Item375: Eliminate use of URLPARAM in docs so it becomes an XSS trap
| Priority: | CurrentState: | AppliesTo: | Component: | WaitingFor: |
| Urgent | Closed | Engine | Documentation | Main.KennethLavrsen |
A few XSS issues - a few topics need %URLPARAM% to be used with proper syntax, e.g. TWiki.ResetPassword and TWiki.WebSearch need to be updated to handle URLPARAM encoding in a better way.
This is an encoding issue on URL parameters.
This is parallel to TWiki bug TWikibug:Item6137.
We will however re-evaluate the fixes one more time.
Note that this is a release blocker.
-- KennethLavrsen - 01 Dec 2008
%QUERYSTRING% and %QUERYPARAMS% are vulnerable as well.
_encode() should get a 'safe' & 'none' option as well, defaulting to 'safe'.
-- MichaelDaum - 04 Dec 2008
QUERYSTRING seems safe. QUERYPARAMS not. Fixed in Item393.
ENCODE updated with safe type also on Item393.
Keeping this open. Still working on doc work.
-- KennethLavrsen - 05 Dec 2008
Ah, ok, I was not able to repro the QUERYSTRING exploit on this TWiki. It definitely was working on a client's 4.1.2.
-- MichaelDaum - 05 Dec 2008
Another one: ORIGURL. Use something like
http://.../login/System/ResetPassword?origurl=/System/ResetPassword%3fusername%3d%22%3cscript%3ealert('3y3%200wn%20j00%20TWIKI')%3c/script%3e%3brefresh%3don
to get a popup.
-- MichaelDaum - 05 Dec 2008
That was cool that you spotted that. I normally test with Apache Login so I had not seen this one at all.
Tracked and fixed on Item405.
-- KennethLavrsen - 07 Dec 2008