Re: [Phpwiki-talk] new wikinames and javascript vulnerability

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Yes, the list can be configured so hitting "reply" sends to the list
instead of the author, but the Sourceforge documentation strongly
recommends against this (they don't say why though). I'm used to this with
other lists I'm on so I assumed it was for a good reason.

Wikic and the Tcl'ers Wiki both use the [] linking scheme. I wonder if
they are vulnerable too?

sw

On Sat, 3 Jun 2000, Arno Hollosi wrote:

> 
> Hi there,
> 
> the new name linking scheme is vulnerable to attack.
> The exploit goes something like this:
> 
> external links:
> [external | javascript:alert('you are hacked')]
> 
> internal links:
> [internal: <script language=javascript>alert('bad stuff happens');</script>]
> 
> The javascript is executed both times.
> This opens the doors to Javascript exploits never ending.
> (Actually internal links allow to include arbitrary HTML)
> 
> While I favour the approach to limit the charset allowed within '[]',
> I guess we can get by with the following fix:
> left of '|': encode text with htmlspecialchars()
> (same goes for names in RecentChanges)
> right of '|': forbid links starting with 'script' or 'java'
> 
> I will look further into the issue and tell you with
> what I can come up.
> 
> While poking around I discovered that the $magic_quotes_gpc=1 bug
> seems to be back (this time for page names) - not sure if this is
> also true when using mySQL.
> 
> 
> /Arno
> 
> P.S: be careful when replying to the list.
> Apparently the "Reply-To:" header is not set, so a simple
> reply just goes to the author and not to the list.
> 
> Steve, can this be changed in the list settings?
> 
> _______________________________________________
> Phpwiki-talk mailing list
> Php...@li...
> http://lists.sourceforge.net/mailman/listinfo/phpwiki-talk
> 

...............................ooo0000ooo.................................
   Hear FM quality freeform radio through the Internet: http://wcsb.org/
                     home page: www.wcsb.org/~swain 