Links & resources urls are unsanitised

Bug #1009774 reported by Richard Mansfield
This bug affects 1 person
Affects: Mahara
Status: Fix Released
Importance: High
Assigned to: Melissa Draper
Milestone: (empty)

Bug Description

Discovered by Emanuel Bronshtein. Present in all versions, requires an admin account.

 Configure site -> Menus -> Add External Link:
 http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/site/menu.php
 Add new Link:
 Name: XSS
 Linked to: javascript:alert(location)
 click "Add".
 ...
 fix: Allow only whitelisted protocols (http,https,mailto).

The sanitize_url function should be used for this.

Richard Mansfield (richard-mansfield) wrote :

Using sanitize_url() fixes the problem, but breaks links if used as-is, because it removes anything without an explicit protocol, or anything not in (http, https, ftp).

Melissa Draper (melissa) wrote :

The final patch for this is at https://reviews.mahara.org/#/c/1451/

security vulnerability: yes → no
visibility: private → public
Changed in mahara:
assignee: nobody → Melissa Draper (melissa)
status: Confirmed → Fix Released
Melissa Draper (melissa)
security vulnerability: no → yes
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/1460
Committed: http://gitorious.org/mahara/mahara/commit/e47eea0381645be217c516a43411e4998e70c404
Submitter: Hugh Davenport (<email address hidden>)
Branch: master

commit e47eea0381645be217c516a43411e4998e70c404
Author: Melissa Draper <email address hidden>
Date: Mon Jul 9 14:25:03 2012 +1200

    Sanitize links in links and resources menu (bug #1009774)

    Links placed in the links and resources list have not been getting
    checked and so have been displayed unfiltered to users and other
    admins. These user-supplied links are now checked with sanitize_url
    which has been extended to convert relative links to absolute.

    Change-Id: I679627c4e33621df82705c39e77e7226ffef5a97
    Signed-off-by: Melissa Draper <email address hidden>
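
The fix described in the commit message above (check the scheme against an allowlist, convert relative links to absolute instead of dropping them), sketched in PHP as an added example. This is not Mahara's sanitize_url() or any other code from the project; the function name, the allowlist (taken from the reporter's suggestion) and the mahara.example base URL are assumptions.

```php
<?php
// Added example; NOT Mahara's sanitize_url(). Names and the allowlist are assumptions.
const EXAMPLE_ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Return a safe absolute URL for a menu link, or '' if it must be rejected.
 * $wwwroot is the site base URL, e.g. "https://mahara.example/" (constructed).
 */
function example_sanitize_menu_url(string $url, string $wwwroot): string {
    $url = trim($url);
    // Browsers strip tabs/newlines inside URLs, so "java\tscript:" still runs.
    // Reject any control character instead of trying to clean it up.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return '';
    }
    // Explicit scheme: accept only allowlisted ones, compared case-insensitively.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return in_array(strtolower($m[1]), EXAMPLE_ALLOWED_SCHEMES, true) ? $url : '';
    }
    // Protocol-relative link: pin it to the scheme of the site itself.
    if (strncmp($url, '//', 2) === 0) {
        return parse_url($wwwroot, PHP_URL_SCHEME) . ':' . $url;
    }
    // No scheme: treat as relative to the site and make it absolute,
    // so internal links keep working instead of being dropped.
    return rtrim($wwwroot, '/') . '/' . ltrim($url, '/');
}

// Constructed sample inputs.
$wwwroot = 'https://mahara.example/';
$samples = [
    'javascript:alert(location)',   // the value from the report
    "JaVa\tScRiPt:alert(1)",        // mixed case plus an embedded tab
    'data:text/html,<b>x</b>',      // scheme not on the allowlist
    'https://example.org/help',
    'mailto:admin@example.org',
    'artefact/file/index.php',      // relative, no leading slash
    '/admin/site/menu.php',         // relative to the site root
];
foreach ($samples as $s) {
    $clean = example_sanitize_menu_url($s, $wwwroot);
    // Escape on output as well; checking the scheme does not replace HTML escaping.
    printf("%-34s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES),
        $clean === '' ? '(rejected)' : htmlspecialchars($clean, ENT_QUOTES, 'UTF-8'));
}
```

The first three samples are rejected, the two allowlisted URLs pass through unchanged, and the two relative paths come back prefixed with the site base URL.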

This report contains Public Security information  
Everyone can see this security related information.
