01260

Summary: Vulnerability to relative links
Created: 2011-07-18 10:01
Status: Closed -- fixed for 2.2.28
Category: Bug
Assigned:
Priority: 3
Version: 2.2.27
OS: Win32/Apache 2.2.18 PHP 5.2.17

Description:
I've discovered a vulnerability where one can set any link without limitation. Normally, when UrlApprove is activated, it is not possible to add new unknown links. But with the help of Path:, you can bypass the lock:

* [[http://www.evil.com]]
* [[(Path:)http://www.evil.com]]

But that is not all; you can also link to any protocol:

* [[Path:skype:BigBadBrain?call|Call BigBadBrain]]
* [[Path:javascript:alert%28%22Hello%20Script%22%29|JavaScript-Uri]]
* [[Path:data:text/html,<h1>Hello%20World!</h1><script>alert%28%22Hello%20Script!%22%29</script>|Data-Uri]]
* [[Path:javascript:document.getElementsByTagName%28%22body%22%29%5b0%5d.setAttribute%28%22text%22,%22red%22%29|Set Text-Color to red]]

Since Path: was originally designed only for relative links, one should check whether the links start with a "." or a "/":

* [[Path:./]], [[Path:../]] (Relative)
* [[Path:/pmwiki/pub/skins/pmwiki/pmwiki-32.gif]] (Absolute)

</Babelfish>


<German>

Vulnerability in relative links

I have discovered a vulnerability that lets one place arbitrary links without restriction. Normally, with UrlApprove enabled, it is not possible to add new, unknown links. But with the help of Path:, the block can be bypassed:

* [[http://www.evil.com]]
* [[(Path:)http://www.evil.com]]

And that is not all: one can also link to arbitrary protocols:

* [[Path:skype:BigBadBrain?call|Call BigBadBrain]]
* [[Path:javascript:alert%28%22Hello%20Script%22%29|JavaScript-Uri]]
* [[Path:data:text/html,<h1>Hello%20World!</h1><script>alert%28%22Hello%20Script!%22%29</script>|Data-Uri]]
* [[Path:javascript:document.getElementsByTagName%28%22body%22%29%5b0%5d.setAttribute%28%22text%22,%22red%22%29|Set Text-Color to red]]

Since Path: is really intended only for relative links, one should check whether the links begin with a "." or a "/":

* [[Path:./]], [[Path:../]] (Relative)
* [[Path:/pmwiki/pub/skins/pmwiki/pmwiki-32.gif]] (Absolute)

</German>

This bug was fixed for version 2.2.28 (if the link starts with "protocol:", the colon ":" will be urlencoded to "%3A"). Thanks and keep up the good work! --Petko July 20, 2011, at 04:15 PM
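
The fix described above (encode the colon after a leading "protocol:") next to the reporter's proposed check (target must start with "." or "/"), as an added PHP example that is not PmWiki's own code. The function names, the scheme regex, the whitespace handling and the `//www.evil.com` sample are assumptions made here.

```php
<?php
// Added example, not PmWiki source. Function names are hypothetical.

// Browsers ignore tabs/newlines inside a URL and leading control chars or
// spaces, so remove them before looking for a scheme.
function normalize_target(string $t): string {
    $t = str_replace(["\t", "\n", "\r"], '', $t);
    return ltrim($t, "\x00..\x20");
}

// Fix as described for 2.2.28: if the target starts with "protocol:",
// encode that colon so the browser resolves the link as a relative path.
function neutralize_scheme(string $target): string {
    $t = normalize_target($target);
    // Scheme syntax per RFC 3986 (assumed pattern for "protocol:").
    return (string) preg_replace('/^([A-Za-z][A-Za-z0-9+.\-]*):/', '$1%3A', $t);
}

// Reporter's proposal: accept only targets starting with "." or "/".
// "//host" and "/\host" are excluded because browsers treat them as
// links to another host.
function is_relative_target(string $target): bool {
    $t = normalize_target($target);
    if ($t === '') return false;
    if ($t[0] === '.') return true;
    return $t[0] === '/' && !in_array(substr($t, 1, 1), ['/', '\\'], true);
}

// Link targets taken from the report above, plus one constructed case.
$samples = [
    'http://www.evil.com',
    'skype:BigBadBrain?call',
    'javascript:alert%28%22Hello%20Script%22%29',
    './',
    '../',
    '/pmwiki/pub/skins/pmwiki/pmwiki-32.gif',
    '//www.evil.com',   // constructed: protocol-relative
];
foreach ($samples as $s) {
    printf("%-45s relative=%-3s href=%s\n", $s,
        is_relative_target($s) ? 'yes' : 'no', neutralize_scheme($s));
}
```

Encoding the colon leaves `//www.evil.com` unchanged because it has no scheme, which is why the stricter leading-character check rejects it separately.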

Page last modified on September 10, 2011, at 11:56 AM