
#680 Vulnerability to cross-site scripting attacks

6.9.0
closed
None
6.8.2
Security
8.3
MariaDB
Linux
Development
2024-04-05
2024-04-04
Joachim
No

Hi Mark and Stéphane,

the Dorkbot of UT Austin has discovered a new script vulnerability. In short, launching the URL https://www.bobc.uni-bonn.de/index.php?browserTabID=%22%3E%3Cimg+src%3Dxyz+onerror%3Dalert%28150%29%3E manipulates the database URL permanently, which means you always have the part ="><img+src%3Dxyz+onerror%3Dalert(150)> at the end after the normal URL, even when clicking around.

The Dorkbot reports that this page is vulnerable to cross-site scripting attacks.

The CFB style is fine, thanks, Mark. I've been a little unresponsive lately because I'm ill.

Best wishes

Joachim

Related

News: 2024/04/wikindx-v690-release-candidate-1
News: 2024/04/wikindx-v690

Discussion

  • Mark Grimshaw

    Mark Grimshaw - 2024-04-04
    • assigned_to: Stéphane Aulery
     
  • Mark Grimshaw

    Mark Grimshaw - 2024-04-04

    Thanks Joachim,

    We'll look into it asap.

    Regards and I wish you a speedy recovery,

    Mark

     
    • Stéphane Aulery

      Hi Mark,

      Please give me a real example of a browserTabID token.

      Regards,

       
      • Mark Grimshaw

        Mark Grimshaw - 2024-04-04

        Hi Stéphane,

        Here you go:
        browserTabID=007fc6f2-c192-4e1b-8907-eec1d3477b3a

        Mark

         
        • Stéphane Aulery

          Thanks. To prevent a hack you need to add a check that the format of the token received from the browser matches uuidv4(), and reject a token that is not well formed.

           
          • Mark Grimshaw

            Mark Grimshaw - 2024-04-04

            I guess it is easy enough to implement with something like:

            // Reject anything that is not a string in canonical UUIDv4 form
            if (!is_string($uuid) || (preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/', $uuid) !== 1)) {
                return false;
            }

            I'll see if I can find time today to do it.

            Worthy of a new release?

            Mark

             
            • Stéphane Aulery

              Yes, this is one of the objectives of the new system. Patch security vulnerabilities quickly.

              Given the few modifications made since 6.8.2, we could also release 6.9.0 if nothing is broken.

               
              • Mark Grimshaw

                Mark Grimshaw - 2024-04-04

                Bug fixed. Let's release 6.9.0.

                Mark

                 
                • Stéphane Aulery

                  This evening, if I can, I will finish the translations with DeepL and release.

                   
                  • Stéphane Aulery

                    We agree, it's an RC?

                     
                • Joachim

                  Joachim - 2024-04-05

                  Hi Mark,

                  could you please give me a patch to fix my production server? My uni is getting nervous …

                  Best
                  Joachim

                   
                  • Stéphane Aulery

                    Hi Joachim,

                    We released version 6.9.0-rc1 last night that you can use immediately.

                    Regards,

                     
                  • Mark Grimshaw

                    Mark Grimshaw - 2024-04-05

                    Hi Joachim,

                    In core/startup/BROWSERTABID.php, the final else{} conditional should look like this:

                    else
                    {
                        // go into gatekeeper to check if browserTabID is unique to the tab (perhaps user has opened link with browserTabID in a new tab/window)
                        $id = $this->vars['browserTabID'];
                        // Check validity of $id
                        if (!is_string($id) || (preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/', $id) !== 1)) {
                            return;
                        }
                        $gatewayString = 'getBrowserTabID("' . $url . '", "' . $qs . '", "' . $id . '")';
                        GLOBALS::setBrowserTabID($id);
                    }

                    I can't give you the precise lines because the current RC has some other changes in that file. But the important part is the checking of the validity of $id:

                        // Check validity of $id
                        if (!is_string($id) || (preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/', $id) !== 1)) {
                            return;
                        }

                    That should do it for you until we finalize the RC.

                    Regards,

                    Mark

                     
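As an added example (not WIKINDX's own code), the validity check from the patch above wrapped in a stand-alone PHP function and exercised against the token Mark quoted and the payload from Joachim's report; the function names and the json_encode step for the JavaScript string literal are my additions, not part of the fix.

```php
<?php
// Added example, not WIKINDX code: validate a browserTabID the way the fix
// in core/startup/BROWSERTABID.php does, then build the JS call from it.
declare(strict_types=1);

// Strict UUIDv4 shape: 8-4-4-4-12 lowercase hex, version nibble 4,
// variant nibble 8/9/a/b. The is_string() guard also rejects arrays
// that PHP builds from a query string such as ?browserTabID[]=x.
// Note: without the /i flag an uppercase UUID is rejected as well.
function isValidBrowserTabID($id): bool
{
    return is_string($id)
        && preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/', $id) === 1;
}

// Build the gateway call only from a validated id. json_encode() is an
// extra step (my addition): each argument is emitted as a properly quoted
// JavaScript string literal instead of being concatenated between quotes,
// so the output can never close the string the way the reported payload did.
function buildGatewayString(string $url, string $qs, string $id): ?string
{
    if (!isValidBrowserTabID($id)) {
        return null; // caller should fall back to issuing a fresh token
    }
    return 'getBrowserTabID(' . json_encode($url) . ', '
        . json_encode($qs) . ', ' . json_encode($id) . ')';
}

// Constructed inputs: the token from the thread and the reported payload.
$goodToken = '007fc6f2-c192-4e1b-8907-eec1d3477b3a';
$badToken  = '"><img src=xyz onerror=alert(150)>';

var_dump(isValidBrowserTabID($goodToken));
var_dump(isValidBrowserTabID($badToken));
var_dump(isValidBrowserTabID(['x']));
var_dump(buildGatewayString('index.php', 'action=list', $goodToken));
var_dump(buildGatewayString('index.php', 'action=list', $badToken));
```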
                  • Mark Grimshaw

                    Mark Grimshaw - 2024-04-05

                    I didn't see Stéphane's post but, yes, use the RC released last night.

                    Mark

                     
  • Stéphane Aulery

    • status: open --> pending
    • Target: Unknown --> 6.9.0
    • Release cycle: Unknown --> Development
     
  • Stéphane Aulery

    • status: pending --> closed
     
