
Item13796: Topics that process URLPARAM input with CALC / CALCULATE macros can be used to inject script tags.

Priority: Security
Current State: Closed
Released In: 2.0.3
Target Release: patch
Applies To: Engine
Branches: master
Reported By: JozefMojzis
Waiting For:
Last Change By: GeorgeClark
True remote XSS - you do not need to be logged in.

-- JozefMojzis - 05 Oct 2015

This is pretty much going to apply to any topic that uses %URLPARAM with the default "safe" encoding. The %-based exploit is going to get around safe encoding. I tried adding % to the default encoding, but it broke a lot of stuff. This needs some thought.

-- GeorgeClark - 05 Oct 2015

The solution is to block CALC / CALCULATE macros from emitting < or > from any functions. Per our security procedures, these attacks are considered Severity 3, and are handled through the normal task reporting process. No CVE notification is required.

-- Main.GeorgeClark - 16 Oct 2015 - 02:54
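As an added illustration (not Foswiki's code and not part of this task's checkins), a small Python model of the output-side fix described above: input-side "safe" encoding of a URL parameter cannot help once a character-producing function such as $CHAR turns a harmless-looking numeric argument into <, so the CALC result itself is filtered before it reaches the page. The function set, the safe_encode character set and the {p} template marker are assumptions of the model, not Foswiki's real implementation.

```python
import re

# Constructed miniature of a few CALC-style functions; an illustrative
# model only, not Foswiki's own CALC/CALCULATE implementation.
FUNCTIONS = {
    "CHAR": lambda a: chr(int(a)),
    "HEXDECODE": lambda a: bytes.fromhex(a).decode("latin-1"),
    "UPPER": lambda a: a.upper(),
    "NOP": lambda a: a,
}
# Matches an innermost $FUNC(args) call (args contain no parentheses).
FUNC_RE = re.compile(r"\$([A-Z]+)\(([^()]*)\)")

def safe_encode(value):
    """Model of an input-side 'safe' encoding of a URL parameter.
    The character set here is an assumption of this example."""
    return (value.replace("&", "&amp;").replace('"', "&quot;")
                 .replace("'", "&#39;").replace("<", "&lt;").replace(">", "&gt;"))

def evaluate(formula):
    """Expand innermost $FUNC(args) calls until no call remains."""
    while True:
        expanded = FUNC_RE.sub(lambda m: FUNCTIONS[m.group(1)](m.group(2)), formula)
        if expanded == formula:
            return expanded
        formula = expanded

def neutralize(text):
    """Output-side mitigation modelled on the fix described in the task:
    whichever function produced it, no literal < or > reaches the page.
    Already-encoded entities such as &lt; are left alone (no double encoding)."""
    return text.replace("<", "&lt;").replace(">", "&gt;")

def render(template, param, harden):
    """A topic substitutes the (input-encoded) parameter into a formula and
    CALC evaluates it; with harden=True the result is filtered on output."""
    result = evaluate(template.replace("{p}", safe_encode(param)))
    return neutralize(result) if harden else result

# Constructed topic text that hands the parameter to a function.
TEMPLATE = "$CHAR({p})"

def demo():
    # Input encoding leaves "60" untouched, so the function synthesises "<"
    # unless the output filter is in place.
    return render(TEMPLATE, "60", harden=False), render(TEMPLATE, "60", harden=True)
```

Input that arrives already encoded (for example a parameter value of `<b>` passed through `$NOP`) stays `&lt;b&gt;` under the filter, so the mitigation does not double-encode legitimate output.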


Codebase: 2.0.2, trunk
Checkins: distro:e5009a2ede56 distro:54b7aa740f4f distro:7710f98b6e53
Checkins on branches: master
Topic revision: r9 - 16 Nov 2015, GeorgeClark
