(hmm, the auto-reply didn't work on my last message)

the issue goes beyond this.

for this sort of behavior, you can at least turn off things like append unless the person signs in. sure, if you have an open swiki, then they can do what you describe.

for the behavior the bug reporter described, there is no way to stop the behavior. (for a novice swiki administrator). the key thing is that the remote culprit, by putting this in a link on their page, can make it look like the message came from YOUR swiki.

(although in this case it is pretty clear that something is awry because the "not found" message can still be seen, one could probably throw up a div that covers that, or something)

the behavior happens because the "not found" template is putting the raw URL back out, and when the <script>alert("XSS")</script> is seen by the browser, it executes the script.

we could sanitize the url before putting it back out there to avoid such circumstances.

are there future patches/releases planned?

hal

On Mar 5, 2008, at 2:50 PM, Guzdial, Mark wrote:
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/5/2008 4:46 PM
To: Guzdial, Mark
Subject: RE: [Swiki-bugs] SWIKI 1.5 Cross-Site Scripting

It appears to be a vuln in the Swiki software itself; from what I see, every wiki looks to be affected.

The particular one I am looking at (at a client) is, say, "XXXXX", so if I go to http://host:8000/XXXXX/1 I'll have the option to create a new entry which posts to 1.append. By inserting JavaScript into the textbox displayed, the application stores the data without escaping the JavaScript. Because of this, every time I load http://host:8000/XXXXX/1 the JavaScript is executed.



--

Brad Antoniewicz

(O) 646.728.1493

(C) 347.801.5864

(F) 212.869.6720
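Both cases in this thread, as an added example that is not Swiki's own code (Swiki is written in Squeak Smalltalk; this is a small Python model of the two templates): a "not found" page that echoes the decoded request path verbatim (the reflected case Hal describes, reachable from a link on a remote page) and an append that stores text and prints it back unescaped (the stored case Brad describes), each beside a version that HTML-escapes at output time, which is one way to do what Hal calls sanitizing. The payload string, the page name XXXXX, the URL layout and all function and class names are assumptions for illustration.

```python
"""Added example, not Swiki's own code: a Python model of the two XSS cases
in the thread, each beside a version that HTML-escapes at output time."""
from html import escape
from urllib.parse import quote, unquote

# Constructed payload of the kind mentioned in the thread; the exact string
# the reporter used is not on the page.
PAYLOAD = '<script>alert("XSS")</script>'


def attacker_path(page_name: str = "XXXXX") -> str:
    """The path a remote page could link to on the victim swiki, e.g.
    /XXXXX/%3Cscript%3E... (percent-encoded as a browser would send it).
    The URL layout is an assumption for illustration."""
    return f"/{page_name}/{quote(PAYLOAD, safe='')}"


def render_not_found_vulnerable(request_path: str) -> str:
    """'Not found' template that echoes the decoded URL back verbatim (the
    reflected case): the browser sees a live <script> element."""
    wanted = unquote(request_path)
    return (
        "<html><body><h1>Not found</h1>"
        f"<p>There is no page at {wanted}</p></body></html>"
    )


def render_not_found_fixed(request_path: str) -> str:
    """Same template, but the user-controlled value is HTML-escaped
    immediately before it is placed into the element body."""
    wanted = escape(unquote(request_path), quote=True)
    return (
        "<html><body><h1>Not found</h1>"
        f"<p>There is no page at {wanted}</p></body></html>"
    )


class ToyWiki:
    """Minimal in-memory page store with an 'append' like the one described
    (the stored case). escape_on_output=False reproduces the reported bug."""

    def __init__(self, escape_on_output: bool) -> None:
        self.pages = {}
        self.escape_on_output = escape_on_output

    def append(self, page_id: str, text: str) -> None:
        # Store what the user typed unchanged; the fix belongs at output,
        # where the HTML context the value lands in is known.
        self.pages.setdefault(page_id, []).append(text)

    def render(self, page_id: str) -> str:
        parts = self.pages.get(page_id, [])
        if self.escape_on_output:
            parts = [escape(p, quote=True) for p in parts]
        return "<html><body>" + "<br>".join(parts) + "</body></html>"


def contains_live_script(html: str) -> bool:
    """Crude check: a literal <script tag in the output means the browser
    would execute it. Escaped output carries only &lt;script&gt;, which the
    browser renders as inert text."""
    return "<script" in html.lower()


if __name__ == "__main__":
    path = attacker_path()
    print("attacker link:", path)
    print("reflected, vulnerable:", contains_live_script(render_not_found_vulnerable(path)))
    print("reflected, fixed:     ", contains_live_script(render_not_found_fixed(path)))
    for fixed in (False, True):
        wiki = ToyWiki(escape_on_output=fixed)
        wiki.append("1", PAYLOAD)
        print(f"stored, escape_on_output={fixed}:", contains_live_script(wiki.render("1")))
```

The escaping here is for values placed in an HTML element body; a value dropped into an attribute, a URL or an inline script block needs the encoding for that context instead, so the escape call belongs in the template at the point of output rather than in the append handler. Escaping at output also keeps the "not found" text and the offending path visible to the user, so the message still shows what was requested without letting it run.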



_______________________________________________
Pws mailing list
Pws@cc.gatech.edu
https://mailman.cc.gatech.edu/mailman/listinfo/pws