Ticket UUID: | 09110adc430de8c91d26015f9697cdd099755e63 | |||
Title: | Cross-Site-Scripting (XSS) in html::textarea | |||
Type: | Bug | Version: | all | |
Submitter: | anonymous | Created on: | 2015-01-28 15:08:29 | |
Subsystem: | html | Assigned To: | aku | |
Priority: | 9 Immediate | Severity: | Critical | |
Status: | Closed | Last Modified: | 2015-02-26 19:27:28 | |
Resolution: | Fixed | Closed By: | aku | |
Closed on: | 2015-02-26 19:27:28 | |||
Description: |
Overview:

Applications using tcllib's ::html::textarea function are vulnerable to Cross-Site-Scripting. This function is usually used to programmatically add an HTML <textarea> to the output stream of a CGI script. No publicly available software has been found to be vulnerable. However, it is suspected that many non-public Tcl web applications using the ::html::textarea function are in operation.

Details:

User supplied input is directly inserted into the <textarea> as default value, e.g. a textarea named 'ta' with a parameter of ta=XXX results in `<textarea>XXX</textarea>`. This can be used to break out of the <textarea> context and insert arbitrary HTML content such as <script> tags. The attack is possible using HTTP GET requests as well as POST and multipart form encoded POST requests.

Code: [http://core.tcl.tk/tcllib/artifact/9a43f5efda2b74a5e61b60f261afdaf9ce1f1221?ln=914-919]

Proof of Concept:

test.cgi:

    #!/usr/bin/env tclsh
    package require ncgi
    package require html
    ::ncgi::parse
    ::ncgi::header
    puts [::html::textarea ta]

http://example.com/test.cgi?ta=%3C/textarea%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E

Recommendation:

The input value should be properly HTML-escaped. In the meantime, a quick application level bugfix would be to encode the input variable in question manually. Example with 'ta' as name:

    set ::ncgi::value(ta) [::html::quoteFormValue [::ncgi::value ta {}]]
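As an added illustration (Python, not tcllib's Tcl code) of the raw-insertion behaviour the ticket describes beside the escaped form it recommends, driven by the ticket's own proof-of-concept URL; the escape set of ::html::quoteFormValue (&, <, >, ") is assumed, and the function names are hypothetical.

```python
"""Added Python model of the html::textarea defect in this ticket.

Not tcllib code: it mirrors the two behaviours the report describes, raw
insertion of the request value into the <textarea> body (vulnerable) versus
escaping it first as ::html::quoteFormValue does (assumed: & < > " -> entities).
"""
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept request quoted in the ticket.
POC_URL = ("http://example.com/test.cgi"
           "?ta=%3C/textarea%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E")


def quote_form_value(value: str) -> str:
    """Python stand-in for ::html::quoteFormValue (escape set assumed)."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))


def textarea_vulnerable(name: str, value: str) -> str:
    """Raw insertion, the unpatched behaviour the ticket describes."""
    return f'<textarea name="{name}">{value}</textarea>'


def textarea_fixed(name: str, value: str) -> str:
    """Same markup, but the value is escaped before insertion."""
    return f'<textarea name="{name}">{quote_form_value(value)}</textarea>'


def form_value(url: str, name: str) -> str:
    """Percent-decode the query parameter as the CGI layer (ncgi) would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def breaks_out(rendered: str) -> bool:
    """Check for a context break: any unescaped '<' inside the textarea body
    (between the opening tag and the final </textarea>) means the value can
    close the element and start new markup."""
    body = rendered[rendered.index(">") + 1:rendered.rindex("</textarea>")]
    return "<" in body


if __name__ == "__main__":
    value = form_value(POC_URL, "ta")
    for render in (textarea_vulnerable, textarea_fixed):
        html = render("ta", value)
        print(f"{render.__name__}: breakout={breaks_out(html)}\n  {html}")
```

Run with no arguments: the vulnerable rendering reports a breakout for the PoC value and the escaped rendering does not.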
User Comments: |
aku added on 2015-02-26 19:27:28:
(text/x-fossil-wiki)
Fixed with revision [212d1feefe]. Committed. Pushed. Version bumped to 1.4.4.

aku added on 2015-02-26 18:44:46:
Tweaked description, replaced inlined with reference into the repository.