Mahara

Links & resources urls are unsanitised

Bug #1009774 reported by Richard Mansfield on 2012-06-06

260

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Mahara	Fix Released	High	Melissa Draper	Mahara 1.4.3

Bug Description

Discovered by Emanuel Bronshtein. Present in all versions, requires an admin account.

Configure site -> Menus -> Add External Link:
http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/site/menu.php
Add new Link:
Name: XSS
Linked to: javascript:alert(location)
click "Add".
...
fix: Allow only whitelisted protocols (http,https,mailto).

The sanitize_url function should be used for this.

Revision history for this message

Richard Mansfield (richard-mansfield) wrote on 2012-06-11:

Using sanitize_url() fixes the problem, but breaks links if used as-is, because it removes anything without an explicit protocol, or anything not in (http, https, ftp).

Revision history for this message

Richard Mansfield (richard-mansfield) wrote on 2012-06-19:

master and 1.5 Edit (1.6 KiB, text/plain)

Revision history for this message

Richard Mansfield (richard-mansfield) wrote on 2012-06-19:

1.4 Edit (1.6 KiB, text/plain)

Revision history for this message

Richard Mansfield (richard-mansfield) wrote on 2012-06-19:

1.2 Edit (1.7 KiB, text/plain)

Revision history for this message

Melissa Draper (melissa) wrote on 2012-07-31:

The final patch for this is at https://reviews.mahara.org/#/c/1451/

security vulnerability:	yes → no
visibility:	private → public
Changed in mahara:
assignee:	nobody → Melissa Draper (melissa)
status:	Confirmed → Fix Released

Melissa Draper (melissa) on 2012-07-31

security vulnerability:

no → yes

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2012-07-31: A change has been merged

Reviewed: https://reviews.mahara.org/1460
Committed: http://gitorious.org/mahara/mahara/commit/e47eea0381645be217c516a43411e4998e70c404
Submitter: Hugh Davenport (<email address hidden>)
Branch: master

commit e47eea0381645be217c516a43411e4998e70c404
Author: Melissa Draper <email address hidden>
Date: Mon Jul 9 14:25:03 2012 +1200

Sanitize links in links and resources menu (bug #1009774)

    Links placed in the links and resources list have not been getting
    checked and so have been displayed unfiltered to users and other
    admins. These user-supplied links are now checked with sanitize_url
    which has been extended to convert relative links to absolute.

Change-Id: I679627c4e33621df82705c39e77e7226ffef5a97
Signed-off-by: Melissa Draper <email address hidden>

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.