01114: XSS vulnerability in XLPage

Summary: XSS vulnerability in XLPage
Created: 2009-07-12 14:08
Status: Suspended - known issue
Category: Bug
Assigned:
Priority: 3
Version: 2.2.2
OS: Win32/Apache2.2/PHP5.2

Description: <Babelfish>

Even if I am slowly starting to get annoying, I have found another XSS vulnerability in XLPage:
In my config.php I have an entry: XLPage('de','PmWikiDe.XLPage');
And then I simply made the following entry in PmWikiDe.XLPage: 'XSS' => '<script>alert("XSS")</script>',
And yes, you can then call it with: $[XSS]
This bug has been present since PmWiki 2.0.beta44 up to the latest version 2.2.2.

</Babelfish>


<German, translated>

Even if I am slowly starting to get annoying, I have found another XSS vulnerability in XLPage:
In my config.php I have an entry: XLPage('de','PmWikiDe.XLPage');
And then I simply made the following entry in PmWikiDe.XLPage: 'XSS' => '<script>alert("XSS")</script>',
And yes, you can then call it with: $[XSS]
This bug has been present since PmWiki 2.0.beta44 up to the current version 2.2.2.

</German, translated>

It is not annoying, on the contrary. I just wonder if I should cut the next 2.2.3 release or wait a couple of hours more, just in case you find another bug... :-) Thanks, again!! --Petko July 12, 2009, at 02:33 PM

Discussion

Hi, unfortunately my fix broke HTML entities in XLPage translations. I also talked with Pm who suggested to revert it. So it is back to not escaping these strings. Comments/suggestions will be welcome. --Petko July 16, 2009, at 01:23 PM

  • pmichaud: fwiw: the fact that XLPages provided some vulnerabilities was a known issue, it was something I wasn't too worried about fixing.
  • pmichaud: I.e., the solution was intended to be "make sure the XLPages are locked"
  • petko: would it hurt to str_replace < and > ?
  • petko: with &lt; and &gt;
  • pmichaud: I think yes, because some of the XLPage entries have HTML tags in them
  • petko: well, that would allow <script...
  • pmichaud: right -- as I said, it's a somewhat known vulnerability
  • pmichaud: and the answer was "lock the XLPages"
  • pmichaud: the fact that they're unlocked on pmwiki.org is really meant to indicate that I'm willing to live with the vulnerability there.
  • petko: so, I'll revert it to the previous state? I am also fine with it, I am not worried about XSS coming from XLPage
  • pmichaud: that seems easiest to me.
  • pmichaud: perhaps we should have the code that generates the i18n files automatically @lock the pages
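The discussion above shows why a blanket str_replace of < and > was reverted: some translation entries legitimately contain tags, while an entry like the reported 'XSS' one carries active content. An administrator who keeps XLPages editable can at least audit them; the following is an added example, not PmWiki's own code, and the translation array, the tag allowlist and the function name are assumptions.

```php
<?php
// Audit of XLPage-style translation strings (added example, not PmWiki code).
// Constructed sample array; the 'XSS' entry mirrors the report above.
$xl = [
    'Edit'    => 'Bearbeiten',                               // plain text
    'Footer'  => 'Seite <em>zuletzt</em> geändert',          // harmless markup
    'Link'    => '<a href="http://example.org/">Hilfe</a>',  // harmless markup
    'XSS'     => '<script>alert("XSS")</script>',            // from the report
    'OnClick' => '<b onclick="x()">Klick</b>',               // event handler
];

// Tags a wiki translation may legitimately need (assumption, adjust per site).
$allowedTags = ['em', 'strong', 'b', 'i', 'a', 'br', 'span'];

// Returns key => 'markup' | 'unexpected' | 'active' for every entry that
// contains '<'. Plain-text entries are skipped: escaping them is always safe.
function auditXl(array $xl, array $allowedTags): array {
    $report = [];
    foreach ($xl as $key => $text) {
        if (strpos($text, '<') === false) { continue; }
        $verdict = 'markup';   // has tags: a naive '<' -> '&lt;' replace would break it
        if (preg_match('/<\s*(script|iframe|object|embed)\b/i', $text)) {
            $verdict = 'active';          // script-bearing element
        } elseif (preg_match('/<[^>]*\b(on\w+\s*=|href\s*=\s*["\']?\s*javascript:)/i', $text)) {
            $verdict = 'active';          // event-handler attribute or javascript: URL
        } elseif (preg_match_all('/<\s*\/?\s*([a-z][a-z0-9]*)/i', $text, $m)) {
            foreach ($m[1] as $tag) {     // any tag outside the allowlist is suspicious
                if (!in_array(strtolower($tag), $allowedTags, true)) { $verdict = 'unexpected'; }
            }
        }
        $report[$key] = $verdict;
    }
    return $report;
}

foreach (auditXl($xl, $allowedTags) as $key => $verdict) {
    printf("%-8s %s\n", $key, $verdict);
}
```

Entries reported as 'markup' are the ones a blanket escape would have broken; 'active' entries are the ones that the page-locking answer in the discussion is meant to keep out.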