Mahara ePortfolio

XSS in URI attributes in the externalfeed block

Reported by Teemu Vesala on 2011-06-16
Affects   Status   Importance   Assigned to      Milestone
Mahara             High         Melissa Draper   1.3
                   High         Melissa Draper

Bug Description

I have the following "Item" snippet in an RSS feed:

    <item>
        <title>PS3 and Lara Croft</title>
        <pubDate>Wed, 29 Sep 2010 18:44:15 +0300</pubDate>
        <description>Description</description>
        <link>javascript:alert(1)</link>
        <guid>javascript:alert(1)</guid>
        <comments>http://www.example.net/7606/#comments</comments>
    </item>

When the link is created for an RSS item, a guid with the javascript: protocol is left as is. So an attacker can create a group, link their own carefully crafted RSS feed, load it on one Group page, and when a user clicks a news item from it, the XSS is executed.

Changed in mahara:
importance: Undecided → Critical
milestone: none → 1.4.1
status: New → Triaged
importance: Critical → High
Melissa Draper (melissa) on 2011-09-29
Changed in mahara:
assignee: nobody → Melissa Draper (melissa)

A quick update on this one. It turns out that the problem could be much larger than just the external feed block: we need to also run the contents of URI attributes through HTML purifier because template auto-escaping doesn't help here.

So what we're going to do is look through the whole codebase looking for "href", "src" and "action" attributes:

- in the Dwoo templates
- in the code where we create HTML by hand
- in the "action" attribute of forms (Pieforms mostly)

Ideally, we should produce these attribute-containing HTML tags in PHP land so that we can push them to the template and pipe them through |clean_html.
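The scheme check described in the comment above, written here as an added Python example (it is not Mahara's PHP code or HTML Purifier): a URI taken from an untrusted feed's <link> or <guid> is allowed into an href only if it has no scheme or an allow-listed one; the function names and the allow-list are illustrative. The sample item is the one from the bug description.

```python
import xml.etree.ElementTree as ET
from html import escape
from urllib.parse import urlsplit

# Schemes permitted in href/src/action attributes (assumed allow-list).
# Anything else (javascript:, data:, vbscript:, ...) is rejected.
# Relative URIs have no scheme and pass through.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_uri(value):
    """Return a URI safe for href/src/action, or None if it is rejected."""
    if value is None:
        return None
    candidate = value.strip()
    # Browsers strip embedded tabs/newlines before reading the scheme, so
    # "java\tscript:" is still javascript: to them. Reject control chars
    # outright rather than trusting urlsplit's view of the scheme.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return None
    scheme = urlsplit(candidate).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    return candidate


def render_item_link(item_xml):
    """Render one RSS <item> as an anchor, preferring <link> and falling
    back to <guid>. If neither survives the scheme check, emit the title
    as plain text so no attacker-controlled URI reaches an href."""
    item = ET.fromstring(item_xml)
    title = escape(item.findtext("title", default=""))
    for tag in ("link", "guid"):
        href = safe_uri(item.findtext(tag))
        if href:
            return f'<a href="{escape(href, quote=True)}">{title}</a>'
    return f"<span>{title}</span>"


# The <item> from the bug report: both URI fields carry a javascript: scheme.
FEED_ITEM = """<item>
    <title>PS3 and Lara Croft</title>
    <pubDate>Wed, 29 Sep 2010 18:44:15 +0300</pubDate>
    <description>Description</description>
    <link>javascript:alert(1)</link>
    <guid>javascript:alert(1)</guid>
    <comments>http://www.example.net/7606/#comments</comments>
</item>"""

if __name__ == "__main__":
    print(render_item_link(FEED_ITEM))  # <span>PS3 and Lara Croft</span>
```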

summary: - XSS at Group page "External Feed"-component
+ XSS in URI attributes
Changed in mahara:
status: Triaged → In Progress
Changed in mahara:
status: In Progress → Confirmed
Melissa Draper (melissa) wrote:

All these patches work against the associated Stable branches.

Changed in mahara:
status: Confirmed → In Progress
summary: - XSS in URI attributes
+ XSS in URI attributes in the external feed block
summary: - XSS in URI attributes in the external feed block
+ XSS in URI attributes in the externalfeed block
Changed in mahara:
status: In Progress → Fix Released
visibility: private → public
This report contains Public Security information.
