Re: [Phpwiki-talk] new wikinames and javascript vulnerability

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On Sat, 3 Jun 2000, Arno Hollosi wrote:

> the new name linking scheme is vulnerable to attack.
> The exploit goes something like this:
> 
> external links:
> [external | javascript:alert('you are hacked')]
> 
> internal links:
> [internal: <script language=javascript>alert('bad stuff happens');</script>]
> 
> The javascript is executed both times.
> This opens the doors to Javascript exploits never ending.
> (Actually internal links allow to include arbitrary HTML)

Great catch, Arno. I tried out a couple other Wiki clones to see how they
behave and this attack did not work. I'm not at all ashamed that I
introduced such a wide hole, since it was a half-day's hacking to add the
new linking scheme :-)

Anyway, I was thinking how to solve this; and it hits the deeper issue of,
"What is the best linking scheme?" It's one that best serves the users, of
course.

One thing I don't like about it is having to use url-encoded page names:

http://www.somewiki.com/wiki/index.php3?this%20is%20a%20page%20name

It's ugly and unreadable. It's also unmemorable, which might even be
worse. A great thing about the old linking scheme is that it's so easy to
remember them:

http://c2.com/cgi-bin/wiki?LordOfTheFlies

Very effective.

I also have reservations about allowing named URL's (i.e. 
[some link name| http://www.foo.com/] ) because Wiki pages and external
pages look the same... I like the fact that they are clearly
distinguished under the old linking scheme.

Anyways, I think a simple approach is to write out all the kinds of links
we want to allow and then only allow those that fit the pattern. For
example,

[A PhpWiki page]

[an ftp link | ftp://ftp.redhat.com/pub/]

[a news link | news://secnews.netscape.com/]

[a web link | http://www.nytimes.com/]

[a mailto | mailto:sw...@pa...]

The Wiki does this already under the old linking scheme. It shouldn't be
hard to make sure it's universal.

> While I favour the approach to limit the charset allowed within '[]',
> I guess we can get by with the following fix:
> left of '|': encode text with htmlspecialchars()
> (same goes for names in RecentChanges)
> right of '|': forbid links starting with 'script' or 'java'

Right, in fact there are only six or so allowable patterns on the right
side (http, ftp, news, mailto, gopher, telnet, etc.)

> While poking around I discovered that the $magic_quotes_gpc=1 bug
> seems to be back (this time for page names) - not sure if this is
> also true when using mySQL.

That's odd. Maybe Sourceforge has it enabled? Or is the bug on your local
machine?

sw

...............................ooo0000ooo.................................
   Hear FM quality freeform radio through the Internet: http://wcsb.org/
                     home page: www.wcsb.org/~swain 