Kyle Snavely created COUCHDB-2232:
-------------------------------------
Summary: Escape HTML when rendering XSS targets
Key: COUCHDB-2232
URL: https://issues.apache.org/jira/browse/COUCHDB-2232
Project: CouchDB
Issue Type: Bug
Security Level: public (Regular issues)
Components: Fauxton
Reporter: Kyle Snavely
XSS payloads such as '\"><img src=%3Dx onerror%3Dprompt(%2Fxss%2F)>' can be
used with malicious intent in documents.
When rendered unescaped in Fauxton the JS is executed. To reproduce, use the
above string as a new document ID in Fauxton.
This affects the _id field of documents, normal, ddoc, replicator docs...
Other rendered data may be affected. I noticed I can create couch users with
the above string as a name.
I have a branch with basic fixes, using <%- in place of <%= where appropriate
in templates. I'm still getting my Fauxton dev stack set back up so I haven't
yet run the tests or inspected things locally.
I am not familiar with the codebase but I'd like to point out the possible sore
spots. Branch notes:
- https://github.com/ksnavely/couchdb/compare/30460-XSS-substitutions
- I tried to not be super heavy handed, only using <%- for values that
could be set with XSS payloads or otherwise come from a user/data.
- There are a few spots where I wasn't sure:
-- src/fauxton/app/addons/config/templates/item.html
-- src/fauxton/app/addons/documents/templates/changes.html
- Perhaps safeURLName can escape on <, > as well?
-- https://github.com/apache/couchdb-fauxton/blob/4ab2cde647b7712e262f8e4567ae835deff66a8c/app/core/utils.js#L85
I'll do another run through looking for '<%=' and updating as appropriate.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
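Added example (not Fauxton, CouchDB or Underscore code): a minimal Underscore-style template renderer with both interpolation tags, run over the reporter's payload, to show why `<%= %>` on a user-controlled `_id` hands the browser live markup while `<%- %>` renders it as text. The escaping set is modelled on Underscore's `_.escape`; the two row templates, `hrefForDoc` (one answer to the safeURLName question, using URL-encoding for the href part) and `findRawInterpolations` (a helper for the "<%=" sweep mentioned in the report) are assumptions for illustration, not code from the Fauxton tree.

```javascript
// HTML-escape the six characters Underscore's _.escape replaces (assumed set).
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => ESCAPE_MAP[c]);
}

// Tiny template engine: `<%= path %>` inserts the value raw, `<%- path %>` escapes it.
// Only dotted property lookups are supported (Underscore compiles arbitrary JS).
function render(template, data) {
  return template.replace(/<%(=|-)\s*([\w.]+)\s*%>/g, (_m, mode, path) => {
    const value = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), data);
    const text = value == null ? '' : String(value);
    return mode === '-' ? escapeHtml(text) : text;
  });
}

// The payload from the report, URL-decoded as Fauxton would see it in a document ID.
const DOC_ID = decodeURIComponent('"><img src=%3Dx onerror%3Dprompt(%2Fxss%2F)>');

// Hypothetical row templates: the unescaped form the report describes, and the
// <%- %> substitution the branch proposes.
const UNSAFE_ROW = '<a href="#doc/<%= id %>"><%= id %></a>';
const SAFE_ROW = '<a href="#doc/<%- id %>"><%- id %></a>';

function renderUnsafe(id) { return render(UNSAFE_ROW, { id }); }
function renderSafe(id) { return render(SAFE_ROW, { id }); }

// True when the rendered HTML still carries an <img ... onerror=...> element,
// i.e. the payload survived as markup rather than as text.
function containsLiveHandler(html) {
  return /<img\b[^>]*\bonerror\s*=/i.test(html);
}

// For the href itself, URL-encoding is the right transform: it removes <, > and "
// and the ID round-trips through decodeURIComponent on the other side.
function hrefForDoc(id) {
  return '#doc/' + encodeURIComponent(id);
}

// Triage helper for the sweep over templates: list every raw `<%= ... %>`
// interpolation so each can be checked for user- or document-controlled data.
function findRawInterpolations(template) {
  const hits = [];
  const re = /<%=\s*([^%]+?)\s*%>/g;
  let m;
  while ((m = re.exec(template)) !== null) hits.push(m[1]);
  return hits;
}

console.log('unsafe:', renderUnsafe(DOC_ID), '->', containsLiveHandler(renderUnsafe(DOC_ID)));
console.log('safe:  ', renderSafe(DOC_ID), '->', containsLiveHandler(renderSafe(DOC_ID)));
console.log('href:  ', hrefForDoc(DOC_ID));
console.log('raw interpolations in UNSAFE_ROW:', findRawInterpolations(UNSAFE_ROW));
```

Note that escaping in `<%- %>` protects text nodes and quoted attribute values, but it is not a substitute for URL-encoding where the value becomes part of a link or route; the two transforms answer different contexts and both are needed for an ID that appears in both places.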