Priority: Security
Current State: Closed
Released In: 2.1.3
Target Release: patch
Follow this link
https://foswiki.org/System/BeginnersStartHere?%27onmouseover=%27confirm()%27 and hover over the "Start presentation" button.
This will execute the provided JavaScript code immediately.
Confirmed on Firefox. Chrome prints an XSS alert message on the console and displays a white page.
Reported by
WhiteHat Security (VULN ID - 50376672)
Inspecting the plugin shows that it adds the query string unchecked to the markup.
Hotfix for 2.x
--- a/SlideShowPlugin/lib/Foswiki/Plugins/SlideShowPlugin/SlideShow.pm
+++ b/SlideShowPlugin/lib/Foswiki/Plugins/SlideShowPlugin/SlideShow.pm
@@ -34,15 +34,14 @@ sub init {
$this->{params} = \%params;
my $request = Foswiki::Func::getRequestObject();
- $this->{queryString} = $request->queryString;
my @params;
foreach my $name ( $request->multi_param ) {
next if $name =~ /\b(slideshow|cover)\b/;
- my $key = _urlEncode($name);
+ my $key = Foswiki::urlEncode($name);
push @params,
- map { $key . "=" . _urlEncode( defined $_ ? $_ : '' ) }
+ map { $key . "=" . Foswiki::urlEncode( defined $_ ? $_ : '' ) }
scalar( $request->param($name) );
}
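Review bot: With the `queryString` assignment gone, `@params` is the only remaining carrier of request data into the generated link, so the fix holds only if `Foswiki::urlEncode` leaves no character that is significant at the place where `@params` is later joined into markup; that emit site is outside this hunk (`init` continues past the closing brace), and nothing here records the contract. A comment on the loop would pin it for the next maintainer, e.g. `# @params is later interpolated into HTML: every key and value must be URL-encoded here so no quote, angle bracket or parenthesis survives`. The unchanged `next if $name =~ /\b(slideshow|cover)\b/` filter is unanchored, so a name such as `cover-x` is also dropped; if the intent is exactly those two names, `/\A(?:slideshow|cover)\z/` says so. The same `queryString` removal appears in the 1.1.9 hunk at line 35.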
Hotfix for 1.1.9:
--- a/lib/Foswiki/Plugins/SlideShowPlugin/SlideShow.pm
+++ b/lib/Foswiki/Plugins/SlideShowPlugin/SlideShow.pm
@@ -34,7 +34,6 @@ sub init {
$this->{params} = \%params;
my $request = Foswiki::Func::getRequestObject();
- $this->{queryString} = $request->queryString;
my @params;
foreach my $name ( $request->multi_param ) {
@@ -285,7 +284,7 @@ sub _htmlAlert {
sub _urlEncode {
my $text = shift;
- $text =~ s/([^0-9a-zA-Z-_.:~!*'()\/%])/'%'.sprintf('%02x',ord($1))/ge;
+ $text =~ s{([^0-9a-zA-Z-_.:~!*/])}{sprintf('%%%02x',ord($1))}ge;
$text =~ s/\%20/+/g;
return $text;
}
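Review bot: The narrowed allowlist in the new substitution is the actual hardening (`'`, `(`, `)` and `%` are now encoded), but nothing in `_urlEncode` says why it deviates from a plain RFC 3986 encoder, so a later cleanup could reinstate them; add a comment above the `s{}{}` such as `# Deliberately narrower than RFC 3986 unreserved/sub-delims: the result is embedded in HTML markup, so quotes, parentheses and a literal % must never pass through unencoded`. `sprintf('%%%02x', ord($1))` only produces a valid escape for code points below 0x100; if `$text` can hold decoded wide characters here — not visible from the hunk — each would need a byte conversion such as `utf8::encode` before this loop. The trailing `s/\%20/+/g` remains consistent with the new allowlist, since a literal `+` in the input is itself encoded by the first substitution.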
--
MichaelDaum - 31 Jul 2016