Logged-in user's name unescaped in top right header

Bug #1009777 reported by Richard Mansfield
Affects: Mahara
Status: Fix Released
Importance: High
Assigned to: Richard Mansfield
Milestone: (none listed)

Bug Description

Discovered by Emanuel Bronshtein. Present in 1.5

 By changing "Display name" in Content->Profile:
 http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/artefact/internal/
 to:
 XSS<script>alert(1)</script>
 then clicking "Save profile",
 the JavaScript code is executed on every request to Mahara pages once the user logs in to the system.
 (Unfiltered HTML is printed near "Settings" at the top of the page.)
---

I think the display_default_name function should be added as a dwoo plugin, along the lines of display_name (see htdocs/lib/dwoo/mahara/plugins/function.display_name.php); other calls to display_default_name in templates should be modified to avoid double-escaping.

In the long term, perhaps we should reconsider the policy for calls to PHP functions in the Dwoo templates. I believe the policy can be changed to disallow calls to arbitrary PHP functions, or to escape the output from them, but a change like that would require testing all our templates, and lots of work for third-party plugins and themes.
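As an added illustration of the fix proposed above (not Mahara's own code), this script shows the shape of a Dwoo plugin that HTML-escapes the result of display_default_name() exactly once, and why template calls that kept their own escaping would then double-escape. The `hsc()` wrapper, the `display_default_name()` stand-in and the `$user` object are constructed here so the script runs without Mahara or Dwoo; the plugin is assumed to follow the calling convention of function.display_name.php, which receives the Dwoo instance as its first argument.

```php
<?php
// Added example illustrating the fix described in the bug report.
// Stand-ins below let the script run without Mahara or Dwoo.

// Stand-in for Mahara's hsc() helper (an htmlspecialchars wrapper);
// ENT_QUOTES is used so the result is also safe inside attributes.
function hsc($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for display_default_name(): returns the raw, user-chosen
// display name, falling back to first and last name.
function display_default_name($user) {
    if (!empty($user->preferredname)) {
        return $user->preferredname;
    }
    return trim($user->firstname . ' ' . $user->lastname);
}

// The plugin: a template call such as {display_default_name user=$USER}
// is routed here, so the raw value is escaped once before it is output.
function Dwoo_Plugin_display_default_name($dwoo, $user) {
    return hsc(display_default_name($user));
}

// Constructed user carrying the payload quoted in the bug description.
$user = (object) array(
    'preferredname' => 'XSS<script>alert(1)</script>',
    'firstname'     => 'Ada',
    'lastname'      => 'Lovelace',
);

// Before the fix: templates called the PHP function directly and the
// header printed its return value unescaped.
$before = display_default_name($user);

// After the fix: the plugin output is inert markup.
$after = Dwoo_Plugin_display_default_name(null, $user);

// A template that kept its own escape modifier on top of the plugin
// would double-escape: "&lt;" becomes "&amp;lt;" and shows up literally,
// which is why the existing calls have to be modified as well.
$double = hsc($after);

echo "before: $before\n";
echo "after:  $after\n";
echo "double: $double\n";

assert(strpos($after, '<script') === false);
assert($double !== $after);
```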

Richard Mansfield (richard-mansfield) wrote:

Patch for master. You may need to remove dwoo/cache and dwoo/compile from dataroot before this takes effect.

Richard Mansfield (richard-mansfield) wrote:
Melissa Draper (melissa)
Changed in mahara:
status: Confirmed → Won't Fix
status: Won't Fix → Fix Released
assignee: nobody → Richard Mansfield (richard-mansfield)
visibility: private → public
Mahara Bot (dev-mahara) wrote: A change has been merged

Reviewed: https://reviews.mahara.org/1457
Committed: http://gitorious.org/mahara/mahara/commit/47e3906d6791b93b7eaf1d6500828924b10b2bb6
Submitter: Hugh Davenport (<email address hidden>)
Branch: master

commit 47e3906d6791b93b7eaf1d6500828924b10b2bb6
Author: Richard Mansfield <email address hidden>
Date: Mon Jun 11 17:16:37 2012 +1200

    Add display_default_name dwoo plugin (bug #1009777)

    This just html escapes the output of display_default_name. Existing
    calls are modified to avoid double escaping.

    Change-Id: I117a748a4d4cdb3313377f3441bbd20567a88fcb
    Signed-off-by: Richard Mansfield <email address hidden>

This report contains Public Security information. Everyone can see this security-related information.