From: Shimon R. <sh...@ru...> - 2006-01-06 15:48:56
Hi pagekit users,

A user of my pagekit app suggested there might be a cross-site scripting vulnerability. The vulnerability is in using the pkit_messages input parameter, which triggers display of a message. The problem is that:

1. messages are displayed without escaping, so I could put a <b> or even a <script> tag into a message; and

2. pkit_messages is an input parameter, so one could set the message when linking to my pagekit site from another site.

That means someone could link to my site and display a message that contains a <script> tag. They could link to my login form, but add an onsubmit handler to the form that sends user logins and passwords to their server before logging the user into my site. That would be bad.

Using HTML::Template, messages are rendered using special pagekit tags, e.g.:

<PKIT_MESSAGES>

<p class="message">
<PKIT_IS_ERROR><font color="<PKIT_ERRORSTR>"></PKIT_IS_ERROR>
• <PKIT_MESSAGE>
<PKIT_IS_ERROR></font></PKIT_IS_ERROR>
</p>

</PKIT_MESSAGES>

The PKIT_MESSAGE tag doesn't accept the ESCAPE="HTML" parameter like MODEL_VAR does. However I was able to add HTML escaping by changing line 66 in Apache/PageKit/View.pm from:

MESSAGE => '<TMPL_VAR NAME="PKIT_MESSAGE">',

to

MESSAGE => '<TMPL_VAR NAME="PKIT_MESSAGE" ESCAPE="HTML">',

Am I right that there is a vulnerability? Is this a useful fix?

Thank you,
Shimon Rura
From: Boris Z. <bz...@2b...> - 2006-01-07 15:18:50
Hi,

I'd like to share another (untested) idea. What about just inheriting pkit_message in Common.pm?

The advantages are that it works with TT and H:T. Also your server can handle different applications (and they can do different things). And the escaping can do different things for different content_types, i.e. I do not want > on my pdf's.

# add this to Common.pm
use HTML::Entities ();

sub pkit_message {
    my $model = shift;
    # copy the message instead of assigning to $_[0]: a caller passing a
    # string literal would otherwise get "Modification of a read-only value"
    my $message = shift;
    # probably do different escaping for different content_types
    # (html/xml/wml/pdf), whatever
    $message = HTML::Entities::encode_entities($message);
    $model->SUPER::pkit_message($message, @_);
}

If this is fine for all, I suggest including an always-HTML-escape solution in the next pkit release. And everyone can go back to the old behavior by removing pkit_message from Common.pm.

What do you think?

On 06.01.2006 at 16:48, Shimon Rura wrote:

> [...]

--
Boris
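A self-contained illustration of the override above, added here and not code from the thread or from PageKit itself: a minimal stand-in for the base model class (assumed, since the real Apache::PageKit::Model is not on the page), the Common.pm override with the content-type branch the post only sketches (content_type is assumed to be a model attribute in this stand-in), and a constructed message showing what reaches the template.

```perl
use strict;
use warnings;

# Stand-in for Apache::PageKit::Model (assumption: only the message-collecting behaviour is mimicked).
package MockPageKitModel;
sub new {
    my ( $class, %args ) = @_;
    return bless { messages => [], content_type => 'text/html', %args }, $class;
}
sub pkit_message {
    my ( $model, $message, %opt ) = @_;
    push @{ $model->{messages} },
        { text => $message, is_error => $opt{is_error} ? 1 : 0 };
}
sub messages { return @{ $_[0]{messages} } }

# The Common.pm override from the post, plus the content-type branch it only sketches
# (assumption: content_type is an attribute of this stand-in model).
package MyPageKit::Common;
use HTML::Entities ();
our @ISA = ('MockPageKitModel');
sub pkit_message {
    my $model   = shift;
    my $message = shift;    # copy rather than assign to $_[0]
    $message = HTML::Entities::encode_entities($message)
        if $model->{content_type} eq 'text/html';
    return $model->SUPER::pkit_message( $message, @_ );
}

# Render roughly as the <PKIT_MESSAGES> template block in the first mail does
# (error colour assumed red; &bull; stands in for the template's bullet).
package main;
sub render_messages {
    my ($model) = @_;
    my $out = '';
    for my $m ( $model->messages ) {
        my $text = $m->{is_error} ? qq{<font color="red">$m->{text}</font>} : $m->{text};
        $out .= qq{<p class="message">&bull; $text</p>\n};
    }
    return $out;
}

# Constructed sample: the kind of value a crafted pkit_messages link supplies.
my $html = MyPageKit::Common->new( content_type => 'text/html' );
$html->pkit_message( '<script>alert(1)</script>', is_error => 1 );
print render_messages($html);    # the tag reaches the page entity-encoded, so it is inert

my $pdf = MyPageKit::Common->new( content_type => 'application/pdf' );
$pdf->pkit_message('Total > 100');
my ($first) = $pdf->messages;
print "$first->{text}\n";        # left untouched for non-HTML output
```

Run with `perl` on any system that has HTML::Entities installed; the override, not the template, is what stops a message supplied through the pkit_messages parameter from being rendered as markup.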
From: Shimon R. <sh...@ru...> - 2006-01-12 03:51:26
Boris,

I tested your solution and it works. I like this fix better than the one I originally proposed, and I encourage you to roll it into PageKit.

thanks,
shimon.

On 1/7/06, Boris Zentner <bz...@2b...> wrote:

> [...]