Hi Steffen,
* Steffen Joeris <[EMAIL PROTECTED]> [2008-08-09 11:21]:
> On Sat, 9 Aug 2008 01:09:49 pm Steffen Joeris wrote:
> > > > But if the maintainer fixes #493372 they will also fix this bug
> > > > within the upstream patch, I think, and so it's not very important to
> > > > discuss it anymore, because it's just an XSS issue which isn't a very
> > > > hard bug :)
> > >
> > > I don't think this is the case. The patch in 493372 does
> > > only escape single quote ('), double quote ("), backslash (\)
> > > and NUL on registration, the XSS should still be possible.
> >
> > Now he added a check for an empty line as well. Updated patch is attached.
> > I am not sure what all you can insert in a query, can you think of
> > scenarios? For the XSS in this bug, he checks for JavaScript as described
> > here http://www.datensalat.eu/~fabian/cve/CVE-2008-3100-Owl.html
> For the XSS, upstream's patch didn't check for other tags, like html for 
> example.
> After a short discussion, he changed it to use strip_tags(). I've tested it 
> with html, php, script, and it seems to strip them away. Not sure if it 
> detects all, though :/, but it is certainly better than just checking for 
> script :)
[...] 
> --- old/owl-dms-0.95/lib/owl.lib.php  2007-10-07 13:42:37.000000000 +0000
> +++ owl-dms-0.95/lib/owl.lib.php      2008-08-09 06:04:47.000000000 +0000
> @@ -70,6 +70,8 @@
>     } 
>  } 
>  
> +$username = strip_tags($username);
> +
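Review bot: strip_tags() applied once at registration only removes whole tags, so characters that matter in an attribute context (a double quote, a stray `<`) pass through the call unchanged, and usernames stored before this line was added are never re-filtered. The more robust fix is to validate the username against an allowed charset where it is stored and to pass it through htmlspecialchars() at every point it is echoed into HTML; that also covers the `<SCR\0IPT>` and multiline cases raised in the reply below, without depending on how strip_tags() tokenises malformed tags.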

Why not just do it the standard way using 
htmlspecialchars()? That's what it's for. Or even use a sane 
solution and only allow usernames from a certain charset.

I am not sure because I am not a web security expert, but the above way for
example could have a problem with <SCR\0IPT> or multiline 
injected JavaScript with an ASCII carriage return, because PHP 
could possibly not detect this as a tag?! I am not sure 
about this, but I think restricting the usernames to a 
charset and using htmlspecialchars() should be the best solution.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
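As an added illustration of the two approaches Nico suggests (this is not code from the Owl DMS project or from the patch quoted above), the PHP snippet below allowlists the username on registration and encodes it with htmlspecialchars() on output, and prints how strip_tags() and htmlspecialchars() treat a few constructed sample names side by side. The function names, the allowed charset and the sample names are assumptions.

```php
<?php
// Added example, not Owl DMS code. Policy, names and samples are assumptions.

// Registration-time check: accept only a conservative charset.
// Anything else (angle brackets, quotes, NUL, newlines, backslash) is
// rejected outright, so there is nothing left for strip_tags() to miss.
function username_is_valid($username) {
    // Constructed policy: 3-32 ASCII letters, digits, underscore, dot or dash.
    return preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $username) === 1;
}

// Output-time encoding: what htmlspecialchars() is for. ENT_QUOTES also
// encodes single quotes, so the result is safe inside attribute values.
function html_text($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Rendering: validate on input AND encode on output; either alone is weaker.
function render_greeting($username) {
    if (!username_is_valid($username)) {
        throw new InvalidArgumentException('invalid username');
    }
    return '<p title="' . html_text($username) . '">Hello, '
         . html_text($username) . '</p>';
}

// Constructed samples contrasting strip_tags() (removes whole tags, keeps
// quotes and newlines) with htmlspecialchars() (encodes every special char).
$samples = [
    'alice',         // valid under the allowlist
    '<b>alice</b>',  // tags: strip_tags removes them, the allowlist rejects them
    'ali"ce',        // the quote survives strip_tags untouched; it is encoded on output
    "al\nice",       // newline: strip_tags keeps it, the allowlist rejects it
];

foreach ($samples as $name) {
    printf("%-16s valid=%-3s strip_tags=%-16s htmlspecialchars=%s\n",
        json_encode($name),
        username_is_valid($name) ? 'yes' : 'no',
        json_encode(strip_tags($name)),
        json_encode(html_text($name)));
}

echo render_greeting('alice'), "\n";
```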
