Reviewed: https://reviews.mahara.org/1459 Committed: http://gitorious.org/mahara/mahara/commit/c24ccb84d79a5032cf58adaed401fd6399018d95 Submitter: Hugh Davenport ([email protected]) Branch: master
commit c24ccb84d79a5032cf58adaed401fd6399018d95 Author: Richard Mansfield <[email protected]> Date: Fri Jun 8 11:29:16 2012 +1200 Json-encode login form when injected by js (bug #1009784) Change-Id: Ia81053332cfa9e0f79268031795af8d34b45ff78 Signed-off-by: Richard Mansfield <[email protected]> -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/1009784 Title: Javascript login form includes unencoded parameters Status in Mahara ePortfolio: Fix Released Bug description: Discovered by Emanuel Bronshtein, present in all versions. parameters from URI are passed to javascript innerHTML without proper encoding, it possible to use some encoding inside javascript strings, as: \x22\x3E = "> \u0022\u003E = "> by using this encoding it possible to trigger XSS. Payload: "><h1>XSS</h1><img src=9 onerror=alert("XSS")> = \x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E XSS Example: http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/users/changeuser.php?xss=\x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/users/bulk.php?xss=\x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E --- When a logged-out user tries to access a page that requires them to be logged in, a login form is generated, all get parameters are added to the form's action attribute & all post parameters are added as hidden elements inside the form. The login form is then inserted into the dom using innerHTML. This is for convenience, to let the user continue whatever it was they were trying to do if, for example, their session expired. I think it may be enough to url encode each query parameter name & value in the action url before generating the form, but haven't tested this yet. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1009784/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : [email protected] Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
