#2336: possible security hole in default error handler
----------------------------------+-----------------------------------------
Reporter: diefans | Owner:
Type: defect | Status: new
Priority: highest | Milestone: 2.0
Component: TurboGears | Version: 2.0
Severity: critical | Resolution:
Keywords: javascript injection |
----------------------------------+-----------------------------------------
Changes (by jorge.vargas):
* version: 2.0b7 => 2.0
* milestone: => 2.0
Old description:
> Hello,
>
> It is possible to inject executable JavaScript code into an error page
> generated by the default ErrorController.document method.
> Just put the code into the message URL parameter.
>
> This is because:
> 1. the error handler uses manipulatable request parameters
> 2. the template shows those possible manipulated parameters as XML and
> not as escaped HTML/XML (IMHO quite irresponsible)
>
> Since the error handling will be the last point where developers put
> attention to, even some will ignore it completely or use these defaults,
> this could be a sleeping vulnerability to many of them.
New description:
Hello,
It is possible to inject executable JavaScript code into an error page
generated by the default ErrorController.document method.
Just put the code into the message URL parameter.
This is because:
1. the error handler uses manipulatable request parameters
2. the template shows those possible manipulated parameters as XML and
not as escaped HTML/XML (IMHO quite irresponsible)
Since the error handling will be the last point where developers put
attention to, even some will ignore it completely or use these defaults,
this could be a sleeping vulnerability to many of them.
Comment:
I'm not entirely sure this is accurate. Will ask a genshi expert.
--
Ticket URL: <http://trac.turbogears.org/ticket/2336#comment:1>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
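An added illustration of the two points in the ticket description (not code from the ticket or from TurboGears): a stand-in `XML` marker imitates how a Genshi `XML()` value is emitted verbatim, `document_unsafe` hands the `message` request parameter to the template that way, `document_hardened` hands it over as plain text so the template escapes it, and `reflects_unescaped` is a regression check a project could keep for its error handler. All names and the sample query string are constructed.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for Genshi's XML(): a string wrapped in it is trusted
# markup and is written to the page as-is; any other string is escaped.
class XML(str):
    """Marker type: contents are emitted verbatim (hypothetical stand-in)."""


def render_error_page(message):
    """Minimal stand-in for the error template: markup passes through,
    text is HTML-escaped (including quotes, so attribute contexts are safe)."""
    if isinstance(message, XML):
        body = str(message)
    else:
        body = html.escape(str(message), quote=True)
    return "<html><body><p>%s</p></body></html>" % body


def _message_param(query_string):
    """Read the 'message' request parameter, falling back to a fixed text."""
    params = parse_qs(query_string)
    return params.get("message", ["Unknown error"])[0]


def document_unsafe(query_string):
    """Vulnerable shape described in the ticket: the attacker-controlled
    parameter reaches the template as markup, so it is not escaped."""
    return render_error_page(XML(_message_param(query_string)))


def document_hardened(query_string):
    """Hardened shape: the parameter is rendered as text, so the template
    escapes it and the page can no longer execute what the URL carried."""
    return render_error_page(_message_param(query_string))


def reflects_unescaped(page, param_value):
    """Regression check: True when a parameter value that contains markup
    characters appears verbatim in the rendered page (i.e. unescaped)."""
    has_markup = any(c in param_value for c in "<>\"'")
    return has_markup and param_value in page


# Constructed sample request: the message parameter carries a script tag.
SAMPLE_MESSAGE = "<script>x</script>"
SAMPLE_QS = "message=%3Cscript%3Ex%3C%2Fscript%3E"
```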