: Documentation
Branches:
Reported By: KennethLavrsen
Waiting For: Main.KennethLavrsen
Last Change By: KwangErnLiew
A few XSS issues - a few topics need %URLPARAM% to be used with proper syntax, e.g. TWiki.ResetPassword and TWiki.WebSearch need to be updated for handling URLPARAM encoding in a better way.

This is an encoding issue on URL parameters.

This is parallel to TWiki bug TWikibug:Item6137.

We will however re-evaluate the fixes one more time.

Note that this is a release blocker.

-- KennethLavrsen - 01 Dec 2008

%QUERYSTRING% and %QUERYPARAMS% are vulnerable as well.

_encode() should get a 'safe' & 'none' option as well, defaulting to 'safe'.

-- MichaelDaum - 04 Dec 2008
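The report above and Michael's suggestion of a 'safe' / 'none' option for _encode() both come down to one thing: a URL parameter value must be entity-encoded before it is echoed into a topic, or a value such as `"<script>…</script>` breaks out of the attribute it is placed in. The following is an added illustration, written in Python rather than Foswiki's Perl, and is not code from this task or from the Foswiki code base. The function names (`encode_param`, `url_param`, `render_reset_form`), the `safe` / `entity` / `none` mode names and the sample query string are all constructed for the example; they do not describe how Foswiki's ENCODE or URLPARAM are actually implemented.

```python
import html
import urllib.parse

# Constructed sample query string (not taken from the page): the username value
# is a percent-encoded "<script>...</script>" payload of the kind an unencoded
# %URLPARAM% would echo straight into the rendered topic.
SAMPLE_QUERY = 'username=%22%3cscript%3ealert(1)%3c%2fscript%3e&refresh=on'


def encode_param(value, mode='safe'):
    """Encode a decoded URL parameter value for insertion into HTML.

    Modes are an assumption for this example, mirroring the 'safe' / 'none'
    idea from the discussion:
      'safe'   - entity-encode the characters that can close a tag or an
                 attribute: & < > " '   (default, what a macro should do)
      'entity' - entity-encode every character (strictest form)
      'none'   - return the raw value; only acceptable where the value never
                 reaches an HTML context
    """
    if mode == 'none':
        return value
    if mode == 'safe':
        # quote=True also encodes " and ' so the value cannot end an attribute
        return html.escape(value, quote=True)
    if mode == 'entity':
        return ''.join('&#%d;' % ord(ch) for ch in value)
    raise ValueError('unknown encode mode: %r' % mode)


def url_param(query_string, name, default='', encode='safe'):
    """Look up one parameter in a query string and return it HTML-encoded.

    parse_qs percent-decodes the value, so the encoding step has to happen
    here, after decoding, or the payload would survive untouched.
    """
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    raw = params.get(name, [default])[0]
    return encode_param(raw, encode)


def render_reset_form(query_string, encode='safe'):
    """Render the username field of a hypothetical reset-password form.

    With encode='none' this is the vulnerable pattern the task describes;
    with the default 'safe' mode the payload stays inside the attribute.
    """
    value = url_param(query_string, 'username', encode=encode)
    return '<input type="text" name="username" value="%s" />' % value


def contains_script_tag(markup):
    """Crude check used to show whether a live <script> element got through."""
    return '<script' in markup.lower()


if __name__ == '__main__':
    print('none :', render_reset_form(SAMPLE_QUERY, encode='none'))
    print('safe :', render_reset_form(SAMPLE_QUERY))
```

The point to notice is the order of operations: percent-decoding happens when the parameter is parsed, so the only place a value can be made safe is on the way into the HTML, and the default has to be the encoding mode, with the raw mode something a topic author must ask for explicitly.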

QUERYSTRING seems safe.

QUERYPARAMS is not. Fixed in Item393.

ENCODE updated with safe type also on Item393.

Keeping this open. Still working on doc work.

-- KennethLavrsen - 05 Dec 2008

Ah, ok, I was not able to repro the QUERYSTRING exploit on this twiki. It def was working on a client's 4.1.2.

-- MichaelDaum - 05 Dec 2008

Another one: ORIGURL.

Use something like
http://.../login/System/ResetPassword?origurl=/System/ResetPassword%3fusername%3d%22%3cscript%3ealert('3y3%200wn%20j00%20TWIKI')%3c/script%3e%3brefresh%3don

To get a popup.

-- MichaelDaum - 05 Dec 2008

That was cool that you spotted that. I normally test with Apache Login so I had not seen this one at all.

Tracked and fixed on Item405.

-- KennethLavrsen - 07 Dec 2008

ItemTemplate

Summary: Eliminate use of URLPARAM in docs so it becomes an XSS trap
ReportedBy: KennethLavrsen
Codebase:
SVN Range: TWiki-4.2.3, Wed, 06 Aug 2008, build 17396
AppliesTo: Engine
Component: Documentation
Priority: Urgent
CurrentState: Closed
WaitingFor: KennethLavrsen
Checkins: distro:093d090d3423 distro:de76e575f0c9 distro:d6ce1b5c4c84 RevCommentPlugin:a73b8cdd5635
TargetRelease: patch
ReleasedIn: 1.0.0
Topic revision: r12 - 08 Jan 2009, KwangErnLiew