From: Steve W. <sw...@wc...> - 2000-06-03 22:31:19
On Sat, 3 Jun 2000, Arno Hollosi wrote:

> the new name linking scheme is vulnerable to attack.
> The exploit goes something like this:
>
> external links:
> [external | javascript:alert('you are hacked')]
>
> internal links:
> [internal: <script language=javascript>alert('bad stuff happens');</script>]
>
> The javascript is executed both times.
> This opens the doors to Javascript exploits never ending.
> (Actually internal links allow to include arbitrary HTML)

Great catch, Arno. I tried out a couple other Wiki clones to see how they behave and this attack did not work. I'm not at all ashamed that I introduced such a wide hole, since it was a half-day's hacking to add the new linking scheme :-)

Anyway, I was thinking how to solve this; and it hits the deeper issue of, "What is the best linking scheme?" It's one that best serves the users, of course.

One thing I don't like about it is having to use url-encoded page names:

http://www.somewiki.com/wiki/index.php3?this%20is%20a%20page%20name

It's ugly and unreadable. It's also unmemorable, which might even be worse. A great thing about the old linking scheme is that it's so easy to remember them:

http://c2.com/cgi-bin/wiki?LordOfTheFlies

Very effective.

I also have reservations about allowing named URLs (i.e. [some link name| http://www.foo.com/] ) because Wiki pages and external pages look the same... I like the fact that they are clearly distinguished under the old linking scheme.

Anyways, I think a simple approach is to write out all the kinds of links we want to allow and then only allow those that fit the pattern. For example,

[A PhpWiki page]
[an ftp link | ftp://ftp.redhat.com/pub/]
[a news link | news://secnews.netscape.com/]
[a web link | http://www.nytimes.com/]
[a mailto | mailto:sw...@pa...]

The Wiki does this already under the old linking scheme. It shouldn't be hard to make sure it's universal.

> While I favour the approach to limit the charset allowed within '[]',
> I guess we can get by with the following fix:
> left of '|': encode text with htmlspecialchars()
> (same goes for names in RecentChanges)
> right of '|': forbid links starting with 'script' or 'java'

Right, in fact there are only six or so allowable patterns on the right side (http, ftp, news, mailto, gopher, telnet, etc.)

> While poking around I discovered that the $magic_quotes_gpc=1 bug
> seems to be back (this time for page names) - not sure if this is
> also true when using mySQL.

That's odd. Maybe Sourceforge has it enabled? Or is the bug on your local machine?

sw

...............................ooo0000ooo.................................
Hear FM quality freeform radio through the Internet: http://wcsb.org/
home page: www.wcsb.org/~swain
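The fix discussed in this message, rendered as an added example in Python rather than PhpWiki's own PHP code: the left side of `|` is always HTML-encoded (here `html.escape` stands in for `htmlspecialchars()`), and the right side is accepted only if its URL scheme is on an explicit allow-list of the kinds named above (http, ftp, news, mailto, gopher, telnet). The bracket regex, the `ALLOWED_SCHEMES` set and the `index.php3?` page-URL layout are assumptions made for the illustration, not PhpWiki's actual syntax or routing.

```python
"""Allow-list rendering for a [text | url] wiki link syntax (added illustration).

Not PhpWiki code. html.escape plays the role of PHP's htmlspecialchars();
the regex, scheme list and internal page-URL layout are assumptions.
"""
import html
import re
from urllib.parse import quote, urlsplit

# Constructed allow-list, after the schemes the reply lists as acceptable.
ALLOWED_SCHEMES = frozenset(
    {"http", "https", "ftp", "news", "mailto", "gopher", "telnet"}
)

# Assumed bracket syntax: [Page Name] or [link text | target].
LINK_RE = re.compile(r"\[([^\[\]|]+?)(?:\s*\|\s*([^\[\]]+?))?\]")


def page_url(name):
    """Assumed URL layout for an internal page (not PhpWiki's real routing)."""
    return "index.php3?" + quote(name)


def render_link(text, target=None):
    """Return HTML for one link; a rejected target comes back as escaped text."""
    text = text.strip()
    label = html.escape(text, quote=True)  # left of '|': always encoded
    if target is None:  # internal page link: name goes into both href and label
        return f'<a href="{page_url(text)}">{label}</a>'
    target = target.strip()
    scheme = urlsplit(target).scheme  # urlsplit lower-cases the scheme
    if scheme not in ALLOWED_SCHEMES:
        # Not an allowed kind of link: show the markup literally, encoded.
        return html.escape(f"[{text} | {target}]", quote=True)
    return f'<a href="{html.escape(target, quote=True)}">{label}</a>'


def render(markup):
    """Encode all text, substituting only links that pass render_link."""
    out = []
    pos = 0
    for m in LINK_RE.finditer(markup):
        out.append(html.escape(markup[pos:m.start()], quote=True))
        out.append(render_link(m.group(1), m.group(2)))
        pos = m.end()
    out.append(html.escape(markup[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # The two cases from the report, plus two links the allow-list accepts.
    for sample in (
        "[external | javascript:alert('you are hacked')]",
        "[internal: <script language=javascript>alert('bad stuff happens');</script>]",
        "[a web link | http://www.nytimes.com/]",
        "[a mailto | mailto:sw...@pa...]",
    ):
        print(render(sample))
```

Checking the scheme against an allow-list is the robust form of "only allow those that fit the pattern"; a deny-list keyed on the prefixes `script` and `java` covers only the one scheme named in the report and leaves every other scheme a browser understands to be considered separately.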