[ic] Standard demo: prevent XSS on forum submission

Stefan Hornburg (Racke) racke at linuxia.de
Tue Nov 24 21:14:39 UTC 2009


Josh Lavin wrote:
> The mv_arg parameter is not filtered when output in the page during 
> forum comment submission and replies, which can allow cross-site 
> scripting to be used.
> 
> http://github.com/jlavin/interchange/commit/1abf12d5332b57d50843198ab9b159778c491297 
> 
> 
> 
> --- a/dist/standard/include/forum/reply_form
> +++ b/dist/standard/include/forum/reply_form
> @@ -1,4 +1,4 @@
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
>  <form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
>  <input type=hidden name=artid VALUE="[loop-data forum artid]">
>  <input type=hidden name=parent VALUE="[loop-code]">
> 
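Review bot: the encoding is applied at the source of the loop list rather than at the sink, so the entity-encoded string is also what `[loop-data forum artid]` uses as its lookup key and what `[loop-code]` writes into the `parent` field; a forum code containing `&`, `<`, `>` or a quote would no longer match its row and would be posted back encoded. That is harmless if codes are restricted to safe characters, but nothing in the hunk says so. Either document that restriction, or keep `[loop list="[data session arg]"]` as it was and encode where the value reaches HTML, e.g. wrap the `VALUE="[loop-code]"` output in a `[filter encode_entities]...[/filter]` container, so the lookup key stays raw and only the attribute value is escaped.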
> --- a/dist/standard/include/forum/submit_form
> +++ b/dist/standard/include/forum/submit_form
> @@ -4,7 +4,7 @@
>         return;
>  [/calc]
>  [/if]
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
>  <form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
>  <input TYPE="HIDDEN" NAME="artid" VALUE="[loop-data forum artid]">
>  <input TYPE="HIDDEN" NAME="parent" VALUE="[loop-code]">
> 
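Review bot: this is the identical one-line change as in reply_form, and the two includes now share the same loop header and form preamble, differing only in attribute case (`type=hidden name=artid` versus `TYPE="HIDDEN" NAME="artid"`). Since the same `[loop list="[data session arg]"]` pattern lives in more than one template, consider hoisting the filtered loop header into one shared include so the filter is maintained in a single place, and state in the commit message which other templates still emit the raw session arg so the fix is not silently partial.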

There are more files affected. A quick grep shows more suspects (not all of them are subject to XSS exploits):

dist/lib/UI/pages/admin/upload_file.html:[if-mm function="!files" name="[data session arg]"]
dist/lib/UI/pages/admin/upload_file.html:[seti ui_error][msg arg.0="[data session arg]"]Not authorized to upload file %s.[/msg][/seti]
dist/lib/UI/pages/admin/upload_file.html:	[msg arg.0="[data session arg]"]Uploading file <b>%s</B>[/msg]
dist/lib/UI/pages/admin/upload_file.html:	<INPUT type=hidden NAME=ui_upload_fn VALUE="[data session arg]">
dist/lib/UI/pages/admin/upload_file.html:	[msg arg.0="[data session arg]"]Uploading file to <b>%s</B>[/msg]
dist/lib/UI/pages/admin/upload_file.html:	<INPUT type=hidden NAME=ui_upload_fn VALUE="[data session arg]">
dist/lib/UI/pages/admin/upload_file.html:		<INPUT NAME=ui_upload_fn type=hidden VALUE="[data session arg]">
dist/lib/UI/pages/admin/page_upload.html:[cgi name=page set="[data session arg]"]
dist/lib/UI/pages/admin/quicklinks.html:[seti win][data session arg][/seti]
dist/features/quickpoll/templates/components/quickpoll:	<input type=hidden name="mv_arg" value="[data session arg]">
dist/standard/pages/flypage.html:		[description code="[data session arg]"]
dist/standard/pages/flypage.html:[fly-list code="[data session arg]"]
dist/standard/pages/query/order_return.html:	[seti arg][data session arg][/seti]
dist/standard/pages/query/order_detail.html:[loop list="[data session arg]"]
dist/standard/pages/member/delete_addresses.html:	[userdb function=delete_shipping nickname="[data session arg]"]
dist/standard/pages/survey/graph.png.html:[survey-graph item_id="[data session arg]" notitle="[cgi notitle]" show_num=1 show_percent=1 cycle_clrs=1]
dist/standard/pages/function/stock_alert.html:	[seti code][data session arg][/seti]
dist/standard/pages/function/stock_alert_added.html:  [seti code][data session arg][/seti]
dist/standard/pages/quantity.html:[fly-list code="[data session arg]"]
dist/standard/pages/quantity.html:[loop prefix="part" list="[data session arg]"]
dist/standard/pages/forum/display.html:Forum thread: [data table=forum col=subject key="[data session arg]"]
dist/standard/pages/forum/display.html:[if type=data term="products::sku::[data session arg]"]
dist/standard/pages/forum/display.html:	[bounce page="[data session arg]"]
dist/standard/pages/forum/display.html:	top="[data session arg]"
dist/standard/pages/forum/reply.html:[tmp page_title]Reply to [data table=forum col=subject key="[data session arg]"][/tmp]
dist/standard/pages/forum/reply.html:	[if type=!data term="forum:code:[data session arg]"]
dist/standard/pages/forum/reply.html:	[loop list="[data session arg]" prefix=item]
dist/standard/include/forum/submit_form:[loop list="[data session arg]"]
dist/standard/include/forum/reply_form:[loop list="[data session arg]"]
dist/test/pages/oldtest.html:arg: [data arg]=[data session arg] -- [page @@MV_PAGE@@ SUCCESS]this link to test</a><BR>
dist/test/pages/test_specific.html:[loop list="[data session arg]"][harness name="[loop-code]"][expected][loop-data tests expected][/expected][not][loop-data tests no_expect][/not][loop-data tests input][/harness]
dist/test/pages/quantity.html:[loop list="[data session arg]"]
eg/news_feature/pages/news.html:	se=[data session arg]

Regards
          Racke


-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
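As a triage aid for a grep list like the one above, here is an added example (my own code, not Interchange's) that classifies each hit of `[data session arg]` by where the expression lands on that line: inside another ITL tag's parameter list, inside an ITL container body, inside an HTML start tag (attribute value, quoted or unquoted), or as HTML text. Only the last two are direct XSS sinks on that line; the first two need the tag or variable traced instead. The sample grep lines are copied from the post; the classification heuristics are mine and work per line, so an attribute value that spans lines is not recognised.

```python
"""Classify the sink context of an ITL expression in grep output (added example, not Interchange code)."""
import re

TARGET = "[data session arg]"

# Constructed sample: a subset of the grep hits quoted in the post above ("path:line" form).
SAMPLE_GREP = """\
dist/lib/UI/pages/admin/upload_file.html:[if-mm function="!files" name="[data session arg]"]
dist/lib/UI/pages/admin/upload_file.html:\t<INPUT type=hidden NAME=ui_upload_fn VALUE="[data session arg]">
dist/lib/UI/pages/admin/quicklinks.html:[seti win][data session arg][/seti]
dist/features/quickpoll/templates/components/quickpoll:\t<input type=hidden name="mv_arg" value="[data session arg]">
dist/standard/pages/forum/display.html:Forum thread: [data table=forum col=subject key="[data session arg]"]
dist/standard/pages/forum/display.html:\t[bounce page="[data session arg]"]
dist/standard/include/forum/reply_form:[loop list="[data session arg]"]
dist/test/pages/oldtest.html:arg: [data arg]=[data session arg] -- [page @@MV_PAGE@@ SUCCESS]this link to test</a><BR>
eg/news_feature/pages/news.html:\tse=[data session arg]
"""

ITL_TOKEN = re.compile(r"\[(/?[\w-]+)|\]")

def open_itl_tags(text):
    """Names of ITL tags opened in `text` whose closing ']' has not been seen yet."""
    stack = []
    for m in ITL_TOKEN.finditer(text):
        if m.group(0) == "]":
            if stack:
                stack.pop()
        else:
            stack.append(m.group(1))
    return stack

def classify(line):
    """Return (kind, detail) for the first TARGET in one template line, or None.

    itl_param  inside another ITL tag's parameters (detail: tag name)
    itl_body   body of an ITL container such as [seti x]...[/seti] (detail: tag name)
    html_attr  inside an HTML start tag, i.e. an attribute value (detail: quoted/unquoted)
    html_text  emitted as HTML text
    """
    i = line.find(TARGET)
    if i < 0:
        return None
    before, after = line[:i], line[i + len(TARGET):]

    stack = open_itl_tags(before)
    if stack:
        return ("itl_param", stack[-1])

    # An unclosed '<' before the occurrence means we are inside an HTML start tag.
    if before.rfind("<") > before.rfind(">"):
        quoted = before.endswith('"') or before.endswith("'")
        return ("html_attr", "quoted" if quoted else "unquoted")

    # Container body: the last completed opener before it is closed after it.
    opened = re.findall(r"\[([\w-]+)", before)
    if opened and "[/%s]" % opened[-1] in after:
        return ("itl_body", opened[-1])

    return ("html_text", "")

ADVICE = {
    "itl_param": "parameter of another tag, not an HTML sink on this line; trace what the tag does with it",
    "itl_body": "stored in a container; trace the later uses of that variable",
    "html_attr": "direct HTML attribute sink; needs an entity-encoding filter that also encodes quotes",
    "html_text": "direct HTML text sink; needs an entity-encoding filter",
}

def triage(grep_output):
    """Parse 'path:content' grep lines; return [(path, kind, detail, advice)] for lines containing TARGET."""
    results = []
    for raw in grep_output.splitlines():
        path, sep, content = raw.partition(":")
        found = classify(content) if sep else None
        if found is None:
            continue
        kind, detail = found
        results.append((path, kind, detail, ADVICE[kind]))
    return results

def direct_sinks(grep_output):
    """Paths whose line writes the value straight into HTML: the XSS candidates to fix first."""
    return [p for p, kind, _, _ in triage(grep_output) if kind in ("html_attr", "html_text")]

if __name__ == "__main__":
    for path, kind, detail, advice in triage(SAMPLE_GREP):
        print("%-55s %-9s %-8s %s" % (path, kind, detail, advice))
```

Run against the sample, the upload_file and quickpoll hidden inputs and the two plain-text uses come out as direct sinks, while the `[loop]`, `[bounce]`, `[data ... key=]` and `[seti]` hits are flagged for tracing rather than encoding; an unquoted attribute is reported separately because a value there breaks out of the attribute with a single space, no quote needed.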
More information about the interchange-users mailing list