From: Arno H. <aho...@in...> - 2000-06-03 08:00:40
Hi there,
the new name linking scheme is vulnerable to attack.
The exploit goes something like this:
external links:
[external | javascript:alert('you are hacked')]
internal links:
[internal: <script language=javascript>alert('bad stuff happens');</script>]
The javascript is executed both times.
This opens the door to never-ending JavaScript exploits.
(Actually, internal links allow including arbitrary HTML.)
While I favour the approach to limit the charset allowed within '[]',
I guess we can get by with the following fix:
left of '|': encode text with htmlspecialchars()
(same goes for names in RecentChanges)
right of '|': forbid links starting with 'script' or 'java'
I will look further into the issue and tell you what I can come up with.
While poking around I discovered that the $magic_quotes_gpc=1 bug
seems to be back (this time for page names) - not sure if this is
also true when using mySQL.
/Arno
P.S.: be careful when replying to the list.
Apparently the "Reply-To:" header is not set, so a simple
reply just goes to the author and not to the list.
Steve, can this be changed in the list settings?
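As an added example (not PhpWiki's code; the function names, the allowed scheme list and the index.php?PageName URL form are assumptions), here is the fix proposed above in PHP, with the check on the right-hand side of '|' done as the stricter scheme allowlist Arno says he favours instead of a prefix blacklist:

```php
<?php
// Added example: render a "[text | url]" external link and an "[internal: name]"
// link so that neither the link text nor the target can inject markup or script.
// Not PhpWiki's code; function names, scheme list and URL form are assumptions.

// Only these URL schemes may appear right of '|'. An allowlist is stricter than
// the "starts with script/java" blacklist proposed in the mail.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'mailto'];

function safe_external_link(string $text, string $url): ?string
{
    // Left of '|': escape <, >, &, " and ' so the text cannot become markup.
    $safeText = htmlspecialchars(trim($text), ENT_QUOTES, 'UTF-8');

    // Right of '|': drop leading control chars/whitespace, then require a known scheme.
    $cleanUrl = preg_replace('/^[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $cleanUrl, $m)) {
        return null;               // no recognisable scheme at all: reject
    }
    if (!in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
        return null;               // javascript:, data:, vbscript: ... end up here
    }
    $safeUrl = htmlspecialchars($cleanUrl, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$safeUrl\">$safeText</a>";
}

function safe_internal_link(string $name): ?string
{
    // Page names: limit the character set up front instead of escaping afterwards.
    $name = trim($name);
    if (!preg_match('/^[A-Za-z0-9 _.-]{1,80}$/', $name)) {
        return null;
    }
    $safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<a href=\"index.php?" . rawurlencode($name) . "\">$safeName</a>";
}

// The two probes from the report, as constructed inputs: both are rejected (NULL).
var_dump(safe_external_link('external', "javascript:alert('you are hacked')"));
var_dump(safe_internal_link("<script language=javascript>alert('bad stuff happens');</script>"));
echo safe_external_link('PhpWiki <home>', 'http://phpwiki.sourceforge.net/'), "\n";
echo safe_internal_link('FrontPage'), "\n";
```

The same htmlspecialchars() treatment applies to page names shown in RecentChanges, as the mail notes.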