By sending a mail containing some well formatted code, session hijacking is possible. As this issue is really serious, I will inform Tim Gerundt and send details by email directly.
Details will be given as soon as this security issue is fixed.
Patch for removing XSS Vulnerability with htmlpurifier
I wrote a patch addressing this vulnerability. It depends on htmlpurifier, which can be downloaded from http://htmlpurifier.org/releases/htmlpurifier-4.4.0.zip
1. The directory "library/HTMLPurifier" (and its subdirectories) from the htmlpurifier-4.4.0.zip file has to be copied into the nocc-webmailer directory.
2. Take the patched action.php from my ZIP file patch.zip and overwrite the original one from nocc.
3. Take the patched functions.php from my ZIP file patch.zip and overwrite the original one (located in the folder utils).
The unpatched versions (extension ".original") are included too, so that you can check my changes by making a diff.
Thank you very much for the bug report and the patch!!!
Since the HTMLPurifier source code is larger than NOCC itself, I searched for an alternative and found htmLawed: http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
It works in my tests too, and it is only a single file of 47 kB. I committed the changes to SVN: http://nocc.svn.sourceforge.net/viewvc/nocc?view=revision&revision=2551
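The fix described in this thread is to run every HTML mail body through a sanitiser before it is rendered in the browser. The following is an added example of that step, not NOCC's own code and not the patch author's: it assumes htmLawed.php (the library the maintainer chose above) sits next to the script, and the wrapper name nocc_clean_html() and the helper nocc_still_dangerous() are hypothetical. The htmLawed options used (safe, deny_attribute, schemes) are taken from memory of the library's documentation and should be checked against the version actually shipped.

```php
<?php
// Added example (not NOCC's or the patch author's code): sanitise an HTML mail
// body before rendering it, using htmLawed. Assumes htmLawed.php is in the same
// directory; nocc_clean_html() is a hypothetical wrapper name.
require_once __DIR__ . '/htmLawed.php';

function nocc_clean_html(string $html): string
{
    // Option names follow htmLawed's documentation as remembered here (assumption):
    //   safe=1         drops script/object/embed/iframe/applet and on* handlers
    //   deny_attribute additionally refuses inline event handlers and inline CSS
    //   schemes        restricts URL schemes per attribute, so javascript: links die
    $config = array(
        'safe'           => 1,
        'deny_attribute' => 'on*, style',
        'schemes'        => 'href: http, https, mailto; src: http, https; *: http, https',
    );
    return htmLawed($html, $config);
}

function nocc_still_dangerous(string $html): bool
{
    // Coarse post-condition used only for this self-check: no script element,
    // no on* attribute and no javascript: URL may survive sanitisation.
    return (bool) preg_match('/<script|\bon\w+\s*=|javascript:/i', $html);
}

// Constructed sample mail bodies (not the reporter's mail): one harmless body and
// the generic constructs any mail sanitiser must remove.
$samples = array(
    '<p>Hello <b>world</b></p>',
    '<p onmouseover="alert(1)">hover</p>',
    '<a href="javascript:alert(1)">click</a>',
    '<img src="x" onerror="alert(1)">',
    '<script>alert(1)</script>',
);

foreach ($samples as $dirty) {
    $clean = nocc_clean_html($dirty);
    printf("%-42s -> %-32s %s\n",
        $dirty, $clean, nocc_still_dangerous($clean) ? 'DANGEROUS' : 'ok');
}
```

Run it with `php` from the NOCC directory after dropping in htmLawed.php; every line except the plain paragraph should come back stripped and marked "ok". Whichever library is used, the point of the patch is that sanitisation happens on the output path, right before the body reaches the browser, so a bypass in any single upstream check cannot reach the session. Marking the session cookie HttpOnly (PHP's session.cookie_httponly setting) is a separate, complementary control that limits what any script that does slip through can read.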
Works in my tests too. Looks fine.
I will release NOCC 1.9.3 at the weekend, which includes the fix: http://nocc.sourceforge.net/download/
Fixed in SVN.
It'll be included in the next release.
But you can download daily snapshots at: http://nocc.sourceforge.net/download/
Thanks for the bug report.