#2336: possible security hole in default error handler
------------------------+---------------------------------------------------
Reporter: diefans | Owner:
Type: defect | Status: new
Priority: highest | Milestone:
Component: TurboGears | Version: 2.0b7
Severity: critical | Keywords: javascript injection
------------------------+---------------------------------------------------
Hello,
It is possible to inject executable JavaScript code into an error page
generated by the default ErrorController.document method.
Just put the code into the message URL parameter.
This is because:
1. the error handler uses manipulatable request parameters
2. the template shows those possibly manipulated parameters as XML and not
as escaped HTML/XML (IMHO quite irresponsible)
Since error handling is the last thing developers pay attention to, and
some will even ignore it completely or use these defaults, this could be a
sleeping vulnerability for many of them.
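The two points above, shown side by side as an added example (this is not code from the ticket or from TurboGears; the request-parsing helper and the page strings are constructed stand-ins for the real ErrorController.document and its template). The first renderer reproduces the pattern the ticket describes, a request parameter emitted into the page as raw markup; the second escapes every client-supplied value; the third does not echo the client's message at all and picks the text from a server-side table keyed by a validated status code. A small check function shows how a test can catch the first pattern.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the message parameter carries markup.
SAMPLE_URL = "/error/document?code=404&message=%3Cscript%3Ealert(1)%3C/script%3E"

# Constructed server-side message table, keyed by HTTP status code.
DEFAULT_MESSAGES = {
    404: "The page you requested was not found.",
    500: "An internal error occurred.",
}


def request_params(url):
    """Parse the query string into a single-valued dict.

    Hypothetical stand-in for the framework's request.params object.
    """
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_unescaped(params):
    """Pattern described in the ticket: the parameter is emitted as raw XML.

    Whatever the client put in ?message= lands in the page unchanged.
    """
    return "<h1>Error {code}</h1><p>{message}</p>".format(
        code=params.get("code", ""), message=params.get("message", ""))


def render_escaped(params):
    """Hardened: every request-supplied value is HTML-escaped before output.

    quote=True also escapes quotes, so the value is safe inside attributes.
    """
    return "<h1>Error {code}</h1><p>{message}</p>".format(
        code=html.escape(params.get("code", ""), quote=True),
        message=html.escape(params.get("message", ""), quote=True))


def render_server_side(params):
    """Hardened further: never echo the client's message.

    The only client input used is the status code, which is validated as an
    integer and looked up in a server-side table; unknown codes fall back to
    the generic 500 text.
    """
    try:
        code = int(params.get("code", ""))
    except ValueError:
        code = 500
    if code not in DEFAULT_MESSAGES:
        code = 500
    message = DEFAULT_MESSAGES[code]
    return "<h1>Error {}</h1><p>{}</p>".format(code, html.escape(message, quote=True))


def contains_unescaped(page, untrusted):
    """Check used by a test: True if an untrusted value appears verbatim in the output."""
    return untrusted in page


if __name__ == "__main__":
    params = request_params(SAMPLE_URL)
    print("unescaped :", render_unescaped(params))
    print("escaped   :", render_escaped(params))
    print("server    :", render_server_side(params))
    print("leak in unescaped page:", contains_unescaped(render_unescaped(params), params["message"]))
    print("leak in escaped page  :", contains_unescaped(render_escaped(params), params["message"]))
```

In Genshi, which TurboGears 2 uses for its default templates, a plain `${expr}` expression is escaped on output; escaping is only skipped when the value is wrapped as markup (for example with `Markup` or `XML()`). The ticket does not show the template, so which construct it uses is not known from the report, but the `contains_unescaped` check above is the kind of assertion that flags either way: render the error page with a marker string in `message` and fail the test if the marker comes back verbatim.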
--
Ticket URL: <http://trac.turbogears.org/ticket/2336>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development