
Item14377: Error message requires some encoding.

Priority: Security
Current State: Closed
Released In: 2.1.4
Target Release: patch
Applies To: Engine
Component: FoswikiUIRest
Branches: Release02x01 master Item14288
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
One of two possible issues reported by: tim.coen@curesec.com

Reflected XSS
=============

    CVSS
    ----

        Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Description
    -----------

        The topic parameter of various rest components is vulnerable to reflected XSS.

    POC
    ---

        /foswiki/bin/rest/JQueryPlugin/tmpl?topic=<img src=no onerror=alert(1)>&load=edittoolbar
        /foswiki/bin/rest/WysiwygPlugin/tml2html?&topic=<img src=no onerror=alert(1)>&text=test

The issue is caused by failing to encode an error message generated by the UI::Rest handler. This issue does not impact the upcoming Foswiki 2.2, which has implemented a new method of parsing requests.

Any REST handler is vulnerable, because the unencoded error message is generated in the shared Foswiki::UI::Rest dispatcher rather than in the individual handlers.

Hotfix:

index 11b0192..b844b9d 100644
--- a/core/lib/Foswiki/UI/Rest.pm
+++ b/core/lib/Foswiki/UI/Rest.pm
@@ -102,7 +102,9 @@ sub rest {
         unless ( $topic =~ m/\.|\// ) {
             $res->header( -type => 'text/html', -status => '400' );
             $err = 'ERROR: (400) Invalid REST invocation'
-              . " - Invalid topic parameter $topic\n";
+              . " - Invalid topic parameter: "
+              . Foswiki::entityEncode($topic)
+              . "\n";
             $res->print($err);
             $session->logger->log( 'warning', "REST rejected: "
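Review bot: entity-encoding $topic in the 400 body is the right choice given the `-type => 'text/html'` header set two lines earlier, but the hunk stops at the truncated `$session->logger->log( 'warning', "REST rejected: "` call; confirm in the same pass that what it appends is also sanitised (at minimum that newlines in $topic cannot break the log line), since the raw value is still in scope there. The thread also notes the other error branches in this sub use urlEncode; unifying them on Foswiki::entityEncode would keep every text/html error body encoded the same way and give future branches one safe pattern to copy.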

Note that either entityEncode or urlEncode can be used. All of the other error messages use URL encoding; however, entity encoding makes for a more readable error.

-- GeorgeClark - 12 Apr 2017
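To make the point above concrete, here is an added example (not Foswiki code) that builds the REST 400 error body the way the pre-hotfix code did, then with entity encoding as in the hotfix, and finally with URL encoding as the other error messages do; the two encoders are minimal stand-ins whose behaviour is assumed to match Foswiki::entityEncode (numeric entities) and Foswiki::urlEncode (percent-encoding), and the input is the topic value from the proof of concept.

```perl
#!/usr/bin/perl
# Added example, not part of Foswiki: compares the three ways of
# reflecting the topic parameter into a text/html error body.
use strict;
use warnings;

# Assumed stand-in for Foswiki::entityEncode: HTML metacharacters
# become numeric character references.
sub entity_encode {
    my ($s) = @_;
    $s =~ s/([&<>"'])/sprintf('&#%d;', ord($1))/ge;
    return $s;
}

# Assumed stand-in for Foswiki::urlEncode: everything outside the
# unreserved set is percent-encoded.
sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-_.~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Error body before the hotfix (raw interpolation) and the two
# encoded variants discussed in the thread.
sub error_body_raw    { "ERROR: (400) Invalid REST invocation - Invalid topic parameter $_[0]\n" }
sub error_body_entity { "ERROR: (400) Invalid REST invocation - Invalid topic parameter: " . entity_encode($_[0]) . "\n" }
sub error_body_url    { "ERROR: (400) Invalid REST invocation - Invalid topic parameter: " . url_encode($_[0]) . "\n" }

# True if the body still contains a tag start, i.e. a browser handed
# this as text/html would parse markup out of it.
sub contains_markup { return $_[0] =~ /<[A-Za-z]/ ? 1 : 0 }

# Constructed input: the topic value from the task's proof of concept.
my $topic = '<img src=no onerror=alert(1)>';

for my $case ( [ 'raw',    error_body_raw($topic) ],
               [ 'entity', error_body_entity($topic) ],
               [ 'url',    error_body_url($topic) ] ) {
    my ( $name, $body ) = @$case;
    printf "%-6s markup=%d  %s", $name, contains_markup($body), $body;
}
```

Only the raw variant reports markup=1; the entity-encoded body shows the offending value almost verbatim (`&#60;img src=no onerror=alert(1)&#62;`), which is why it reads better in an error than the percent-encoded form.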

 
Topic revision: r5 - 16 Feb 2018, GeorgeClark