Tcl Library Source Code

2015-02-26
19:27 Closed ticket [09110adc43]: Cross-Site-Scripting (XSS) in html::textarea plus 6 other changes artifact: 088be66bcc user: aku
19:26
Ticket [09110adc43] - html - Fixed XSS vulnerability of "textarea" command. Now properly quoting the input value. Package version bumped to 1.4.4. Extended the testsuite. check-in: 212d1feefe user: andreask tags: trunk
18:44 Ticket [09110adc43] Cross-Site-Scripting (XSS) in html::textarea status still Open with 4 other changes artifact: c21eaf64a1 user: aku
2015-02-24
23:24 Ticket [09110adc43]: 4 changes artifact: faaa80c8d6 user: aku
2015-01-28
18:11 Ticket [09110adc43]: 5 changes artifact: 472f8a7b57 user: aku
15:08 New ticket [09110adc43]. artifact: f894b6cdcb user: anonymous

Ticket UUID: 09110adc430de8c91d26015f9697cdd099755e63
Title: Cross-Site-Scripting (XSS) in html::textarea
Type: Bug Version: all
Submitter: anonymous Created on: 2015-01-28 15:08:29
Subsystem: html Assigned To: aku
Priority: 9 Immediate Severity: Critical
Status: Closed Last Modified: 2015-02-26 19:27:28
Resolution: Fixed Closed By: aku
Closed on: 2015-02-26 19:27:28
Description:
Overview:

   Applications using tcllib's ::html::textarea function are vulnerable to
   Cross-Site-Scripting. This function is usually used to programmatically add
   an HTML <textarea> to the output stream of a CGI script.

   No publicly available software has been found to be vulnerable. However it is
   suspected that many non-public Tcl web applications using the
   ::html::textarea function are in operation.

Details:

   User supplied input is directly inserted into the <textarea> as default
   value, e.g. a textarea named 'ta' with a parameter of ta=XXX results in
   `<textarea>XXX</textarea>`

   This can be used to break out of the <textarea> context and insert arbitrary
   HTML content such as <script> tags.

   The attack is possible using HTTP GET requests as well as POST and multipart
   form encoded POST requests.

Code:

   [http://core.tcl.tk/tcllib/artifact/9a43f5efda2b74a5e61b60f261afdaf9ce1f1221?ln=914-919]

Proof of Concept:

   test.cgi

  #!/usr/bin/env tclsh
  package require ncgi
  package require html
  
  ::ncgi::parse
  ::ncgi::header
  puts [::html::textarea ta]

   http://example.com/test.cgi?ta=%3C/textarea%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E

Recommendation:

   The input value should be properly HTML-escaped.

   In the meantime, a quick application level bugfix would be to encode the
   input variable in question manually. Example with 'ta' as name:

  set ::ncgi::value(ta) [::html::quoteFormValue [::ncgi::value ta {}]]
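
   A defensive wrapper built on that workaround, as an added example that is
   not part of the ticket or of tcllib: it quotes the parsed value of the named
   field before ::html::textarea reads it, feeds the ticket's PoC payload in
   through ::ncgi::reset (assumed here to accept a raw query string, as ncgi's
   testing hook) and checks that the payload comes out inert.

```tcl
#!/usr/bin/env tclsh
# Added example (not from the ticket or from tcllib).
package require ncgi
package require html

# safe_textarea: apply the ticket's workaround for any field name, then
# emit the textarea. The quoted value is written back into ::ncgi::value
# because the unfixed ::html::textarea takes its default from there.
proc safe_textarea {name args} {
    set raw [::ncgi::value $name {}]
    # quoteFormValue turns & < > " ' into entities, so a submitted
    # "</textarea><script>" can no longer close the element. The result is
    # wrapped in [list] because ::ncgi::parse keeps a list of values per field.
    set ::ncgi::value($name) [list [::html::quoteFormValue $raw]]
    return [::html::textarea $name {} {*}$args]
}

# check_textarea: 1 if the markup contains exactly one closing tag and no
# literal <script, i.e. the submitted value stayed inside the element.
proc check_textarea {markup} {
    expr {[regexp -all {</textarea>} $markup] == 1
          && [string first "<script" $markup] < 0}
}

# Constructed input: the ticket's PoC query string, already URL-decoded.
# ::ncgi::reset is assumed to accept a raw query string (ncgi's documented
# hook for tests), so no real CGI environment is needed to run this.
::ncgi::reset {ta=</textarea><script>alert(1)</script>}
::ncgi::parse

set out [safe_textarea ta]
puts $out
if {![check_textarea $out]} {
    error "escaping failed, payload would execute:\n$out"
}
puts "OK: payload rendered as inert text inside the textarea"
```

   Use this wrapper only with html before 1.4.4; from 1.4.4 on the package
   quotes the value itself, and pre-quoting it would double-escape the text
   (for example "&lt;" rendered as a literal "&amp;lt;").
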
User Comments:

aku added on 2015-02-26 19:27:28:

Fixed with revision [212d1feefe].

Committed. Pushed.

Version bumped to 1.4.4.


aku added on 2015-02-26 18:44:46:
Tweaked description, replaced inlined with reference into the repository.