01114: XSS vulnerability in XLPage

Summary: XSS vulnerability in XLPage
Created: 2009-07-12 14:08
Status: Suspended - known issue
Category: Bug
Assigned:
Priority: 3
Version: 2.2.2
OS: Win32/Apache2.2/PHP5.2

Description: <Babelfish>

Even though I am slowly beginning to annoy, but I have another XSS vulnerability in XLPage found:
In my config.php I have an entry: XLPage('de','PmWikiDe.XLPage');
And then I just PmWikiDe.XLPage in the following entry made: 'XSS' => '<script>alert("XSS")</script>',
And yes, you can call it with: $[XSS]
This bug has been PmWiki 2.0.beta44 up to the latest version 2.2.2 available.

</Babelfish>


<German>

Auch wenn ich langsam anfange zu nerven, aber ich habe wieder eine XSS-Schwachstelle in XLPage gefunden:
In meiner config.php habe ich einen Eintrag: XLPage('de','PmWikiDe.XLPage');
Und dann habe ich einfach mal in PmWikiDe.XLPage folgenden Eintrag gemacht: 'XSS' => '<script>alert("XSS")</script>',
Und ja, aufrufen kann man es dann mit: $[XSS]
Dieser Bug ist seit PmWiki 2.0.beta44 bis zur aktuellen Version 2.2.2 vorhanden.

</German>

It is not annoying, on the contrary. I just wonder if I should cut the next 2.2.3 release or wait a couple of hours more, just in case you find another bug... :-) Thanks, again!! --Petko July 12, 2009, at 02:33 PM

Discussion

Hi, unfortunately my fix broke HTML entities in XLPage translations. I also talked with Pm who suggested to revert it. So it is back to not escaping these strings. Comments/suggestions will be welcome. --Petko July 16, 2009, at 01:23 PM

  • pmichaud: fwiw: the fact that XLPages provided some vulnerabilities was a known issue, it was something I wasn't too worried about fixing.
  • pmichaud: I.e., the solution was intended to be "make sure the XLPages are locked"
  • petko: would it hurt to str_replace < and > ?
  • petko: with &lt; and &gt;
  • pmichaud: I think yes, because some of the XLPage entries have HTML tags in them
  • petko: well, that would allow <script...
  • pmichaud: right -- as I said, it's a somewhat known vulnerability
  • pmichaud: and the answer was "lock the XLPages"
  • pmichaud: the fact that they're unlocked on pmwiki.org is really meant to indicate that I'm willing to live with the vulnerability there.
  • petko: so, I'll revert it to the previous state? I am also fine with it, I am not worried about XSS coming from XLPage
  • pmichaud: that seems easiest to me.
  • pmichaud: perhaps we should have the code that generates the i18n files automatically @lock the pages