From: Shimon R. <sh...@ru...> - 2006-01-12 03:51:26

Boris, I tested your solution and it works. I like this fix better than the one I originally proposed, and I encourage you to roll it into PageKit.

thanks,
shimon.

On 1/7/06, Boris Zentner <bz...@2b...> wrote:
>
> Hi,
>
> I would like to share another ( untested ) idea. What about just inheriting
> pkit_message in Common.pm?
>
> The advantages are that it works with TT and H:T. Also your server
> can handle different applications ( and they can do different
> things ). And the escaping can do different things for different
> content_types, i.e. I do not want > on my pdf's.
>
> # add this to Common.pm
> use HTML::Entities ();
> sub pkit_message {
>     my ( $model, @args ) = @_;    # copy the args: assigning to $_[0] dies on a read-only literal
>     # probably do different escape for different content_types html/xml/wml/pdf
>     # whatever
>     $args[0] = HTML::Entities::encode_entities( $args[0] );
>     $model->SUPER::pkit_message(@args);
> }
>
> If this is fine for all, I suggest including an always-html-escape
> solution in the next pkit release. And everyone can go back to the
> old behavior by removing pkit_message from Common.pm.
>
> What do you think?
>
>
> On 06.01.2006 at 16:48, Shimon Rura wrote:
>
> > Hi pagekit users,
> >
> > A user of my pagekit app suggested there might be a cross-site
> > scripting vulnerability. The vulnerability is in using the
> > pkit_messages input parameter, which triggers display of a
> > message. The problem is that:
> >
> > 1. messages are displayed without escaping, so I could put a <b> or
> > even a <script> tag into a message; and
> >
> > 2. pkit_messages is an input parameter, so one could set the
> > message when linking to my pagekit site from another site.
> >
> > That means someone could link to my site and display a message that
> > contains a <script> tag. They could link to my login form, but add
> > an onsubmit handler to the form that sends user logins and
> > passwords to their server before logging the user into my site.
> > That would be bad.
> >
> > Using HTML::Template, messages are rendered using special pagekit
> > tags, e.g.:
> >
> > <PKIT_MESSAGES>
> >
> > <p class="message">
> > <PKIT_IS_ERROR><font color="<PKIT_ERRORSTR>"></PKIT_IS_ERROR>
> > • <PKIT_MESSAGE>
> > <PKIT_IS_ERROR></font></PKIT_IS_ERROR>
> > </p>
> >
> > </PKIT_MESSAGES>
> >
> >
> > The PKIT_MESSAGE tag doesn't accept the ESCAPE="HTML" parameter
> > like MODEL_VAR does. However I was able to add HTML escaping by
> > changing line 66 in Apache/PageKit/View.pm from:
> >
> > MESSAGE => '<TMPL_VAR NAME="PKIT_MESSAGE">',
> > to
> > MESSAGE => '<TMPL_VAR NAME="PKIT_MESSAGE" ESCAPE="HTML">',
> >
> > Am I right that there is a vulnerability? Is this a useful fix?
> >
> > Thank you,
> > Shimon Rura
>
> --
> Boris
>
>
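As an added illustration, not code from the thread or from PageKit itself, here is the Common.pm override Boris proposes, run against a stand-in for the PageKit model class so it executes without the framework. `MockModel`, its list-storing `pkit_message`, the `content_type` accessor and the `%escape_for` table are assumptions; only `HTML::Entities::encode_entities` and the `SUPER::` dispatch come from the posted code. It also carries Boris's content-type idea through: escaping is applied for HTML-family output and skipped for a PDF response.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for Apache::PageKit::Model (assumption: the real class hands
# messages to the view; here they are collected in a list for inspection).
package MockModel;

sub new {
    my ( $class, %args ) = @_;
    return bless {
        content_type => $args{content_type} || 'text/html',
        messages     => [],
    }, $class;
}

sub content_type { $_[0]->{content_type} }

# Unescaped base behaviour: whatever text arrives is what the template shows.
sub pkit_message {
    my ( $self, $text, %opts ) = @_;
    push @{ $self->{messages} }, { text => $text, is_error => $opts{is_error} ? 1 : 0 };
    return;
}

sub messages { @{ $_[0]->{messages} } }

# The application's Common.pm, inheriting from the model and overriding
# pkit_message so every message is entity-escaped before the base class sees it.
package Common;
use HTML::Entities ();
our @ISA = ('MockModel');

# Assumption: only HTML-family content types are escaped; a PDF or plain-text
# response keeps the raw text, as Boris wants for his pdf's.
my %escape_for = map { $_ => 1 }
    qw(text/html application/xhtml+xml text/xml text/vnd.wap.wml);

sub pkit_message {
    my ( $model, @args ) = @_;    # copy: assigning to $_[0] dies on a literal argument
    if ( $escape_for{ $model->content_type } ) {
        # encode_entities with one argument returns an escaped copy
        $args[0] = HTML::Entities::encode_entities( $args[0] );
    }
    return $model->SUPER::pkit_message(@args);
}

package main;

# Constructed sample: markup of the kind an outside link could place in the
# pkit_messages parameter, as described in Shimon's report.
my $tainted = q{Welcome <b>back</b> & enjoy};

for my $ct (qw(text/html application/pdf)) {
    my $model = Common->new( content_type => $ct );
    $model->pkit_message( $tainted, is_error => 1 );
    my ($m) = $model->messages;
    printf "%-16s %s\n", $ct, $m->{text};
}
```

Run with `perl` (HTML::Entities ships with the HTML-Parser distribution); the text/html model stores the entity-encoded string while the application/pdf model stores the raw one. Two points worth keeping in mind with this approach: it escapes at the model rather than in the template, so it protects TT and H::T alike and every place that later displays the message, but a template that additionally applies ESCAPE="HTML" (Shimon's View.pm change) would then double-encode, showing literal `&amp;lt;` to the user, so pick one layer and apply it consistently.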