That is one case, but I think there are others. I don't think that an ERXWOForm fix is going to get them all.
On Jul 12, 2011, at 5:23 PM, Ramsey Gurley wrote:

> That's my main concern. It is happening on every ERXRequest. I'd rather not
> waste the cycles if it can be handled in one method on ERXWOForm. Given the
> info I have now, I'd be inclined to change the boolean arg at line 251 on
> ERXWOForm and mark it fixed. Are there any other examples related to this
> issue that you are aware of?
>
> Ramsey
>
> On Jul 12, 2011, at 5:05 PM, Simon wrote:
>
>> nice one! yeah, that works. whacks a new text field into your page
>> and gives it focus :-)
>>
>> https://secure.kagi.com/cgi-bin/WebObjects/PQ?wosid=%22%3E%3Cinput%20onfocus=write(1)%20autofocus%3E
>>
>> the wosid parameter in a webobjects url is a gaping backdoor for cross
>> site scripting (whether you are storing session ids in urls or not).
>> the patch we are running in ERXRequest checks for a wosid parameter
>> coming in on every request and makes sure it contains no dodgy-looking
>> characters. if it finds them, it throws the whole session key away.
>> it's kinda like what mike suggested, but allows you to support
>> non-cookie sessions.
>>
>> simon
>>
>> On 13 July 2011 00:01, Ramsey Gurley <rgur...@smarthealth.com> wrote:
>>> That's two votes for owasp it seems.... How does it handle new techniques
>>> introduced by html5? Will it catch stuff like:
>>>
>>> <input onfocus=write(1) autofocus>
>>>
>>> Found a rather large list of these at html5sec.org
>>>
>>> Ramsey
>>>
>>> On Jul 12, 2011, at 5:05 AM, Josef Burzler wrote:
>>>
>>>> WO applications are indeed vulnerable to cross-site scripting if end users
>>>> are allowed to submit HTML.
>>>> An example would be an online HTML editor which allows users to edit
>>>> formatted text in their browsers.
>>>>
>>>> In order to remove unwanted and malicious code from the submitted HTML and
>>>> avoid cross-site scripting issues one has to filter the submitted content
>>>> on the server side.
>>>> For this task I have found AntiSamy to be a useful solution:
>>>> https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
>>>>
>>>> Josef
>>>>
>>>> On 12.07.2011 at 09:36, Simon wrote:
>>>>
>>>>> i think core WO is still plagued with the wosid cross-scripting issue
>>>>> too. we patch it in ERXRequest - not sure if the patch ever made it into
>>>>> wonder though...
>>>>>
>>>>> simon
>>>>>
>>>>> On 12 July 2011 02:43, Mike Schrag <msch...@pobox.com> wrote:
>>>>> You have to be mindful of ever rendering any tainted strings ... Any
>>>>> string that came from user input should be considered a risk for cross
>>>>> site scripting, so that's any field editable by a user, or any query
>>>>> parameter, etc. If you append those strings to the response or <WOString>
>>>>> render them, make sure to escape HTML or strip HTML.
>>>>>
>>>>> ms
>>>>>
>>>>> On Jul 11, 2011, at 9:41 PM, Mai Nguyen wrote:
>>>>>
>>>>>> Do you mean the issue of malicious HTML tags?
>>>>>>
>>>>>> I wonder what would be the best way to prevent those?
>>>>>>
>>>>>> thanks,
>>>>>>
>>>>>> mai
>>>>>>
>>>>>> On Jul 11, 2011, at 6:36 PM, George Domurot wrote:
>>>>>>
>>>>>>> If you output strings with escapeHTML=false, you could have an issue.
>>>>>>> You may want to consider stripping all potential tags from strings
>>>>>>> prior to rendering, or at the time of entry.
>>>>>>>
>>>>>>> -G
>>>>>>>
>>>>>>> On Jul 11, 2011, at 6:01 PM, Mai Nguyen wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>> I have found some good information about WebObjects and security at
>>>>>>>> the following wiki link:
>>>>>>>>
>>>>>>>> http://en.wikibooks.org/wiki/WebObjects/Web_Applications/Development/Authentication_and_Security
>>>>>>>>
>>>>>>>> However, there is no mention of SQL injection, which seems to be an
>>>>>>>> active subject lately. Is WebObjects pretty safe, as there is no need
>>>>>>>> to generate SQL directly and access to the DB normally goes through the EOs?
>>>>>>>> Are there any other loopholes that I am not aware of?
>>>>>>>> About the following article:
>>>>>>>> http://support.apple.com/kb/TA26730?viewlocale=en_US
>>>>>>>> Would the normal WebObjects behavior be pretty safe if one does not
>>>>>>>> allow the user to enter HTML tags? Does Project Wonder do something in
>>>>>>>> this area?
>>>>>>>>
>>>>>>>> Many thanks for your advice,
>>>>>>>>
>>>>>>>> -mai
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>>>> Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
>>>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>>>> http://lists.apple.com/mailman/options/webobjects-dev/george%40boxofficetickets.com
>>>>>>>>
>>>>>>>> This email sent to geo...@boxofficetickets.com
>>>>
>>>> --
>>>> Dr. Josef Burzler
>>>>
>>>> Phone +49-(0)941-69 84 84-37
>>>> j.burz...@selbstdenker.ag
>>>>
>>>> ===================================
>>>>
>>>> SELBSTDENKER AG - No Vision Too Far
>>>>
>>>> Gesandtenstraße 10
>>>> 93047 Regensburg
>>>> Phone +49-(0)941-69 84 84-0
>>>> Fax +49-(0)941-69 84 84-99
>>>>
>>>> b...@selbstdenker.ag
>>>> http://www.selbstdenker.ag
>>>>
>>>> Branch office: Regensburg
>>>> Commercial register: Regensburg HRB 7860
>>>> CEO: Mr Stephan Fürnrohr
>>>> Chairman of the board: Mr Richard Sibinger, Dipl. Betriebswirt (FH)

--
Chuck Hill
Senior Consultant / VP Development

Practical WebObjects - for developers who want to increase their overall
knowledge of WebObjects or who are trying to solve specific problems.
http://www.global-village.net/products/practical_webobjects
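The two defensive measures discussed in the thread, Simon's allow-list check on the incoming wosid value and Mike's rule that any tainted string reaching the response must be HTML-escaped, are shown below as an added, framework-free Java example. It is not the ERXRequest patch or any other Project Wonder code. The session-id format (a short run of ASCII letters and digits, constant SAFE_WOSID) is an assumption made for the example; the sample inputs are constructed, one of them being the payload quoted in the thread. Java 10 or later is assumed for the Charset overload of URLDecoder.decode.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Added example (not Wonder's code): allow-list validation of a wosid query value
 * and HTML escaping for anything that is reflected back into markup.
 */
public final class WosidGuard {

    // Assumption for this example: a legitimate session id is 1..64 ASCII letters or digits.
    // Anything outside that allow-list is treated as tampering and the session is dropped,
    // which is the behaviour Simon describes for the ERXRequest patch.
    private static final Pattern SAFE_WOSID = Pattern.compile("[A-Za-z0-9]{1,64}");

    /**
     * Returns the decoded session id when it is well-formed, otherwise null so the caller
     * discards the session instead of using (and later reflecting) the value.
     */
    public static String acceptedSessionID(String rawQueryValue) {
        if (rawQueryValue == null) {
            return null;
        }
        // Decode exactly once, as the request layer would, so %22 and %3C are judged
        // as the characters they become rather than as harmless percent sequences.
        String decoded = URLDecoder.decode(rawQueryValue, StandardCharsets.UTF_8);
        return SAFE_WOSID.matcher(decoded).matches() ? decoded : null;
    }

    /** Escapes the characters that can change HTML structure; apply to every tainted string written to a page. */
    public static String escapeHTML(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: a plausible id, the thread's quoted payload (URL-encoded),
        // a plain markup payload, and an empty value.
        String[] samples = {
            "abc123DEF456",
            "%22%3E%3Cinput%20onfocus=write(1)%20autofocus%3E",
            "\"><script>alert(1)</script>",
            ""
        };
        for (String raw : samples) {
            String accepted = acceptedSessionID(raw);
            String decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            System.out.println("wosid=" + raw);
            System.out.println("  session kept : " + (accepted != null));
            // Even a rejected value is often echoed (error pages, logs rendered as HTML),
            // so it still goes through the escaper before reaching any markup.
            System.out.println("  safe to echo : " + escapeHTML(decoded));
        }
    }
}
```

In a real WebObjects application the form values handed to the request are already URL-decoded, so the decode step would be dropped and the allow-list applied directly to the value the framework returns; the point is that the check runs on every request, before the value is ever used to look up or render anything.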