#717: Generating the current route with additional or changed arguments allows code injections
----------------------+-----------------------------------------------------
Reporter: david | Owner: david
Type: defect | Status: new
Priority: highest | Milestone: 0.11.1
Component: routing | Version: 0.11.0
Severity: critical | Keywords:
Has_patch: 0 |
----------------------+-----------------------------------------------------
Reproduce:
{{{
$ro->gen(null, array('some' => 'param'));
}}}
And call with:
{{{
/path/to/pub/?foo[bar]="><script>alert('hi');</script>
}}}
This vulnerability only affects calls to {{{WebRouting::gen()}}} where the
same route is generated again, and thus all request parameters are carried
over. Also, the call needs to modify the arguments parameter; a
{{{gen(null);}}} is not affected.
The injection is then possible by using array query parameters, which are
not urlencoded properly, ultimately posing a vector for XSS/CSRF attacks.
This bug only affects the 0.11.1 (and 1.0) series, r2190 and above, not
0.11.0.
A temporary workaround in case you are unable to upgrade your Agavi
installation for whatever reason would be
{{{
htmlspecialchars($ro->gen(null, $moreParams, array('separator' => '&')));
}}}
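An added illustration, not Agavi's code: a query builder that flattens nested array parameters by plain concatenation (a hypothetical reconstruction of the defect described above) next to a recursive builder that rawurlencodes every key and value, with the ticket's htmlspecialchars() workaround applied to the unsafe output. The functions buildQueryNaive and buildQuerySafe are assumed names.

```php
<?php
// Request parameters as PHP parses the ticket's payload
// ?foo[bar]="><script>alert('hi');</script>  (constructed sample input)
$request = ['foo' => ['bar' => '"><script>alert(\'hi\');</script>']];
$extra   = ['some' => 'param'];

// Hypothetical reconstruction of the defect: scalar values are encoded,
// but a nested array is flattened by string concatenation, unencoded.
function buildQueryNaive(array $params): string
{
    $parts = [];
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $subKey => $subValue) {
                $parts[] = $key . '[' . $subKey . ']=' . $subValue; // raw
            }
        } else {
            $parts[] = rawurlencode((string) $key) . '=' . rawurlencode((string) $value);
        }
    }
    return implode('&', $parts);
}

// Hardened form: recurse into arrays and rawurlencode every key and value,
// including the bracket characters of the nested key.
function buildQuerySafe(array $params, string $prefix = ''): string
{
    $parts = [];
    foreach ($params as $key => $value) {
        $name = $prefix === ''
            ? rawurlencode((string) $key)
            : $prefix . '%5B' . rawurlencode((string) $key) . '%5D';
        $parts[] = is_array($value)
            ? buildQuerySafe($value, $name)
            : $name . '=' . rawurlencode((string) $value);
    }
    return implode('&', array_filter($parts, 'strlen'));
}

$merged = array_merge($request, $extra);
echo "naive: /path/to/pub/?" . buildQueryNaive($merged) . "\n";
echo "safe:  /path/to/pub/?" . buildQuerySafe($merged) . "\n";
// PHP's own builder performs the same recursive encoding.
echo "php:   /path/to/pub/?" . http_build_query($merged, '', '&', PHP_QUERY_RFC3986) . "\n";
// The ticket's workaround: HTML-escaping the generated URL before it is
// echoed into markup neutralises the injected markup even though the
// URL itself is still built incorrectly.
echo htmlspecialchars('/path/to/pub/?' . buildQueryNaive($merged), ENT_QUOTES) . "\n";
```

Run with the PHP CLI; the "naive" line carries the payload's quote and angle brackets verbatim, while the "safe" and "php" lines agree and contain only percent-encoded bytes.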
--
Ticket URL: <http://trac.agavi.org/ticket/717>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
_______________________________________________
Agavi Tickets Mailing List
[email protected]
http://lists.agavi.org/mailman/listinfo/tickets