On Fri, 2012-03-02 at 12:06 -0600, Dave Rolsky wrote:
> On Thu, 1 Mar 2012, RS Tech wrote:
>
> > A client just sent me a web security report for a Mason-based site I
> > built for him a while ago (Mason 1.38). The report, which was generated
> > by HP WebInspect, complains that form scripts on the site are not
> > distinguishing between POST and GET parameters. A summary of the problem
> > is provided, explaining that 'collapsing' POST and GET params into a
> > single collection exposes the site to XSS and other attacks.
>
> Basically every web framework in the world does this (at least in the Perl
> world).
>
> You _can_, if you like, distinguish between the two by using the
> underlying API (CGI.pm, mod_perl's Apache2::Request, Catalyst::Request).
>
> I think the issue here is not so much collapsing the parameters, but
> whether you can use a GET request to submit a form, for example.
>
> In other words, does this work ...
>
> <img src="/bad/action?x=42" />
Thanks for the response, Dave.

HP WebInspect locates form element names in POST forms and attempts to insert them via GET. If it can, it generates the error. According to HPWI's auto-generated explanation, this causes a site to be potentially vulnerable to something called a Cross-Site Request Forgery.

For anyone interested, here's HPWI's generic description of the issue:

HPWI SUMMARY ON POST/GET COLLAPSE

Some web frameworks collapse the POST and GET parameters into a single collection. This is a flawed design pattern from a security standpoint. If a page accepts POST parameters as GET parameters, an attacker would be able to effect change on websites through Cross-Site Request Forgery or leverage this design flaw with other vulnerabilities to attack the system hosting the web application.

/HPWI SUMMARY

> The way to avoid this is to make a point of distinguishing between GET and
> POST when handling form submissions.
>
> This issue really isn't specific to Mason, though if you use Mason
> exclusively (as opposed to as part of Catalyst/Dancer/etc) you'll get no
> help in handling this. With Catalyst and Catalyst::Action::REST, it's
> trivial to designate controller actions that can only be reached via POST.
>
> In other words, dispatching can be done based on a combination of URI and
> HTTP method, rather than just the URI.
>
> You can fake this in Mason with something like this ...
>
> <%init>
> dont_accept_request() unless $r->method eq 'POST';
>
> handle_form_submission();
> </%init>

The same occurred to me after mailing to the list -- placed a routine at the top of init in affected scripts to do essentially as you say: unless method = POST, redirect to error page. This satisfies the mindless vulnerability checker and does add a degree of control to the form handling.

> Just make sure that every form handling component goes through this logic
> (an autohandler is your friend).

Thanks -- yes, will put routine into an autohandler over the weekend.
> But I'll say for the millionth time, I think something like Catalyst is
> much better for the controller/dispatch side of things, and this is one
> reason among many.

I agree with you that Catalyst (et al) is a better solution for control/dispatch -- and if I was building the site today I'd likely opt for same.

> -dave
>
> /*============================================================
> http://VegGuide.org               http://blog.urth.org
> Your guide to all that's veg      House Absolute(ly Pointless)
> ============================================================*/

_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users
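An added example, not code from this thread or from the Mason distribution, of what the autohandler version of Dave's `$r->method eq 'POST'` check can look like in Mason 1.x under mod_perl. It assumes `$r` is the Apache request object Mason exposes to components, that the site's form-handling components live under a hypothetical `/forms/` path, and that nothing else on the site should be touched:

```perl
<%doc>
Added example (not from the mailing-list thread or from Mason itself).
Mason 1.x autohandler that refuses to run a form-handling component unless
the request arrived as a POST, so the <img src="/bad/action?x=42"> trick
quoted upthread gets a 405 instead of executing the form handler.

Assumptions (mine, not the thread's):
  - mod_perl, so $r is the Apache request object Mason makes available;
  - form-handling components live under /forms/ (hypothetical path);
  - everything else on the site is served unchanged.
</%doc>
<%init>
# Path of the component the client actually requested, not this autohandler.
my $requested = $m->request_comp->path;

if ( $requested =~ m{^/forms/} && $r->method ne 'POST' ) {
    # Tell the client (and the scanner) which method is acceptable, then
    # stop before the form handler's own <%init> block runs at all.
    $r->status(405);
    $r->err_headers_out->set( Allow => 'POST' );
    $m->abort(405);
}

# Anything that passed the check continues down the autohandler chain.
$m->call_next;
</%init>
```

Two notes on scope. Mason's `%ARGS` still merges query-string and body parameters after this check; if a handler needs to know which is which, that is the underlying-API split Dave mentions, e.g. CGI.pm's `param` versus `url_param` on `$m->cgi_object` when the ApacheHandler is configured with `args_method => 'CGI'`. And a method check only closes the GET vector the scanner exercised (image tags, links, prefetch); a cross-site page can still auto-submit a `<form method="POST">` at the same URL, so it does not by itself stop the CSRF the HPWI summary names. That needs a per-session secret in the form or an origin check in addition.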