Foswiki > Tasks Web > Item14125 (18 Feb 2017, GeorgeClark)

Item14125: "Start Presentation" button needs further sanitization.

Priority: Security
Current State: Closed
Released In: 2.1.3
Target Release: patch
Applies To: Extension
Component: SlideShowPlugin
Branches: Release02x01 master Item13897 Item14152
Reported By: MichaelDaum
Waiting For: MichaelDaum
Last Change By: GeorgeClark
Follow this link https://foswiki.org/System/BeginnersStartHere?%27onmouseover=%27confirm()%27 and hover over the "Start presentation" button. This will execute the provided JavaScript code immediately.

Confirmed on Firefox. Chrome prints an XSS alert message on the console and displays a white page.

Reported by WhiteHat Security (VULN ID - 50376672)

Inspecting the plugin shows that it adds the query string unchecked to the markup.

Hotfix for 2.x

--- a/SlideShowPlugin/lib/Foswiki/Plugins/SlideShowPlugin/SlideShow.pm
+++ b/SlideShowPlugin/lib/Foswiki/Plugins/SlideShowPlugin/SlideShow.pm
@@ -34,15 +34,14 @@ sub init {
     $this->{params} = \%params;
 
     my $request = Foswiki::Func::getRequestObject();
-    $this->{queryString} = $request->queryString;
 
     my @params;
     foreach my $name ( $request->multi_param ) {
         next if $name =~ /\b(slideshow|cover)\b/;
 
-        my $key = _urlEncode($name);
+        my $key = Foswiki::urlEncode($name);
         push @params,
-          map { $key . "=" . _urlEncode( defined $_ ? $_ : '' ) }
+          map { $key . "=" . Foswiki::urlEncode( defined $_ ? $_ : '' ) }
           scalar( $request->param($name) );
     }
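Review bot: the removed `$this->{queryString} = $request->queryString;` line is the source of the unchecked query string, but this hunk shows none of the code that read that key; confirm every place the button markup used $this->{queryString} now takes the string rebuilt from @params, otherwise the link is assembled from an undefined value. With both the name and the value now going through Foswiki::urlEncode, the private _urlEncode is no longer called here, so its definition should be deleted in the same change rather than left around as a permissive variant someone can reach for again. Separately, `next if $name =~ /\b(slideshow|cover)\b/` is a word-boundary match, not an equality test, so a parameter named e.g. `my-cover` is silently dropped; `next if $name eq 'slideshow' or $name eq 'cover'` is what is meant.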

Hotfix for 1.1.9:

--- a/lib/Foswiki/Plugins/SlideShowPlugin/SlideShow.pm
+++ b/lib/Foswiki/Plugins/SlideShowPlugin/SlideShow.pm
@@ -34,7 +34,6 @@ sub init {
     $this->{params} = \%params;
 
     my $request = Foswiki::Func::getRequestObject();
-    $this->{queryString} = $request->queryString;
 
     my @params;
     foreach my $name ( $request->multi_param ) {
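Review bot: same removal as in the 2.x hotfix and the same open question, since the consumers of $this->{queryString} are outside this hunk: verify no other sub in the 1.1.9 module still reads it. Unlike the 2.x hotfix this version keeps calling the private _urlEncode for the rebuilt parameters, so the whole fix for 1.1.9 rests on the character-class change to that function; that should be stated in the commit message so a later "cleanup" of the regex is not mistaken for a cosmetic edit.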
@@ -285,7 +284,7 @@ sub _htmlAlert {
 
 sub _urlEncode {
     my $text = shift;
-    $text =~ s/([^0-9a-zA-Z-_.:~!*'()\/%])/'%'.sprintf('%02x',ord($1))/ge;
+    $text =~ s{([^0-9a-zA-Z-_.:~!*/])}{sprintf('%%%02x',ord($1))}ge;
     $text =~ s/\%20/+/g;
     return $text;
 }
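Review bot: the old class `[^0-9a-zA-Z-_.:~!*'()\/%]` whitelisted ' ( ) and %, which is exactly why the reported parameter name `'onmouseover` and value `'confirm()'` came back untouched and the apostrophe could close a single-quoted href; the new class `[^0-9a-zA-Z-_.:~!*/]` drops them, so the quote becomes %27 and the parentheses %28 %29. Dropping % is also correct: the input here is already-decoded parameter data, so a literal % must come out as %25 or the browser decodes it a second time. Two points on the "+" line: (1) the `-` after `Z` is a literal hyphen only because it follows a completed range; write the class as `[^0-9a-zA-Z_.:~!*/-]` with the hyphen last so the intent is explicit; (2) URL-encoding where the query string is rebuilt is the right layer, but the result still lands inside an HTML attribute, so the code that emits the link should entity-escape it (& < > " ') as well instead of relying on this whitelist never growing. The trailing `s/\%20/+/g` is fine because a literal `+` is not whitelisted and is itself emitted as %2b, so the two cannot be confused.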

-- MichaelDaum - 31 Jul 2016
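The round trip the two encoders give the reported payload, as an added example that is not SlideShowPlugin or Foswiki code: it decodes the parameter pair the way a CGI layer would, runs it through the pre-fix and post-fix _urlEncode taken from the 1.1.9 hunk, and shows what each version lets into a single-quoted href. The parse_query, button_markup and attr_escape helpers and the href shape are assumptions made for the demonstration; only the two encoder bodies come from the patch.

```perl
#!/usr/bin/perl
# Added example, not SlideShowPlugin code: replays the reported query string
# through the pre-fix and post-fix _urlEncode from the 1.1.9 hotfix and shows
# what each lets into a single-quoted href. parse_query, button_markup and
# attr_escape are assumptions made for the demonstration.
use strict;
use warnings;

# Pre-fix encoder (the "-" line of the hunk): ' ( ) / and % pass through.
sub url_encode_old {
    my $text = shift;
    $text =~ s/([^0-9a-zA-Z-_.:~!*'()\/%])/'%'.sprintf('%02x',ord($1))/ge;
    $text =~ s/\%20/+/g;
    return $text;
}

# Post-fix encoder (the "+" line): only unreserved characters pass.
sub url_encode_new {
    my $text = shift;
    $text =~ s{([^0-9a-zA-Z-_.:~!*/])}{sprintf('%%%02x',ord($1))}ge;
    $text =~ s/\%20/+/g;
    return $text;
}

# Minimal application/x-www-form-urlencoded decoding, i.e. the view a CGI
# layer hands the plugin: names and values arrive already percent-decoded.
sub url_decode {
    my $s = shift;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Assumed parser: split on ; or &, then on the first =, decode both halves.
sub parse_query {
    my $qs = shift;
    my @pairs;
    for my $pair ( split /[;&]/, $qs ) {
        my ( $name, $value ) = split /=/, $pair, 2;
        push @pairs,
          [ url_decode($name), url_decode( defined $value ? $value : '' ) ];
    }
    return @pairs;
}

# Rebuild name=value pairs with a given encoder, as the plugin's loop does.
sub rebuild_query {
    my ( $encode, @pairs ) = @_;
    return join ';',
      map { $encode->( $_->[0] ) . '=' . $encode->( $_->[1] ) } @pairs;
}

# Assumed shape of the emitted button link: a single-quoted href, which is
# what a payload built from %27 (an apostrophe) is aimed at.
sub button_markup {
    my $qs = shift;
    return "<a href='view?slideshow=on;$qs'>Start Presentation</a>";
}

# Defence in depth: escape for an HTML attribute at the point of insertion,
# independent of what the URL encoder happened to whitelist.
sub attr_escape {
    my $s   = shift;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Query string from the report: name 'onmouseover, value 'confirm()' once decoded.
my $reported = q{%27onmouseover=%27confirm()%27};
my @pairs    = parse_query($reported);

for my $variant ( [ 'pre-fix', \&url_encode_old ], [ 'post-fix', \&url_encode_new ] ) {
    my ( $label, $encode ) = @$variant;
    my $qs = rebuild_query( $encode, @pairs );
    print "$label _urlEncode: $qs\n";
    print "  markup: ", button_markup($qs), "\n";
}

# Even the permissive encoder cannot break out of the attribute once the
# emitter escapes at the insertion point.
print "pre-fix encoder + attr_escape at insertion: ",
  button_markup( attr_escape( rebuild_query( \&url_encode_old, @pairs ) ) ), "\n";
```

Run with `perl slideshow_xss_demo.pl`. The pre-fix line reproduces the report: the rebuilt string is `'onmouseover='confirm()'`, and inside the single-quoted href the leading apostrophe terminates the URL so that `onmouseover='confirm()'` becomes a second attribute. The post-fix encoder yields `%27onmouseover=%27confirm%28%29%27`, which stays inert in the attribute; the final line shows that escaping at the insertion point neutralises the same input regardless of which encoder produced it.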

 
Topic revision: r7 - 18 Feb 2017, GeorgeClark

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License