XSS in URI attributes in the externalfeed block

Bug #798136 reported by Teemu Vesala
Affects       Status        Importance  Assigned to     Milestone
Mahara        Fix Released  High        Melissa Draper
Mahara 1.3    Fix Released  High        Melissa Draper

Bug Description

I have the following "item" snippet in an RSS feed:

    <item>
        <title>PS3 and Lara Croft</title>
        <pubDate>Wed, 29 Sep 2010 18:44:15 +0300</pubDate>
        <description>Description</description>
        <link>javascript:alert(1)</link>
        <guid>javascript:alert(1)</guid>
        <comments>http://www.example.net/7606/#comments</comments>
    </item>

When the link is created for the RSS item, the guid with the javascript: protocol is left as is. So an attacker can create a group, link their own carefully crafted RSS feed, load it into a Group page, and when a user clicks a news item from it, the XSS is executed.

Changed in mahara:
importance: Undecided → Critical
milestone: none → 1.4.1
status: New → Triaged
importance: Critical → High
Melissa Draper (melissa)
Changed in mahara:
assignee: nobody → Melissa Draper (melissa)
François Marier (fmarier) wrote: Re: XSS in URI attributes

A quick update on this one. It turns out that the problem could be much larger than just the external feed block: we need to also run the contents of URI attributes through HTML purifier because template auto-escaping doesn't help here.

So what we're going to do is look through the whole codebase looking for "href", "src" and "action" attributes:

- in the Dwoo templates
- in the code where we create HTML by hand
- in the "action" attribute of forms (Pieforms mostly)

Ideally, we should produce these attribute-containing HTML tags in PHP land so that we can push them to the template and pipe them through |clean_html.
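The reporter's feed and the point made in the comment above (attribute escaping does not help against a javascript: URI), as an added example in PHP. This is not Mahara code: the feed XML is constructed for the demo, and safe_uri, render_item_unsafe, render_item_safe and the scheme allowlist are assumptions about what such a check needs to do, not Mahara's API. The actual fix route proposed here is HTML Purifier (whose URI.AllowedSchemes directive enforces the same kind of allowlist); the hand-written check below just makes the logic visible.

```php
<?php
// Added example, not Mahara code: reproduces the externalfeed problem from the
// report and shows one way to filter URI attributes before they are rendered.
// The feed XML is constructed for this demo; the helper names and the scheme
// allowlist are assumptions, not Mahara's API.
declare(strict_types=1);

const FEED_XML = <<<'XML'
<rss version="2.0"><channel><title>demo feed</title>
  <item>
    <title>PS3 and Lara Croft</title>
    <link>javascript:alert(1)</link>
    <guid>javascript:alert(1)</guid>
  </item>
  <item>
    <title>Harmless item</title>
    <link>https://www.example.net/7606/</link>
    <guid>https://www.example.net/7606/</guid>
  </item>
  <item>
    <title>Obfuscated item</title>
    <link>&#x09;JaVaScRiPt&#58;alert(2)</link>
    <guid>&#x09;JaVaScRiPt&#58;alert(2)</guid>
  </item>
</channel></rss>
XML;

// Only these schemes may appear in href/src/action values we emit. An allowlist
// beats a 'javascript:' denylist, which would still let vbscript: or data: through.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto'];

/**
 * Return $uri if it is relative or uses an allowed scheme, else $fallback.
 * Normalises the way browsers do before scheme detection: leading/trailing
 * C0 controls and spaces are dropped, and tabs/newlines inside are removed,
 * so "\tjavascript:" or "java\nscript:" cannot sneak past the check.
 */
function safe_uri(string $uri, string $fallback = '#'): string
{
    $u = preg_replace('/^[\x00-\x20]+|[\x00-\x20]+$/', '', $uri);
    $u = str_replace(["\t", "\n", "\r"], '', $u);
    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ':'
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true) ? $u : $fallback;
    }
    return $u; // no scheme: relative URL, cannot select a protocol handler
}

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// What the vulnerable block effectively did: the guid goes straight into href,
// protected only by attribute escaping. Escaping stops breaking out of the
// attribute, but a javascript: URI contains no HTML metacharacters, so it survives.
function render_item_unsafe(SimpleXMLElement $item): string
{
    return sprintf('<a href="%s">%s</a>', esc((string) $item->guid), esc((string) $item->title));
}

// Hardened: decide whether the URI is acceptable before escaping it into the attribute.
function render_item_safe(SimpleXMLElement $item): string
{
    return sprintf('<a href="%s">%s</a>', esc(safe_uri((string) $item->guid)), esc((string) $item->title));
}

$rss = new SimpleXMLElement(FEED_XML);
foreach ($rss->channel->item as $item) {
    echo "unsafe: " . render_item_unsafe($item) . "\n";
    echo "safe:   " . render_item_safe($item) . "\n\n";
}
```

Run it with `php example.php`. For the first item the unsafe renderer emits `<a href="javascript:alert(1)">`, unchanged by htmlspecialchars, while the safe renderer emits `href="#"`. The third item shows why the normalisation step matters: the XML parser turns `&#x09;` into a real tab, the unsafe output keeps that tab inside the attribute, and a browser strips it before reading the scheme, so a check that only looks for the literal prefix `javascript:` would pass it. The harmless https item goes through both renderers untouched.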

summary: - XSS at Group page "External Feed"-component
+ XSS in URI attributes
Changed in mahara:
status: Triaged → In Progress
Changed in mahara:
status: In Progress → Confirmed
Richard Mansfield (richard-mansfield) wrote:

Richard Mansfield (richard-mansfield) wrote:

Richard Mansfield (richard-mansfield) wrote:

Richard Mansfield (richard-mansfield) wrote:

Melissa Draper (melissa) wrote:

All these patches work against the associated Stable branches.

Changed in mahara:
status: Confirmed → In Progress
summary: - XSS in URI attributes
+ XSS in URI attributes in the external feed block
summary: - XSS in URI attributes in the external feed block
+ XSS in URI attributes in the externalfeed block
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public
This report contains Public Security information  