XSS in URI attributes in the externalfeed block
Bug #798136 reported by Teemu Vesala
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Melissa Draper |
1.3 | Fix Released | High | Melissa Draper |
Bug Description
I have the following "Item" snippet in an RSS feed:
<item>
<title>PS3 and Lara Croft</title>
</item>
When the link is created for the RSS item, a guid with the javascript: protocol is left as such. So an attacker can create a group, link their own carefully crafted RSS feed, load it into a group page, and when a user clicks a news item from it, the XSS is executed.
Changed in mahara:
- importance: Undecided → Critical
- milestone: none → 1.4.1
- status: New → Triaged
- importance: Critical → High

Changed in mahara:
- assignee: nobody → Melissa Draper (melissa)

Changed in mahara:
- status: In Progress → Confirmed

Changed in mahara:
- status: Confirmed → In Progress

summary: XSS in URI attributes → XSS in URI attributes in the external feed block

summary: XSS in URI attributes in the external feed block → XSS in URI attributes in the externalfeed block

Changed in mahara:
- status: In Progress → Fix Released
- visibility: private → public
A quick update on this one. It turns out that the problem could be much larger than just the external feed block: we also need to run the contents of URI attributes through HTML Purifier, because template auto-escaping doesn't help here.
So what we're going to do is look through the whole codebase for "href", "src" and "action" attributes:
- in the Dwoo templates
- in the code where we create HTML by hand
- in the "action" attribute of forms (Pieforms mostly)
Ideally, we should produce these attribute-containing HTML tags in PHP land so that we can push them to the template and pipe them through |clean_html.
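The following is an added example, not Mahara's code and not the reporter's feed. It models the two points made on this page: the bug report, where a feed item's guid holding a javascript: URL is used as the item link unchanged, and the comment above, where output escaping in the template does not help because a javascript: URL survives htmlspecialchars() intact. The feed items and the alert(1) payload are constructed for the demonstration, and safe_href() is a hypothetical scheme-allowlist helper standing in for the HTML Purifier pass the comment proposes.

```php
<?php
// Added example (not Mahara's code). Shows why escaping an href is not enough
// and what a URI scheme allowlist does instead. Feed below is constructed.

$rss = <<<'XML'
<rss version="2.0"><channel>
<item>
<title>PS3 and Lara Croft</title>
<guid isPermaLink="true">javascript:alert(1)</guid>
</item>
<item>
<title>Obfuscated scheme</title>
<guid isPermaLink="true">  JaVa&#9;ScRiPt:alert(1)</guid>
</item>
<item>
<title>Harmless item</title>
<guid isPermaLink="true">https://example.org/posts/1</guid>
</item>
</channel></rss>
XML;

/**
 * Hypothetical helper: keep a URL only if its scheme is on the allowlist,
 * otherwise return ''. Scheme-less (relative) URLs are kept. Control
 * characters and whitespace are removed before the check because browsers
 * ignore them inside the scheme, so "java\tscript:" would still execute.
 */
function safe_href(string $url, array $allowed = ['http', 'https', 'mailto', 'ftp']): string
{
    $stripped = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $stripped, $m)) {
        return in_array(strtolower($m[1]), $allowed, true) ? $url : '';
    }
    return $url;   // no scheme at all: a relative link, nothing to execute
}

/**
 * Render one feed item both ways: escaped only (the behaviour the report
 * describes) and allowlisted before escaping (the fix). Returns both strings.
 */
function render_item(SimpleXMLElement $item): array
{
    $title = htmlspecialchars((string) $item->title, ENT_QUOTES, 'UTF-8');
    $link  = (string) $item->guid;   // per the report, the guid becomes the link as-is

    // htmlspecialchars() only touches < > & " ' ; "javascript:" passes through.
    $escaped_only = sprintf('<a href="%s">%s</a>',
        htmlspecialchars($link, ENT_QUOTES, 'UTF-8'), $title);

    // Validate the URI first, then escape for the attribute context.
    $allowlisted = sprintf('<a href="%s">%s</a>',
        htmlspecialchars(safe_href($link), ENT_QUOTES, 'UTF-8'), $title);

    return ['escaped_only' => $escaped_only, 'allowlisted' => $allowlisted];
}

$feed = simplexml_load_string($rss);
foreach ($feed->channel->item as $item) {
    $out = render_item($item);
    echo "escaped only: {$out['escaped_only']}\n";   // javascript: link survives for the first two items
    echo "allowlisted:  {$out['allowlisted']}\n\n";  // href="" for those two, the https link is kept
}
```

The escaped-only output is well-formed HTML and still executes on click, which is the comment's point: attribute escaping protects the markup, not the URL inside it. HTML Purifier applies this kind of scheme allowlist to href and src through its URI.AllowedSchemes setting, which is why the comment wants those attributes routed through it; the same check belongs on form action attributes, as the comment lists, since an action is an href by another name.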