Author davidben
Date 2011-09-04.15:02:20
The ok_message parameter is filtered by a regular expression to attempt to restrict the tags. The check isn't strict enough 
and can be bypassed as follows. This leaves the site vulnerable to a cross-site scripting attack and allows an attacker to 
run arbitrary javascript within Roundup's origin.

(The string is "<<script >>alert(42);5<</script >>")

The regular expression also does not escape an unclosed tag (which gets closed later by stray >s in the page), although 
this is less obviously exploitable.

It could also be possible to create a link to a javascript: URL and trick the user into clicking it, although the check for links 
in the regular expression doesn't work. '<a href="">' gets parsed as a tag named 'a 
href=""' because * is greedy. Given that the check evidently doesn't work anyway, it's probably better 
to disallow it altogether and avoid the need for a more complex and error-prone filter.
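As an added illustration, not Roundup's code and not part of davidben's report, the following Python models a regex tag filter with the two weaknesses described above (a greedily captured "tag name" checked against an allow-list, and escaping that leaves the captured text itself untouched), runs the quoted bypass string through it, and contrasts it with the escape-everything approach the report recommends. The allow-list, the regex and the helper names are assumptions.

```python
import html
import re

# Constructed model of the kind of regex tag filter the report describes.
# This is NOT Roundup's own code; it only reproduces the two behaviours
# named in the report: the "tag name" is whatever the regex captured between
# < and >, and a disallowed tag is escaped by wrapping the capture in
# &lt; ... &gt; while the capture itself is copied through unchanged.
ALLOWED_TAGS = {"b", "i", "em", "strong", "a"}
TAG_RE = re.compile(r"<(/?)([^>]*)>")

# Constructed sample input: the bypass string quoted in the report.
PAYLOAD = '<<script >>alert(42);5<</script >>'


def naive_filter(message):
    """Escape every tag whose captured name is not on the allow-list."""
    def repl(m):
        slash, name = m.group(1), m.group(2)
        # '<a href="">' captures 'a href=""', so the intended link tag is rejected.
        if name in ALLOWED_TAGS:
            return m.group(0)
        # Only the outer brackets are escaped; 'name' may itself contain '<',
        # so '<<script >>' comes out as '&lt;<script &gt;>', a live script tag.
        return "&lt;" + slash + name + "&gt;"
    return TAG_RE.sub(repl, message)


def strict_filter(message):
    """What the report recommends: allow no markup at all, escape everything."""
    return html.escape(message, quote=True)


LIVE_SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def has_live_script(rendered):
    """Detection helper: does the filtered output still contain a raw <script tag?"""
    return LIVE_SCRIPT_RE.search(rendered) is not None


if __name__ == "__main__":
    for f in (naive_filter, strict_filter):
        out = f(PAYLOAD)
        print("%-14s live script: %-5s %s" % (f.__name__, has_live_script(out), out))
```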
