
Item375: Eliminate use of URLPARAM in docs so it becomes an XSS trap

Priority: Urgent
CurrentState: Closed
AppliesTo: Engine
Component: Documentation
WaitingFor: Main.KennethLavrsen
A few XSS issues: a few topics need %URLPARAM% to be used with proper syntax, e.g. TWiki.ResetPassword and TWiki.WebSearch need to be updated to handle URLPARAM encoding in a better way.

This is an encoding issue on URL parameters.

This is parallel to TWiki bug TWikibug:Item6137

We will however re-evaluate the fixes one more time

Note that this is a release blocker.

-- KennethLavrsen - 01 Dec 2008

%QUERYSTRING% and %QUERYPARAMS% are vulnerable as well.

_encode() should get a 'safe' & 'none' option as well, defaulting to 'safe'.

-- MichaelDaum - 04 Dec 2008

QUERYSTRING seems safe.

QUERYPARAMS is not. Fixed in Item393.

ENCODE updated with safe type also on Item393

Keeping this open. Still working on doc work.

-- KennethLavrsen - 05 Dec 2008

Ah, ok, I was not able to repro the QUERYSTRING exploit on this twiki. It definitely was working on a client's 4.1.2.

-- MichaelDaum - 05 Dec 2008

Another one: ORIGURL.

Use something like
http://.../login/System/ResetPassword?origurl=/System/ResetPassword%3fusername%3d%22%3cscript%3ealert('3y3%200wn%20j00%20TWIKI')%3c/script%3e%3brefresh%3don

To get a popup.

-- MichaelDaum - 05 Dec 2008
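The origurl payload quoted in the comment above, run through the 'safe' versus 'none' encoding option proposed earlier in this thread, as an added worked example. This is not Foswiki's code: the encode() function is modelled on what ENCODE type="safe" is understood to do (rewrite '"<>% as numeric entities and leave everything else alone; an assumption, not a quote of the implementation), the login template that reflects ORIGURL is a hypothetical text-context stand-in for the real one, and the host name wiki.example fills the host elided in the original URL.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed input: the attack URL from the discussion above, with the elided
# host filled in with a hypothetical name for this example only.
ATTACK_URL = (
    "http://wiki.example/login/System/ResetPassword?origurl="
    "/System/ResetPassword%3fusername%3d%22%3cscript%3ealert"
    "('3y3%200wn%20j00%20TWIKI')%3c/script%3e%3brefresh%3don"
)

# Hypothetical reflection point: the login page echoing ORIGURL as page text.
# The real login template is not reproduced here.
TEMPLATE = "<p>After logging in you will be returned to {origurl}.</p>"

# Characters rewritten by the 'safe' type. Assumption: modelled on Foswiki's
# ENCODE{type="safe"}, which turns '"<>% into numeric entities and leaves
# everything else (including &) untouched.
SAFE_CHARS = "'\"<>%"


def encode(value, kind="safe"):
    """Return `value` encoded according to `kind` ('safe' or 'none')."""
    if kind == "none":
        return value  # raw reflection: this is the XSS trap
    if kind == "safe":
        return "".join("&#%d;" % ord(c) if c in SAFE_CHARS else c for c in value)
    raise ValueError("unknown encode type: %r" % kind)


def origurl_param(url):
    """Extract and percent-decode the origurl query parameter of `url`."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("origurl", [""])[0]


def render(url, kind="safe"):
    """Reflect origurl from `url` into TEMPLATE with the given encode type."""
    return TEMPLATE.format(origurl=encode(origurl_param(url), kind))


class _TagCollector(HTMLParser):
    """Collects the start tags a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(html):
    """Start-tag names found in `html`, in document order."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print("decoded origurl:", origurl_param(ATTACK_URL))
    for kind in ("none", "safe"):
        page = render(ATTACK_URL, kind)
        print(kind, "->", tags_in(page))
        print("   ", page)
```

With type 'none' the decoded origurl lands in the page verbatim and the parser sees a real script element; with 'safe' the angle brackets and quotes become &#60; &#62; &#34; and only the paragraph remains. Note the caveat visible in SAFE_CHARS: 'safe' does not touch &, so it is a reflection guard, not a general HTML escaper.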

That was cool that you spotted that. I normally test with Apache Login so I had not seen this one at all.

Tracked and fixed on Item405

-- KennethLavrsen - 07 Dec 2008


Summary: Eliminate use of URLPARAM in docs so it becomes an XSS trap
ReportedBy: KennethLavrsen
Codebase:
SVN Range: TWiki-4.2.3, Wed, 06 Aug 2008, build 17396
AppliesTo: Engine
Component: Documentation
Priority: Urgent
CurrentState: Closed
WaitingFor: KennethLavrsen
Checkins: Foswikirev:1161 Foswikirev:1180 Foswikirev:1201
TargetRelease: patch
ReleasedIn: 1.0.0
Topic revision: r12 - 08 Jan 2009, KwangErnLiew