Tcl Library Source Code

Artifact [f894b6cdcb]

Artifact f894b6cdcb18147f155c877cee44162775236e3e:

Ticket change [f894b6cdcb] - New ticket [09110adc430de8c9|09110adc43] <i>Cross-Site-Scripting (XSS) in html::textarea</i>. by anonymous 2015-01-28 15:08:29.
D 2015-01-28T15:08:29.310
J assignee nobody
J closer nobody
J cmimetype text/plain
J comment
Overview:

   Applications using tcllib's ::html::textarea functions are vulnerable to
   Cross-Site-Scripting. This function is usually used to programmatically add
   an HTML <textarea> to the output stream of a CGI script.

   No publicly available software has been found to be vulnerable. However, it is
   suspected that many non-public Tcl web applications using the
   ::html::textarea function are in operation.

Details:

   User supplied input is directly inserted into the <textarea> as default
   value, e.g. a textarea named 'ta' with a parameter of ta=XXX results in
   `<textarea>XXX</textarea>`

   This can be used to break out of the <textarea>-context and insert arbitrary
   HTML content such as <script>-Tags.

   The attack is possible using HTTP GET requests as well as POST and multipart
   form encoded POST requests.

  Code:

   modules/html/html.tcl
   (http://core.tcl.tk/tcllib/artifact/9a43f5efda2b74a5e61b60f261afdaf9ce1f1221)
   lines 914-919

  proc ::html::textarea {name {param {}} {current {}}} {
      ::set value [ncgi::value $name $current]
      return "<[string trimright \
  	"textarea name=\"$name\"\
  		[tagParam textarea $param]"]>$value</textarea>\n"
  }

Proof of Concept:

   test.cgi

  #!/usr/bin/env tclsh
  package require ncgi
  package require html
  
  ::ncgi::parse
  ::ncgi::header
  puts [::html::textarea ta]

   http://example.com/test.cgi?ta=%3C/textarea%3E%3Cscript%3Ealert%281%29%3C%2fs
   cript%3E

Recommendation:

   The input value should be properly HTML-escaped.

   In the meantime, a quick application level bugfix would be to encode the
   input variable in question manually. Example with 'ta' as name:

  set ::ncgi::value(ta) [::html::quoteFormValue [::ncgi::value ta {}]]
J foundin all
J is_private 0
J login anonymous
J priority 5\sMedium
J private_contact 37918056d323dc69a2f76cecc85476189094f3b8
J resolution None
J severity Important
J status Open
J submitter anonymous
J subsystem html
J title Cross-Site-Scripting\s(XSS)\sin\shtml::textarea
J type Bug
K 09110adc430de8c91d26015f9697cdd099755e63
U anonymous
Z 8f5093217e25cba3ac7a070bfe64d034
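The escaping the ticket's recommendation calls for, shown as an added illustration that is not tcllib's own code or its eventual patch. It assumes tcllib's html package is installed, takes the default value as a plain argument instead of reading it through ncgi::value so it runs without a CGI environment, and uses hypothetical names (textarea_unsafe, textarea_safe, closes_once) for the helpers.

```tcl
#!/usr/bin/env tclsh
# Added illustration (not tcllib code): the textarea generator with and
# without escaping, run against the ticket's proof-of-concept payload.
package require html

# Mirrors the vulnerable pattern: the value goes into the markup verbatim.
# Value is passed in directly (assumption) rather than via ncgi::value.
proc textarea_unsafe {name value} {
    return "<textarea name=\"$name\">$value</textarea>\n"
}

# Hardened form: html::quoteFormValue maps & < > " and ' to character
# entities, so the value can neither close the <textarea> nor open a tag.
proc textarea_safe {name value} {
    set value [::html::quoteFormValue $value]
    return "<textarea name=\"$name\">$value</textarea>\n"
}

# Decoded form of the ticket's query string
# ta=%3C/textarea%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E (constructed).
set payload {</textarea><script>alert(1)</script>}

puts "unsafe: [textarea_unsafe ta $payload]"
puts "safe:   [textarea_safe ta $payload]"

# Regression check for a test suite: the only </textarea> in the output
# must be the one the generator itself emitted.
proc closes_once {html} {
    expr {[regexp -all {</textarea>} $html] == 1}
}

puts "unsafe closes textarea exactly once: [closes_once [textarea_unsafe ta $payload]]"
puts "safe closes textarea exactly once:   [closes_once [textarea_safe ta $payload]]"
```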