Foswiki > Tasks Web > Item13796 (16 Nov 2015, GeorgeClark)

Item13796: Topics that process URLPARAM input with CALC / CALCULATE macros can be used to inject script tags.

Priority: Security
Current State: Closed
Released In: 2.0.3
Target Release: patch
Applies To: Engine
Component:
Branches: master
Reported By: JozefMojzis
Waiting For:
Last Change By: GeorgeClark
True remote XSS - no need to be logged in.

-- JozefMojzis - 05 Oct 2015

This is pretty much going to apply to any topic that uses %URLPARAM with the default "safe" encoding. The %-based exploit is going to get around safe encoding. I tried adding % to the default encoding, but it broke a lot of stuff. This needs some thought.

-- GeorgeClark - 05 Oct 2015

The solution is to block CALC / CALCULATE macros from emitting < or > from any functions. Per our security procedures, these attacks are considered Severity 3, and are handled through the normal task reporting process. No CVE notification is required.

-- Main.GeorgeClark - 16 Oct 2015 - 02:54
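The two comments above describe an input-side defence (URLPARAM's default "safe" entity encoding) that a macro can get around, and an output-side fix (CALC / CALCULATE are never allowed to emit a raw `<` or `>`). The following is an added illustration of that sink-side guard in Python; it is not Foswiki code. The `SAFE_ENCODING` character set, the `toy_engine` evaluator and all function names are constructed assumptions, and the evaluator deliberately implements no bypass: the point is that the guard holds regardless of what the engine produces.

```python
import re

# Assumed approximation of URLPARAM's default "safe" encoding set; the real
# Foswiki set is not quoted in the task, so this is a constructed stand-in.
SAFE_ENCODING = {"<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def urlparam_safe_encode(value: str) -> str:
    """Input-side defence: entity-encode a URL parameter before expansion."""
    return "".join(SAFE_ENCODING.get(ch, ch) for ch in value)


def guard_calc_output(result: str) -> str:
    """Output-side fix from the task: whatever a CALC function evaluated to,
    the macro may not emit a raw '<' or '>' into the rendered topic."""
    return result.replace("<", "&lt;").replace(">", "&gt;")


def render_calc(expression: str, engine) -> str:
    """Expand one CALC macro: evaluate with the (hypothetical) spreadsheet
    engine passed in, then apply the guard at the sink, not at the input."""
    return guard_calc_output(engine(expression))


# Matches an opening or closing tag start such as "<script" or "</b".
RAW_TAG = re.compile(r"<\s*/?\s*[A-Za-z]")


def contains_raw_tag(rendered: str) -> bool:
    """Regression check for rendered topic text: is any raw tag opener left?"""
    return RAW_TAG.search(rendered) is not None


def toy_engine(expression: str) -> str:
    """Constructed stand-in for the spreadsheet evaluator (not Foswiki's).
    It only understands $SUM(a,b); anything else is returned unchanged."""
    match = re.fullmatch(r"\$SUM\((\d+),(\d+)\)", expression.strip())
    if match:
        return str(int(match.group(1)) + int(match.group(2)))
    return expression


if __name__ == "__main__":
    # Constructed sample: an engine result that happens to contain markup.
    out = render_calc("<script>x</script>", lambda expr: expr)
    print(out, contains_raw_tag(out))
```

Encoding at the sink is what makes the fix independent of the macro's internals: the input encoding can stay as it is (George's note explains why widening it to include `%` broke legitimate values), and no sequence of CALC functions can turn an encoded parameter back into a tag that reaches the browser, because the only characters that matter for tag injection are neutralised on the way out. The `contains_raw_tag` helper is the kind of check to run over rendered output in a test suite when such a fix is backported.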


ItemTemplate

Summary: Topics that process URLPARAM input with CALC / CALCULATE macros can be used to inject script tags.
ReportedBy: JozefMojzis
Codebase: 2.0.2, trunk
SVN Range:
AppliesTo: Engine
Component:
Priority: Security
CurrentState: Closed
WaitingFor:
Checkins: distro:e5009a2ede56 distro:54b7aa740f4f distro:7710f98b6e53
TargetRelease: patch
ReleasedIn: 2.0.3
CheckinsOnBranches: master
trunkCheckins:
masterCheckins: distro:e5009a2ede56 distro:54b7aa740f4f distro:7710f98b6e53
ItemBranchCheckins:
Release01x01Checkins:
Topic revision: r9 - 16 Nov 2015, GeorgeClark
