Item13796 (16 Nov 2015, GeorgeClark)

Item13796: Topics that process URLPARAM input with CALC / CALCULATE macros can be used to inject script tags.

Priority: Security
Current State: Closed
Released In: 2.0.3
Target Release: patch
Applies To: Engine
Component:
Branches: master
Reported By: JozefMojzis
Waiting For:
Last Change By: GeorgeClark
True remote XSS - no need to be logged in

-- JozefMojzis - 05 Oct 2015

This is pretty much going to apply to any topic that uses %URLPARAM with the default "safe" encoding. The % based exploit is going to get around safe encoding. I tried adding % to the default encoding, but it broke a lot of stuff. This needs some thought.

-- GeorgeClark - 05 Oct 2015

The solution is to block CALC / CALCULATE macros from emitting < or > from any functions. Per our security procedures, these attacks are considered Severity 3, and are handled through the normal task reporting process. No CVE notification is required.

-- Main.GeorgeClark - 16 Oct 2015 - 02:54
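The output-stage fix described above, as an added Python sketch (not Foswiki's Perl implementation); `toy_evaluate` and the `%CALC{...}%` regex are assumptions standing in for the real spreadsheet evaluator:

```python
import re

# Added illustration (not Foswiki's own code) of the mitigation described above:
# whatever a CALC / CALCULATE expansion evaluates to, "<" and ">" are never
# emitted literally, so a macro result can not become a tag in the rendered page.

CALC_RE = re.compile(r'%CALC(?:ULATE)?\{(.*?)\}%', re.DOTALL)


def sanitize_calc_output(result: str) -> str:
    """Output-stage filter: entity-encode the two characters that would let a
    macro result open or close an HTML tag. Everything else passes unchanged."""
    return result.replace('<', '&lt;').replace('>', '&gt;')


def toy_evaluate(formula: str) -> str:
    """Stand-in for the spreadsheet evaluator (assumption, not the real one).
    It understands only $SUM(a,b,...) of integers; any other formula is echoed
    back verbatim, which is enough to show the filter at work."""
    m = re.fullmatch(r'\$SUM\(([\d,\s]+)\)', formula.strip())
    if m:
        return str(sum(int(n) for n in m.group(1).split(',')))
    return formula


def expand_calc(text: str, evaluate=toy_evaluate) -> str:
    """Expand every %CALC{...}% / %CALCULATE{...}% in `text`, passing each
    evaluated result through sanitize_calc_output before it is spliced back.
    The filter sits after evaluation, so it applies no matter how the angle
    brackets were produced inside the formula (including via URLPARAM input)."""
    return CALC_RE.sub(lambda m: sanitize_calc_output(evaluate(m.group(1))), text)


if __name__ == '__main__':
    # Ordinary arithmetic is unaffected.
    print(expand_calc('Total: %CALC{$SUM(1,2)}%'))   # Total: 3
    # A result carrying a tag (constructed sample) is rendered inert.
    print(expand_calc('%CALCULATE{<b>x</b>}%'))      # &lt;b&gt;x&lt;/b&gt;
```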


ItemTemplate

Summary: Topics that process URLPARAM input with CALC / CALCULATE macros can be used to inject script tags.
ReportedBy: JozefMojzis
Codebase: 2.0.2, trunk
SVN Range:
AppliesTo: Engine
Component:
Priority: Security
CurrentState: Closed
WaitingFor:
Checkins: distro:e5009a2ede56 distro:54b7aa740f4f distro:7710f98b6e53
TargetRelease: patch
ReleasedIn: 2.0.3
CheckinsOnBranches: master
trunkCheckins:
masterCheckins: distro:e5009a2ede56 distro:54b7aa740f4f distro:7710f98b6e53
ItemBranchCheckins:
Release01x01Checkins:
Topic revision: r9 - 16 Nov 2015, GeorgeClark