Vulnerability to cross-site scripting attacks
Virtual Research Environment / On-line Bibliography Manager
Hi Mark and Stéphane,
the Dorkbot of UT Austin has discovered a new script vulnerability. In short, launching the URL https://www.bobc.uni-bonn.de/index.php?browserTabID=%22%3E%3Cimg+src%3Dxyz+onerror%3Dalert%28150%29%3E
manipulates the database URL permanently, which means you always have the part ="><img+src%3Dxyz+onerror%3Dalert(150)>
at the end after the normal URL, even when clicking around.
The Dorkbot says that this page is vulnerable to cross-site scripting attacks.
The CFB style is fine, thanks, Mark. I've been a bit unresponsive lately because I'm ill.
Best wishes
Joachim
Thanks Joachim,
We'll look into it asap.
Regards and I wish you a speedy recovery,
Mark
Hi Mark,
Please give me a real example of a browserTabID token.
Regards,
Hi Stéphane,
Here you go:
browserTabID=007fc6f2-c192-4e1b-8907-eec1d3477b3a
Mark
Thanks. To prevent a hack you need to add a check that the format of the token received from the browser matches uuidv4(), and reject a token that is not well formed.
I guess it is easy enough to implement with something like:
I'll see if I can find time today to do it.
Worthy of a new release?
Mark
Yes, this is one of the objectives of the new system. Patch security vulnerabilities quickly.
Given the few modifications made since 6.8.2, we could also release 6.9.0 if nothing is broken.
Bug fixed. Let's release 6.9.0.
Mark
This evening, if I can, I will finish the translations with DeepL and release.
We agree, it's an RC?
Hi Mark,
could you please give me a patch to fix my production server? My uni is getting nervous …
Best
Joachim
Hi Joachim,
We released version 6.9.0-rc1 last night that you can use immediately.
Regards,
Hi Joachim,
In core/startup/BROWSERTABID.php, the final else{} conditional should look like this:
I can't give you the precise lines because the current RC has some other changes in that file. But the important part is the checking of the validity of $id:
That should do it for you until we finalize the RC.
Regards,
Mark
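As an added illustration of the kind of format check discussed above (this is not WIKINDX's patch and not the code omitted from the posts; the function names are hypothetical): the token sent by the browser is accepted only if it is a well-formed UUIDv4, and anything else is discarded and replaced with a freshly generated one, so a crafted value never reaches the stored URL.

```php
<?php
// Added example, not the project's own code: validate the browserTabID
// before it is used anywhere, so an injected value cannot be stored and
// replayed into every later page.

/**
 * True only for a well-formed UUIDv4: 8-4-4-4-12 hex digits, version
 * nibble 4 and RFC 4122 variant nibble 8/9/a/b. Anything else is rejected.
 */
function isValidBrowserTabId(string $id): bool
{
    return preg_match(
        '/\A[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\z/i',
        $id
    ) === 1;
}

/** Generate a fresh random UUIDv4 (hypothetical helper). */
function newBrowserTabId(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

/**
 * Decide which tab ID this request uses: keep a well-formed one from the
 * browser, otherwise drop it and issue a new one (hypothetical helper).
 */
function resolveBrowserTabId(?string $fromRequest): string
{
    if ($fromRequest !== null && isValidBrowserTabId($fromRequest)) {
        return strtolower($fromRequest);
    }
    return newBrowserTabId();
}

// Constructed inputs: the sample token from the thread and the scanner's
// payload as it would arrive in $_GET['browserTabID'] after URL decoding.
$good = '007fc6f2-c192-4e1b-8907-eec1d3477b3a';
$bad  = '"><img src=xyz onerror=alert(150)>';

var_dump(isValidBrowserTabId($good));   // the real token passes
var_dump(isValidBrowserTabId($bad));    // the payload is rejected
$id = resolveBrowserTabId($bad);        // a fresh UUIDv4 replaces it
var_dump(isValidBrowserTabId($id));
```

As defence in depth, the token should also be HTML-encoded (e.g. with htmlspecialchars()) wherever it is written into page output, so even a validation gap cannot turn it into markup.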
I didn't see Stéphane's post but, yes, use the RC released last night.
Mark