Roundup Tracker - Issues

Issue 2550817

Classification
Title: XSS issue in user page with sort parameter.
Type: security
Severity: critical
Components: User Interface
Versions:

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: schlatterbeck
Nosy List: ber, iwontbecreative, schlatterbeck
Priority: high
Keywords:

Created on 2013-07-16 16:28 by iwontbecreative, last changed 2013-12-20 17:31 by schlatterbeck.

Messages
msg4915 Author: [hidden] (iwontbecreative) Date: 2013-07-16 16:28
Original report at: http://psf.upfronthosting.co.za/roundup/meta/issue519 about the python
modifier roundup bugtracker.

This post: http://mail.python.org/pipermail/python-committers/2013-July/002606.html
seems to highlight that this is a roundup security issue, while this confirms it:
http://issues.roundup-tracker.org/user?@sort=%3Cscript%3Ealert('XSS')%3C/script%3E%3Ch1%3E

XSS issues allow for many things, including stealing session cookies. It
might be worth reading the entire report on the python meta-tracker,
since it shows another issue closely related (also with the sort
parameter).

Thibault Févry

msg4916 Author: [hidden] (ber) Date: 2013-07-17 09:55
Thanks for the note. I guess we need to take a look.

msg4975 Author: [hidden] (schlatterbeck) Date: 2013-12-20 17:31
Fixed in commit 24b8011cd2dc.

Note that the bug with sort/group parameters is not in roundup core
currently; it took me a while to find out what you meant (roundup currently
doesn't issue an error message when you specify non-existing properties
in sort/group).
But having a 'structure' tag -- which indicates that the template will
not escape the text -- is asking for trouble. So I've reworked that part
and *all* messages (error and ok) are now escaped.

This *needs* a change to the template. So if you apply only the patch to
roundup core you're *more vulnerable than before*. Be sure to apply the
patch to the template, see doc/upgrading.txt.

I've already committed the necessary changes to roundup's roundup tracker.
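The following Python sketch is an added illustration of the point made in msg4975; it is not roundup's code and not the content of commit 24b8011cd2dc. It models a template tag that can emit a message either as raw "structure" (unescaped) or escaped, builds the kind of error text a bad sort property would produce, and uses an HTML parser to check which tags actually reach the rendered fragment. The function names, the sample property list and the error wording are all constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed list of sortable properties on a hypothetical "user" class.
KNOWN_SORT_PROPS = frozenset({"username", "address", "realname", "creation"})


def sort_error_text(prop: str) -> str:
    """Error text for a sort/group property the class does not have.

    The property name is user-controlled (it comes from the @sort query
    parameter), so whatever renders this text must escape it.
    """
    return f"Unknown sort property: {prop}"


def render_message(text: str, structure: bool = False) -> str:
    """Render a status/error message as an HTML fragment.

    structure=True models a template tag that trusts the text and inserts
    it verbatim (the behaviour the fix removed). The default path escapes
    every message, error or ok alike.
    """
    if structure:
        return f'<p class="error-message">{text}</p>'
    return f'<p class="error-message">{html.escape(text, quote=True)}</p>'


def render_sort_error(prop: str, structure: bool = False) -> str:
    """Validate the requested sort property and render the resulting message."""
    if prop in KNOWN_SORT_PROPS:
        return render_message(f"Sorted by {prop}", structure)
    return render_message(sort_error_text(prop), structure)


class _TagCollector(HTMLParser):
    """Collect every start tag the browser would see in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Return the start tags present in an HTML fragment, in order."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def only_wrapper_tag(fragment: str, wrapper: str = "p") -> bool:
    """True when the fragment contains no tag other than the wrapper."""
    return all(tag == wrapper for tag in tags_in(fragment))


if __name__ == "__main__":
    # Constructed input shaped like the report's @sort value.
    bad_prop = "<script>alert('XSS')</script><h1>"
    for structure in (True, False):
        out = render_sort_error(bad_prop, structure=structure)
        print(f"structure={structure}: tags={tags_in(out)} safe={only_wrapper_tag(out)}")
```

The check `only_wrapper_tag` is the one a defender wants in a template test: after the fix, a rendered message may contain exactly the wrapper element the template adds and nothing the user supplied, regardless of whether the message was an error or an ok notice.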
History
Date                 User             Action  Args
2013-12-20 17:31:27  schlatterbeck    set     status: new -> closed; assignee: schlatterbeck; resolution: fixed; messages: + msg4975
2013-07-17 09:55:05  ber              set     priority: high; nosy: + schlatterbeck, ber; messages: + msg4916
2013-07-16 16:28:53  iwontbecreative  create