Overview
| Artifact ID: | f894b6cdcb18147f155c877cee44162775236e3e |
|---|---|
| Ticket: | 09110adc430de8c91d26015f9697cdd099755e63 Cross-Site-Scripting (XSS) in html::textarea |
| User & Date: | anonymous 2015-01-28 15:08:29 |
Changes
- assignee changed to: "nobody"
- closer changed to: "nobody"
- cmimetype changed to: "text/plain"
- comment changed to:
Overview: Applications using tcllib's ::html::textarea function are vulnerable to Cross-Site-Scripting. This function is usually used to programmatically add an HTML <textarea> to the output stream of a CGI script. No publicly available software has been found to be vulnerable. However, it is suspected that many non-public Tcl web applications using the ::html::textarea function are in operation.

Details: User-supplied input is directly inserted into the <textarea> as the default value, e.g. a textarea named 'ta' with a parameter of ta=XXX results in `<textarea>XXX</textarea>`. This can be used to break out of the <textarea> context and insert arbitrary HTML content such as <script> tags. The attack is possible using HTTP GET requests as well as POST and multipart form-encoded POST requests.

Code: modules/html/html.tcl (http://core.tcl.tk/tcllib/artifact/9a43f5efda2b74a5e61b60f261afdaf9ce1f1221) lines 914-919

```tcl
proc ::html::textarea {name {param {}} {current {}}} {
    # The request value is read from ncgi and interpolated without escaping.
    ::set value [ncgi::value $name $current]
    return "<[string trimright \
        "textarea name=\"$name\"\
        [tagParam textarea $param]"]>$value</textarea>\n"
}
```

Proof of Concept: test.cgi

```tcl
#!/usr/bin/env tclsh
package require ncgi
package require html
::ncgi::parse
::ncgi::header
puts [::html::textarea ta]
```

Request: `http://example.com/test.cgi?ta=%3C/textarea%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E`

Recommendation: The input value should be properly HTML-escaped. In the meantime, a quick application-level bugfix would be to encode the input variable in question manually. Example with 'ta' as name:

```tcl
set ::ncgi::value(ta) [::html::quoteFormValue [::ncgi::value ta {}]]
```
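A builder that applies the recommended escaping inside the proc, checked against the proof-of-concept payload, as an added example that is neither tcllib's nor the ticket's code; `safe_textarea` and `textarea_is_safe` are hypothetical names, and the value is passed in explicitly rather than read via ncgi so the script runs offline:

```tcl
#!/usr/bin/env tclsh
# Added example, not tcllib's or the ticket's code: a textarea builder that
# HTML-escapes the default value with ::html::quoteFormValue before it is
# interpolated into the markup, checked against the ticket's payload.
package require html

# Hypothetical helper mirroring ::html::textarea's output shape; the value is
# passed in explicitly instead of being read from ncgi, so this runs offline.
proc safe_textarea {name value {param {}}} {
    # Escape &, quotes, < and > so the value cannot close the <textarea> element.
    set escaped [::html::quoteFormValue $value]
    return "<[string trimright "textarea name=\"$name\" $param"]>$escaped</textarea>\n"
}

# Returns 1 when the markup holds exactly one closing tag and no <script> tag.
proc textarea_is_safe {markup} {
    set first [string first "</textarea>" $markup]
    set last  [string last  "</textarea>" $markup]
    return [expr {$first == $last && [string first "<script" $markup] == -1}]
}

# Constructed input: the decoded ta= parameter from the proof of concept above.
set payload {</textarea><script>alert(1)</script>}

# Unescaped interpolation, as the vulnerable proc does it, beside the escaped form.
set unsafe "<textarea name=\"ta\">$payload</textarea>\n"
set safe   [safe_textarea ta $payload]

puts "unsafe (safe=[textarea_is_safe $unsafe]): $unsafe"
puts "escaped (safe=[textarea_is_safe $safe]): $safe"
```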
- foundin changed to: "all"
- is_private changed to: "0"
- login: "anonymous"
- priority changed to: "5 Medium"
- private_contact changed to: "37918056d323dc69a2f76cecc85476189094f3b8"
- resolution changed to: "None"
- severity changed to: "Important"
- status changed to: "Open"
- submitter changed to: "anonymous"
- subsystem changed to: "html"
- title changed to: "Cross-Site-Scripting (XSS) in html::textarea"
- type changed to: "Bug"