From: Boris Z. <bz...@2b...> - 2006-01-07 15:18:50

Hi, I'd like to share another (untested) idea. What about just inheriting pkit_message in Common.pm? The advantages are that it works with TT and H::T. Also, your server can handle different applications (and they can do different things), and the escaping can do different things for different content_types, i.e. I do not want > on my PDFs.

# add this to Common.pm
use HTML::Entities ();

sub pkit_message {
    my $model = shift;
    # probably do a different escape for different content_types: html/xml/wml/pdf/whatever
    my @args = @_;    # copy @_ so a literal message argument is not modified through aliasing (would die as read-only)
    $args[0] = HTML::Entities::encode_entities($args[0]);
    $model->SUPER::pkit_message(@args);
}

If this is fine for all, I suggest including an always-HTML-escape solution in the next pkit release. And everyone can go back to the old behavior by removing pkit_message from Common.pm. What do you think?

On 06.01.2006 at 16:48, Shimon Rura wrote:

> Hi pagekit users,
>
> A user of my pagekit app suggested there might be a cross-site scripting vulnerability. The vulnerability is in using the pkit_messages input parameter, which triggers display of a message. The problem is that:
>
> 1. messages are displayed without escaping, so I could put a <b> or even a <script> tag into a message; and
>
> 2. pkit_messages is an input parameter, so one could set the message when linking to my pagekit site from another site.
>
> That means someone could link to my site and display a message that contains a <script> tag. They could link to my login form, but add an onsubmit handler to the form that sends user logins and passwords to their server before logging the user into my site. That would be bad.
>
> Using HTML::Template, messages are rendered using special pagekit tags, e.g.:
>
> <PKIT_MESSAGES>
>
> <p class="message">
> <PKIT_IS_ERROR><font color="<PKIT_ERRORSTR>"></PKIT_IS_ERROR>
> • <PKIT_MESSAGE>
> <PKIT_IS_ERROR></font></PKIT_IS_ERROR>
> </p>
>
> </PKIT_MESSAGES>
>
>
> The PKIT_MESSAGE tag doesn't accept the ESCAPE="HTML" parameter like MODEL_VAR does. However, I was able to add HTML escaping by changing line 66 in Apache/PageKit/View.pm from:
>
> MESSAGE => '<TMPL_VAR NAME="PKIT_MESSAGE">',
>
> to
>
> MESSAGE => '<TMPL_VAR NAME="PKIT_MESSAGE" ESCAPE="HTML">',
>
> Am I right that there is a vulnerability? Is this a useful fix?
>
> Thank you,
> Shimon Rura

--
Boris
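The Common.pm override discussed above, as an added stand-alone example that is not from the thread or the PageKit code base: StubModel is an assumed stand-in for Apache::PageKit::Model, the content_type field is a placeholder for however an application tracks its output type, and the message text is constructed. It shows an HTML-bearing pkit_messages value arriving in the template already escaped, while a non-HTML content type is left alone.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# StubModel stands in for Apache::PageKit::Model (an assumption for this
# example): the real pkit_message queues text for the PKIT_MESSAGES loop;
# the stub just collects it so the result can be inspected.
package StubModel;
sub new {
    my ($class, %args) = @_;
    return bless { %args, messages => [] }, $class;
}
sub pkit_message {
    my ($model, $message) = @_;
    push @{ $model->{messages} }, $message;
    return $message;
}
sub messages { return @{ $_[0]->{messages} } }

# Common.pm with the override from the post: escape when the response is
# HTML, pass through for other types. content_type is a placeholder field.
package Common;
use HTML::Entities ();
our @ISA = ('StubModel');
sub pkit_message {
    my ($model, @args) = @_;   # copy, so a literal argument is not aliased
    if (($model->{content_type} || 'text/html') eq 'text/html') {
        $args[0] = HTML::Entities::encode_entities($args[0]);
    }
    return $model->SUPER::pkit_message(@args);
}

package main;

# Constructed input of the kind described in the report: a pkit_messages
# parameter carrying markup instead of plain text.
my $payload = '<script>alert(1)</script>';

my $html = Common->new(content_type => 'text/html');
$html->pkit_message($payload);
$html->pkit_message('Saved');      # plain literal: no read-only aliasing error
print "text/html: $_\n" for $html->messages;

my $pdf = Common->new(content_type => 'application/pdf');
$pdf->pkit_message('Total > 100');
print "application/pdf: $_\n" for $pdf->messages;
```

Because the escaping happens before the text reaches the template, it applies whether the page is rendered with HTML::Template or Template Toolkit, which is the advantage Boris describes over the View.pm-only change.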