Roundup Tracker - Issues

Message4410

Author davidben
Recipients davidben
Date 2011-09-04.15:02:20
Message-id <1315148540.86.0.257866476584.issue2550724@psf.upfronthosting.co.za>
In-reply-to
The ok_message parameter is filtered by a regular expression to attempt to restrict the tags. The check isn't strict enough and can be bypassed as follows. This leaves the site vulnerable to a cross-site scripting attack and allows an attacker to run arbitrary javascript within Roundup's origin.

http://issues.roundup-tracker.org/?@ok_message=%3C%3Cscript%20%3E%3Ealert(42)%3B5%3C%3C%2Fscript%20%3E%3E

(The string is "<<script >>alert(42);5<</script >>")

The regular expression also does not escape an unclosed tag (which gets closed later by stray >s in the page), although this is less obviously exploitable.

http://issues.roundup-tracker.org/?@ok_message=%3Cscript%20

It could also be possible to create a link to a javascript: URL and trick the user into clicking it, although the check for links in the regular expression doesn't work. '<a href="http://example.com">' gets parsed as a tag named 'a href="http://example.com"' because * is greedy. Given that the check evidently doesn't work anyway, it's probably better to disallow it altogether and avoid the need for a more complex and error-prone filter.
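Added illustration (not code from the report or from Roundup itself): a hypothetical allowlist filter built around the greedy pattern the report describes, next to the full-escaping alternative it recommends, with a crude helper that reports which raw tags a browser would still see in the output. The regex, the ALLOWED set and tag_names are assumptions made for this example, not Roundup's actual code.

```python
import html
import re

# Hypothetical reconstruction of a tag-filtering regex of the kind the
# report describes (NOT Roundup's actual code): a tag whose name is in an
# allowlist is kept, anything else has its outer angle brackets escaped.
# The greedy .* is the defect the report points at: it swallows nested
# brackets and attributes into the "tag name".
ALLOWED = {"a", "i", "b", "br"}
_TAG = re.compile(r"<(/?(.*))>")


def filter_naive(message: str) -> str:
    def repl(m):
        name = m.group(2).strip().lower()
        if name in ALLOWED:
            return m.group(0)
        # Only the outer < and > are escaped; inner ones survive untouched.
        return "&lt;%s&gt;" % m.group(1)
    return _TAG.sub(repl, message)


def filter_hardened(message: str) -> str:
    # What the report suggests: disallow tags altogether and escape
    # everything, so no filter logic needs to be right.
    return html.escape(message, quote=True)


def tag_names(rendered: str) -> list:
    # Assessment helper: a bare "<" followed by "/" or a letter is where an
    # HTML tokenizer starts a tag, so list the tag names still present.
    return [m.group(1).lower()
            for m in re.finditer(r"<(/?[a-zA-Z][^\s>]*)", rendered)]


if __name__ == "__main__":
    samples = ["<<script >>alert(42);5<</script >>",   # from the report
               "<script ",                              # unclosed tag
               '<a href="http://example.com">']         # legitimate link
    for s in samples:
        print(repr(s), "naive ->", tag_names(filter_naive(s)),
              "hardened ->", tag_names(filter_hardened(s)))
```

The naive filter lets the nested and unclosed script tags through while blocking the one link it was meant to allow; the hardened version yields no tags for any input.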
History

Date                 User      Action   Args
2011-09-04 15:02:20  davidben  set      recipients: + davidben
2011-09-04 15:02:20  davidben  set      messageid: <1315148540.86.0.257866476584.issue2550724@psf.upfronthosting.co.za>
2011-09-04 15:02:20  davidben  link     issue2550724 messages
2011-09-04 15:02:20  davidben  create