
#74 Cross-site scripting vulnerability fix

Status: closed-fixed
Priority: 5
Updated: 2002-03-21
Created: 2002-02-06
Creator: Taku YASUI
Private: No

slashcode 2.2.x has a Cross-site scripting vulnerability
on newuserform. Please fix this security problem and
release a new version.

--- users.pl Wed Jan 30 13:40:58 2002
+++ users.pl.new Wed Jan 30 13:38:41 2002
@@ -419,9 +419,12 @@
if ($uid =
$slashdb->createUser($matchname, $form->{email},
$form->{newusernick})) {

$title = getTitle('newUser_title');
+ $form->{email} =~ s/[<">]//g;

$form->{pubkey} =
strip_nohtml($form->{pubkey}, 1);
print getMessage('newuser_msg', {
+ email => $form->{email},
+ newusernick =>
$form->{newusernick},
suadmin_flag =>
$suadmin_flag,
title => $title,
uid => $uid });
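Review bot: the `$form->{email} =~ s/[<">]//g;` line strips characters from the submitted address instead of encoding them for HTML, so a legal address with a quoted local part is silently rewritten before it is echoed back, and it runs only after `createUser` has already stored the unmodified value, so any other page that prints the same field stays unprotected. Prefer HTML-escaping at the point of output (in the template that prints it) and leave the input intact. Note also that `newusernick => $form->{newusernick}` is passed through in this hunk with no such treatment; unless nick validation elsewhere already excludes `<`, `>` and `"`, it needs the same output encoding as the email.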

--- messages;users;default Wed Jan 30 13:42:47 2002
+++ messages;users;default.new Wed Jan 30 13:43:57 2002
@@ -31,14 +31,14 @@

[% CASE 'newuser_msg' %]
[% PROCESS titlebar title=title width="100%" %]
- <B>email</B>=[% form.email %]<BR>
+ <B>email</B>=[% email %]<BR>
<B>user id</B>=[% uid %]<BR>
- <B>nick</B>=[% form.newusernick %]<BR>
- <B>passwd</B>=mailed to [% form.email %]<BR>
+ <B>nick</B>=[% newusernick %]<BR>
+ <B>passwd</B>=mailed to [% email %]<BR>
[% IF suadmin_flag %]
<P>Now you can edit the newly created user
<A HREF="[% constants.rootdir
%]/users.pl?op=userinfo&userfield=[% uid %]">
- [% form.newusernick %], UID [% uid
%]</A></P>
+ [% newusernick %], UID [% uid %]</A></P>
[% ELSE %]
<P>Once you receive your password, you can log
in and
<A HREF="[% constants.rootdir %]/users.pl">set
your account up</A>
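Review bot: this hunk only renames the interpolated variables (`[% form.email %]` to `[% email %]`, `[% form.newusernick %]` to `[% newusernick %]`); the template still emits them raw, so its safety depends entirely on the caller having stripped the characters first, and the original `[% form.email %]` pattern remains unsafe anywhere it is not pre-stripped. Since these values are written as HTML text, apply Template Toolkit's `html` filter at each interpolation point, e.g. `<B>email</B>=[% email | html %]<BR>` and `<B>nick</B>=[% newusernick | html %]<BR>`, which makes the template correct on its own and removes the need to alter the stored address. The `[% newusernick %], UID [% uid %]</A></P>` change is otherwise just a line join and needs the same filter on `newusernick`.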

Discussion

  • Jamie McCarthy - 2002-02-06
    • assigned_to: nobody --> jamiemccarthy
    • status: open --> open-fixed

  • Jamie McCarthy - 2002-02-06
    Logged In: YES, user_id=3889

    Thank you for submitting this information; we appreciate both your discovery of it, and your helping us out.

    This is a bug, but not a vulnerability, as there is no exploit. It may be possible for a logged-in user to send his or her own cookie to a website of his or her choice, by cleverly concocting an email address with quote and angle bracket. But the user had to have his or her own cookie already, to be logged-in, so there is no new information revealed, and no escalation of privileges.

    We committed a fix of this to the 2.3.x CVS branch on Jan. 30. We preferred to fix it entirely in messages;users;default -- we don't see a need to patch users.pl, as ensuring validity of email addresses is a tricky business and there are always people who want to use weird but legal characters:

    http://cvs.slashcode.com/index.cgi/slash/themes/slashcode/templates/messages;users;default.diff?r1=1.6&r2=1.7

    We will fold this patch into our next release on the 2.2.x tree, but since there is no exploit, we don't feel it necessary to release a new version of 2.2.x at this time.

    Again, thanks for finding this.
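The distinction drawn in the comment above, between stripping characters out of the submitted address and encoding the address at the moment it is written into HTML, can be made concrete. The following Python snippet is an added example, not code from the ticket or from Slash: it reproduces the stripping done by the users.pl hunk, contrasts it with output encoding (Python's `html.escape` standing in for a template-side escape filter), and renders the four data lines of the `newuser_msg` template with encoding applied at each interpolation point. The sample addresses and all helper names are constructed for the example.

```python
import html
import re

# Constructed sample inputs (not from the ticket): a plain address, a legal
# address with a quoted local part, and one carrying HTML markup of the kind
# the report describes (quote and angle-bracket characters).
SAMPLE_EMAILS = [
    "alice@example.com",
    '"john doe"@example.com',
    "bob<b>x</b>@example.com",
]


def strip_markup_chars(value: str) -> str:
    """Mirror of the users.pl hunk: delete every '<', '"' and '>' from the value."""
    return re.sub(r'[<">]', "", value)


def escape_for_html(value: str) -> str:
    """Output encoding: leave the value intact, make it inert as HTML text."""
    return html.escape(value, quote=True)


def compare(value: str) -> dict:
    """Show what each approach does to one address.

    'strip_altered_value' - stripping changed the address the user typed
    'escape_roundtrips'   - decoding the escaped form gives the original back
    'escaped_has_raw_tag' - a '<' or '>' survived encoding (should never happen)
    """
    stripped = strip_markup_chars(value)
    escaped = escape_for_html(value)
    return {
        "stripped": stripped,
        "escaped": escaped,
        "strip_altered_value": stripped != value,
        "escape_roundtrips": html.unescape(escaped) == value,
        "escaped_has_raw_tag": "<" in escaped or ">" in escaped,
    }


def render_newuser_msg(email: str, newusernick: str, uid: int) -> str:
    """Render the four data lines of 'newuser_msg' with encoding applied at
    each interpolation point, i.e. the template-side fix; uid is server-generated."""
    return (
        f"<B>email</B>={escape_for_html(email)}<BR>\n"
        f"<B>user id</B>={uid}<BR>\n"
        f"<B>nick</B>={escape_for_html(newusernick)}<BR>\n"
        f"<B>passwd</B>=mailed to {escape_for_html(email)}<BR>"
    )


if __name__ == "__main__":
    for addr in SAMPLE_EMAILS:
        print(addr, compare(addr))
    print(render_newuser_msg(SAMPLE_EMAILS[2], "bob", 7))
```

Running it shows that stripping turns the legal `"john doe"@example.com` into a different address, while encoding preserves every input and decodes back to it, and that the rendered lines never contain a raw tag regardless of what the user typed.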


  • Jamie McCarthy - 2002-03-21
    • status: open-fixed --> closed-fixed
