
Item375: Eliminate use of URLPARAM in docs so it becomes an XSS trap

Priority: Urgent
Current State: Closed
Released In: 1.0.0
Target Release: patch
Applies To: Engine
Component: Documentation
Reported By: KennethLavrsen
Waiting For: Main.KennethLavrsen
Last Change By: KwangErnLiew
A few XSS issues - a few topics need %URLPARAM% to be used with proper syntax, e.g. TWiki.ResetPassword and TWiki.WebSearch need to be updated to handle URLPARAM encoding in a better way.

This is an encoding issue on URL parameters.

This is parallel to TWiki bug TWikibug:Item6137

We will however re-evaluate the fixes one more time

Note that this is a release blocker.

-- KennethLavrsen - 01 Dec 2008

%QUERYSTRING% and %QUERYPARAMS% are vulnerable as well.

_encode() should get a 'safe' & 'none' option as well, defaulting to 'safe'.

-- MichaelDaum - 04 Dec 2008
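As an added illustration of the 'safe' / 'none' encode behaviour MichaelDaum is asking for above (example code written for this page, not Foswiki's own _encode()), the following Python models a doc topic that echoes a URL parameter into an HTML attribute. The character set used for 'safe' (the five characters ' " < > %) is this example's assumption; encoding % as well means the output can neither break out of the attribute nor be re-read as a %MACRO% on the next rendering pass.

```python
# Added example (not Foswiki code): contrast an unencoded URL parameter
# with the 'safe' encoding the thread proposes as the default.

# Assumed 'safe' character set: these five characters become numeric
# entities so the value cannot open a tag, end an attribute, or form
# a %MACRO% that the renderer would expand again.
SAFE_CHARS = {
    "'": "&#39;",
    '"': "&#34;",
    "<": "&#60;",
    ">": "&#62;",
    "%": "&#37;",
}

def encode(value: str, kind: str = "safe") -> str:
    """Encode a URL parameter value for inclusion in wiki/HTML output.

    kind='none' returns the raw value (the behaviour the report
    complains about); kind='safe' (the default) neutralises it.
    """
    if kind == "none":
        return value
    if kind == "safe":
        return "".join(SAFE_CHARS.get(ch, ch) for ch in value)
    raise ValueError(f"unknown encode type: {kind}")

# Hypothetical template standing in for a doc topic that writes
# %URLPARAM{"search"}% into a form field.
PREFIX = '<input type="text" name="search" value="'
SUFFIX = '" />'

def render_search_box(param: str, kind: str = "safe") -> str:
    """Render the constructed search form with the echoed parameter."""
    return PREFIX + encode(param, kind) + SUFFIX

def echoed_value_is_inert(html: str) -> bool:
    """Defender-side check: the echoed value must contain none of the
    characters that could close the attribute, start a tag, or be
    re-expanded as a macro."""
    if not (html.startswith(PREFIX) and html.endswith(SUFFIX)):
        return False
    value = html[len(PREFIX):-len(SUFFIX)]
    return not any(c in value for c in "<>\"'%")

if __name__ == "__main__":
    # Constructed sample input: closes the attribute and injects a tag.
    sample = '"><b>injected</b>'
    print(render_search_box(sample, "none"))   # attribute broken out of
    print(render_search_box(sample, "safe"))   # stays inside the attribute
    print(encode("%QUERYSTRING%"))             # macro can no longer expand
```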

QUERYSTRING seems safe.

QUERYPARAMS not. Fixed in Item393.

ENCODE updated with safe type also on Item393

Keeping this open. Still working on doc work.

-- KennethLavrsen - 05 Dec 2008

Ah, ok, I was not able to repro the QUERYSTRING exploit on this twiki. It def was working on a client's 4.1.2.

-- MichaelDaum - 05 Dec 2008

Another one: ORIGURL.

Use something like

To get a popup.

-- MichaelDaum - 05 Dec 2008

That was cool that you spotted that. I normally test with Apache Login so I had not seen this one at all.

Tracked and fixed on Item405

-- KennethLavrsen - 07 Dec 2008


Summary: Eliminate use of URLPARAM in docs so it becomes an XSS trap
ReportedBy: KennethLavrsen
SVN Range: TWiki-4.2.3, Wed, 06 Aug 2008, build 17396
AppliesTo: Engine
Component: Documentation
Priority: Urgent
CurrentState: Closed
WaitingFor: KennethLavrsen
Checkins: distro:093d090d3423 distro:de76e575f0c9 distro:d6ce1b5c4c84 RevCommentPlugin:a73b8cdd5635
TargetRelease: patch
ReleasedIn: 1.0.0
Topic revision: r12 - 08 Jan 2009, KwangErnLiew