Item14377: Error message requires some encoding.
Priority: Security
Current State: Closed
Released In: 2.1.4
Target Release: patch
One of two possible issues reported by:
tim.coen@curesec.com
Reflected XSS
=============
CVSS
----
Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
-----------
The topic parameter of various rest components is vulnerable to reflected XSS.
POC
---
/foswiki/bin/rest/JQueryPlugin/tmpl?topic=<img src=no onerror=alert(1)>&load=edittoolbar
/foswiki/bin/rest/WysiwygPlugin/tml2html?&topic=<img src=no onerror=alert(1)>&text=test
The issue is caused by failing to encode an error message generated by the UI::Rest handler. This issue does not impact the upcoming Foswiki 2.2, which has implemented a new method of parsing requests.
Any rest handler is vulnerable.
Hotfix:
index 11b0192..b844b9d 100644
--- a/core/lib/Foswiki/UI/Rest.pm
+++ b/core/lib/Foswiki/UI/Rest.pm
@@ -102,7 +102,9 @@ sub rest {
unless ( $topic =~ m/\.|\// ) {
$res->header( -type => 'text/html', -status => '400' );
$err = 'ERROR: (400) Invalid REST invocation'
- . " - Invalid topic parameter $topic\n";
+ . " - Invalid topic parameter: "
+ . Foswiki::entityEncode($topic)
+ . "\n";
$res->print($err);
$session->logger->log( 'warning', "REST rejected: "
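Review bot: The `$session->logger->log( 'warning', "REST rejected: "` call at the end of the hunk is cut off, so it is not visible whether the raw `$topic` is also written to the log; since the same attacker-controlled value is now encoded for the HTTP body, please confirm the logged copy is escaped too (or that the logger strips newlines), otherwise the log line inherits the injection the 400 response just fixed. `Foswiki::entityEncode` is the right choice for the `$err` text because the response is sent with `-type => 'text/html'`; the `"\n"` kept as a separate concatenation is fine but could be folded into the preceding string. As this change only covers the `Invalid topic parameter` branch, the other error paths in `rest` that report request parameters should be checked for the same missing encoding.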
Note that either entityEncode or urlEncode can be used. All of the other error messages use URL encoding; however, entity encoding makes for a more readable error.
--
GeorgeClark - 12 Apr 2017