#2336: possible security hole in default error handler
----------------------------------+-----------------------------------------
 Reporter:  diefans               |        Owner:     
     Type:  defect                |       Status:  new
 Priority:  highest               |    Milestone:  2.0
Component:  TurboGears            |      Version:  2.0
 Severity:  critical              |   Resolution:     
 Keywords:  javascript injection  |  
----------------------------------+-----------------------------------------
Comment (by diefans):

 Let's say you have an application where you serve files, and when a wrong
 file id is requested you serve a 404 error by calling:

 {{{
 raise HTTPNotFound
 }}}

 On that page you can append a message parameter like:
 {{{
 http://localhost:8080/file?id=invalid&message=%3Cscript%20type=%22text/javascript%22%3Ealert(%27test%27)%3C/script%3E
 }}}

 This is my error document method as it was created by quickstart. As you
 can see, the URL parameter "message" is forwarded to the template as it is:
 {{{
 from tg import request

 def document(self, *args, **kwargs):
     """Render the error document"""
     resp = request.environ.get('pylons.original_response')
     default_message = ("<p>We're sorry but we weren't able to process"
                        " this request.</p>")
     # 'code' and 'message' are taken straight from the request's query string;
     # 'message' is later rendered with XML() in the template, unescaped.
     values = dict(prefix=request.environ.get('SCRIPT_NAME', ''),
                   code=request.params.get('code', resp.status_int),
                   message=str(request.params.get('message',
                                                  default_message)))
     return values
 }}}

 This is the error template as it was created by quickstart:

 {{{
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml"
       xmlns:py="http://genshi.edgewall.org/"
       xmlns:xi="http://www.w3.org/2001/XInclude">

   <xi:include href="master.html" />

 <head>
   <meta content="text/html; charset=UTF-8" http-equiv="content-type"
 py:replace="''"/>
   <title>A ${code} Error has Occurred </title>
 </head>

 <body>
 <h1>Error ${code}</h1>

 <div>${XML(message)}</div>
 </body>
 </html>
 }}}

 The relevant part is:
 {{{
 <div>${XML(message)}</div>
 }}}

 which means that everything in message is considered to be valid XML and
 is inserted as such. In the end you have the following code in your error
 page:
 {{{
 <div id="content">
 <h1>Error 404</h1>

 <div><script type="text/javascript">alert('test')</script></div>
     <div class="clearingdiv"></div>
     <!-- End of content -->
   </div>
 }}}

 It's a security hole, because unplanned and unwanted events may occur on
 that page...

-- 
Ticket URL: <http://trac.turbogears.org/ticket/2336#comment:3>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
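The following is an added example, not TurboGears' own code nor the quickstart template, showing why `${XML(message)}` is a reflected XSS sink and what the hardened controller/template pair looks like. Genshi's `XML()` marks its argument as trusted markup and inserts it verbatim, whereas a plain `${message}` expression escapes a string; `html.escape` below stands in for that escaping so the script runs without Genshi, and `request_params`, `DEFAULT_MESSAGE_TEXT` and the `render_*` helpers are assumed stand-ins for `request.params` and the template, not TurboGears API.

```python
"""Added example (not TurboGears/quickstart code): the quickstart error
document reflecting request.params['message'] through XML(), next to a
hardened variant that treats the parameter as untrusted text.

html.escape stands in for Genshi's default ${...} escaping so this runs
without Genshi installed.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request, taken from the ticket's proof-of-concept URL.
POC_URL = ("http://localhost:8080/file?id=invalid&message="
           "%3Cscript%20type=%22text/javascript%22%3Ealert(%27test%27)%3C/script%3E")

# Quickstart's server-side default, kept as markup for the vulnerable variant.
DEFAULT_MESSAGE = "<p>We're sorry but we weren't able to process this request.</p>"
# Hardened variant keeps the default as plain text; the template adds the markup.
DEFAULT_MESSAGE_TEXT = "We're sorry but we weren't able to process this request."


def request_params(url):
    """Flatten a query string the way request.params exposes it (first value wins).
    Assumed stand-in for the real request object."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def error_document_vulnerable(params, status_int=404):
    """Mirror of the quickstart controller: 'message' is forwarded verbatim."""
    return dict(code=params.get('code', status_int),
                message=str(params.get('message', DEFAULT_MESSAGE)))


def render_vulnerable(values):
    """Stand-in for <div>${XML(message)}</div>: markup is inserted unescaped."""
    return "<h1>Error %s</h1>\n<div>%s</div>" % (values['code'], values['message'])


def error_document_hardened(params, status_int=404):
    """Trust only the original response status; treat query data as text.

    'code' is coerced to int (falling back to the real status) so the page
    cannot be made to show an arbitrary string, and 'message' is returned as
    plain text that the template must escape."""
    try:
        code = int(params.get('code', status_int))
    except (TypeError, ValueError):
        code = status_int
    message = str(params.get('message', DEFAULT_MESSAGE_TEXT))
    return dict(code=code, message=message)


def render_hardened(values):
    """Stand-in for <div><p>${message}</p></div>: the expression is escaped,
    so user-supplied tags are shown literally instead of executed."""
    return "<h1>Error %d</h1>\n<div><p>%s</p></div>" % (
        values['code'], html.escape(values['message'], quote=True))


def contains_script(page):
    """Crude check used only to contrast the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    params = request_params(POC_URL)
    print(render_vulnerable(error_document_vulnerable(params)))
    print()
    print(render_hardened(error_document_hardened(params)))
```

Running it prints the page from the ticket with the live `<script>` element first, then the hardened page in which the same parameter appears as `&lt;script ...&gt;` text. The fix is at the template boundary: as long as `XML()` wraps a value that can come from the query string, escaping elsewhere does not help, so either stop reading `message` from `request.params` or render it with a plain `${message}` expression.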
