Message4410
The ok_message parameter is filtered by a regular expression to attempt to restrict the tags. The check isn't strict enough and can be bypassed as follows. This leaves the site vulnerable to a cross-site scripting attack and allows an attacker to run arbitrary JavaScript within Roundup's origin.
http://issues.roundup-tracker.org/?@ok_message=%3C%3Cscript%20%3E%3Ealert(42)%3B5%3C%3C%2Fscript%20%3E%3E
(The string is "<<script >>alert(42);5<</script >>")
The regular expression also does not escape an unclosed tag (which gets closed later by stray >s in the page), although this is less obviously exploitable.
http://issues.roundup-tracker.org/?@ok_message=%3Cscript%20
It could also be possible to create a link to a javascript: URL and trick the user into clicking it, although the check for links in the regular expression doesn't work. '<a href="http://example.com">' gets parsed as a tag named 'a href="http://example.com"' because * is greedy. Given that the check evidently doesn't work anyway, it's probably better to disallow it altogether and avoid the need for a more complex and error-prone filter.
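The two regex defects the message describes (a greedy `*` that swallows attributes into the "tag name", and an unclosed `<` that is never touched) and the all-escaping replacement it recommends, as an added example that is not Roundup's code: the allowlist, the `_NAIVE_TAG_RE` pattern and the function names are assumptions chosen to reproduce the described behaviour, not the tracker's real filter.

```python
import html
import re

# Hypothetical allowlist; Roundup's real list is not shown in the report.
ALLOWED_TAGS = {"b", "i", "em", "strong", "a"}

# Hypothetical pattern illustrating the defect the report describes: the greedy
# `.*` runs to the LAST `>` on the line, so the captured "name" of any tag that
# carries attributes (or of the first of two tags on a line) is never in the
# allowlist, while a `<` that is never followed by a `>` does not match at all.
_NAIVE_TAG_RE = re.compile(r"<(/?)([A-Za-z].*)>")


def naive_filter(message: str) -> str:
    """Regex tag-allowlist filter of the kind the report criticises (hypothetical)."""

    def _check(match):
        name = match.group(2)
        if name in ALLOWED_TAGS:
            return match.group(0)          # keep tags whose name is allowed
        return html.escape(match.group(0))  # neutralise everything else

    return _NAIVE_TAG_RE.sub(_check, message)


def hardened_filter(message: str) -> str:
    """What the report recommends instead: disallow markup altogether.

    Every `<`, `>`, `&` and quote is escaped, so the browser can only render
    the message as text, whatever tags or stray brackets it contains.
    """
    return html.escape(message, quote=True)


def contains_raw_markup(rendered: str) -> bool:
    """True if a rendered message still carries a character a browser could
    read as the start or end of a tag."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    # Constructed inputs; the last one is the payload quoted in the report.
    samples = [
        "<b>",
        "<b>bold</b>",
        '<a href="http://example.com">',
        "<script ",
        "<<script >>alert(42);5<</script >>",
    ]
    for s in samples:
        print(f"{s!r:45} naive={naive_filter(s)!r:60} hardened={hardened_filter(s)!r}")
```

Running the block shows the pattern of failure: the lone `<b>` passes, but `<b>bold</b>` and the link are rejected because the greedy capture makes their "name" `b>bold</b` and `a href="http://example.com"`, and `<script ` reaches the browser untouched because nothing matched it. The hardened variant needs no allowlist, so there is no name check to get wrong.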
Date | User | Action | Args
2011-09-04 15:02:20 | davidben | set | recipients: + davidben
2011-09-04 15:02:20 | davidben | set | messageid: <1315148540.86.0.257866476584.issue2550724@psf.upfronthosting.co.za>
2011-09-04 15:02:20 | davidben | link | issue2550724 messages
2011-09-04 15:02:20 | davidben | create |