From: Shimon R. <sh...@ru...> - 2006-01-06 15:48:56
Hi pagekit users,

A user of my pagekit app suggested there might be a cross-site scripting vulnerability. The vulnerability is in using the pkit_messages input parameter, which triggers display of a message. The problem is that:

1. messages are displayed without escaping, so I could put a <b> or even a <script> tag into a message; and
2. pkit_messages is an input parameter, so one could set the message when linking to my pagekit site from another site.

That means someone could link to my site and display a message that contains a <script> tag. They could link to my login form, but add an onsubmit handler to the form that sends user logins and passwords to their server before logging the user into my site. That would be bad.

Using HTML::Template, messages are rendered using special pagekit tags, e.g.:

<PKIT_MESSAGES>
<p class="message">
<PKIT_IS_ERROR><font color="<PKIT_ERRORSTR>"></PKIT_IS_ERROR>
• <PKIT_MESSAGE>
<PKIT_IS_ERROR></font></PKIT_IS_ERROR>
</p>
</PKIT_MESSAGES>

The PKIT_MESSAGE tag doesn't accept the ESCAPE="HTML" parameter like MODEL_VAR does. However I was able to add HTML escaping by changing line 66 in Apache/PageKit/View.pm from:

MESSAGE => '<TMPL_VAR NAME="PKIT_MESSAGE">',

to

MESSAGE => '<TMPL_VAR NAME="PKIT_MESSAGE" ESCAPE="HTML">',

Am I right that there is a vulnerability? Is this a useful fix?

Thank you,
Shimon Rura
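The following script is an added example, not part of the post above and not PageKit's own code. It reduces the two versions of the MESSAGE line from Apache/PageKit/View.pm to the HTML::Template fragments they expand to, renders each with a constructed pkit_messages payload of the kind an attacker could put in a link, and reports whether the script tag survives. It assumes only that the HTML::Template module is installed; the payload, the wrapping <p class="message"> and the render() helper are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed payload: what an attacker could pass in the pkit_messages
# query parameter of a link to the site (assumption for this example).
my $payload = '<script>alert(document.cookie)</script>';

# The before/after MESSAGE tags from Apache/PageKit/View.pm, wrapped in
# the same <p class="message"> the PageKit template uses.
my %template = (
    unescaped => '<p class="message"><TMPL_VAR NAME="PKIT_MESSAGE"></p>',
    escaped   => '<p class="message"><TMPL_VAR NAME="PKIT_MESSAGE" ESCAPE="HTML"></p>',
);

# Render one template variant with the given message text, exactly as
# HTML::Template would do it inside PageKit's view layer.
sub render {
    my ($variant, $message) = @_;
    my $t = HTML::Template->new(scalarref => \$template{$variant});
    $t->param(PKIT_MESSAGE => $message);
    return $t->output;
}

# Check whether a rendered page still contains a live <script> tag.
sub has_script_tag {
    my ($html) = @_;
    return $html =~ /<script\b/i ? 1 : 0;
}

for my $variant (qw(unescaped escaped)) {
    my $html = render($variant, $payload);
    my $verdict = has_script_tag($html)
        ? 'script tag survives: reflected XSS'
        : 'script tag neutralised';
    printf "%-9s: %s\n           %s\n", $variant, $verdict, $html;
}
```

With ESCAPE="HTML", HTML::Template replaces the angle brackets, ampersand and quote characters in the parameter value with their entity forms, so the escaped variant renders the payload as literal text (&lt;script&gt;...&lt;/script&gt;) inside the paragraph instead of as markup. The same check applies to the PKIT_ERRORSTR value interpolated into the font color attribute in the template above: a value placed inside an attribute needs the quote characters escaped too, which ESCAPE="HTML" also covers.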