• View
• Edit
• History
• Attach
• Print

01266

Description:

"?action=refcount" produces invalid XHTML. It looks like "HTML 4.01 Transitional", but PmWiki uses "XHTML 1.0 Transitional". So the function PrintRefCount() in scripts/refcount.php requires an "update":

• Each empty tag like <input>, <br>, <hr> etc requires an ending it with "/>".
• <option> lists must be closed by a </option>
• minimized attributes like "checked", "selected" etc must be written as "checked='checked'"
• <p> must be closed by </p>

Maybe there are other flaws to be verified, but the few are the obvious ones I've seen.

Additionally there are two other bugs in there:

1. <form method='post'>
   A <form> requires an "action" attribute, otherwise the W3C markup validator claims an error. Should be $_SERVER['REQUEST_URI'] or similar.
2. <input type='hidden' action='refcount'>
   There's no attribute "action". It should be
   <input type='hidden' name='action' value='refcount' />

Verifying is easy:

• Visit http://validator.w3.org/ ,
• then enter "http://www.pmwiki.org/wiki/?action=refcount"
• and finally "Check".

You'll get 371 errors (by now).

• Then remove the "?action=refcount" portion
• and "Revalidate".

You'll get "This document was successfully checked as XHTML 1.0 Transitional!"

Thanks! The action now validates, but there still may be some forgotten bug. :-) --Petko September 22, 2011, at 05:14 PM

XSS can easily happen in the <option> values - check the $tlist and $flist processing if you're bored right now ;)
RRipley 2011-09-22 22:30 UTC

At the moment I don't see how, the option values and labels come from the internal ListPages() function, not from $_REQUEST (it is only checked to enable "selected" options). --Petko September 22, 2011, at 05:55 PM

You are right. There's no direct XSS entry point since the $GroupPattern and $NamePattern do not allow HTML markup characters. So, refcount can be declared fixed.
RRipley 2011-09-23 06:10 UTC