Ticket #9734 (closed defect: fixed)

Opened 4 months ago

Last modified 4 months ago

DOM injection vulnerability in NoteBox.expand_macro()

Reported by: willmerae Assigned to: rjollos
Priority: high Component: NoteBoxMacro
Severity: critical Keywords: security
Cc: rjollos Trac Release: 0.11

Description

NoteBox.expand_macro() performs string concatenation to construct a div element; as a result, it is possible to inject JavaScript into the page and have it executed. The following invocation demonstrates this:

[[NoteBox("></div><script type="text/javascript">alert("Javacript Injection Ahoy!")</script><div class="noteboxwarn, Don't care about this text)]]

Attached is a patch that removes the use of StringIO and should make the macro safe for use.
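The contrast between the concatenation pattern described above and the escaped form, as an added example that is not the NoteBox plugin's code and not the attached patch. It assumes a minimal macro that takes "kind, text" as its arguments and splits on the first comma; the Trac 0.11 signature expand_macro(formatter, name, content) is real, but the argument layout and the class-name prefix "notebox" are reconstructed from the invocation in the report. The fix in [11211] uses the Trac/Genshi API, which escapes attribute and text values when building the element; here the standard-library html.escape stands in for that, and the allow-list of kinds is an extra check that the page does not mention.

```python
import html
import re

# Constructed sample: the exact invocation payload from the ticket description.
TICKET_PAYLOAD = ('"></div><script type="text/javascript">'
                  'alert("Javacript Injection Ahoy!")</script>'
                  '<div class="noteboxwarn, Don\'t care about this text')

# Assumption: the set of box kinds; the real macro's list may differ.
ALLOWED_KINDS = {"note", "tip", "warn"}


def split_args(content):
    """Split the macro argument string into (kind, text) on the first comma
    (assumed argument layout, reconstructed from the report)."""
    kind, _, text = content.partition(",")
    return kind.strip(), text.strip()


def expand_macro_vulnerable(formatter, name, content):
    """Reconstruction of the string-concatenation pattern the ticket describes:
    both values land in the markup verbatim, so a '"' closes the attribute and
    a '>' closes the tag."""
    kind, text = split_args(content)
    return '<div class="notebox%s">%s</div>' % (kind, text)


def expand_macro_hardened(formatter, name, content):
    """Escaped form: every value is HTML-escaped (quotes included) before it is
    placed in an attribute or in element text, which is what a tag builder
    does for you. The allow-list additionally rejects unknown kinds."""
    kind, text = split_args(content)
    if kind not in ALLOWED_KINDS:
        # Unknown kind: escape it anyway so even the rejection path is inert.
        kind = html.escape(kind, quote=True)
    return '<div class="notebox%s">%s</div>' % (kind, html.escape(text, quote=True))


def contains_script_tag(markup):
    """Detection helper: true if an unescaped <script start tag survived."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable:", expand_macro_vulnerable(None, "NoteBox", TICKET_PAYLOAD))
    print("hardened:  ", expand_macro_hardened(None, "NoteBox", TICKET_PAYLOAD))
    print("benign:    ", expand_macro_hardened(None, "NoteBox", "warn, <b>x</b> & y"))
```

Running it with the ticket's own payload shows the first function emitting a live script element while the second emits only &quot;, &lt; and &gt; entities inside the attribute; the benign call shows that ordinary text is preserved but rendered inert.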

Attachments

th9734_noteboxplugin_dom_injection_fix.patch (1.4 kB) - added by willmerae on 01/27/12 18:20:10.

Change History

01/27/12 18:20:10 changed by willmerae

  • attachment th9734_noteboxplugin_dom_injection_fix.patch added.

01/27/12 18:25:49 changed by rjollos

  • owner changed from gruenebe to rjollos.
  • status changed from new to assigned.

Just to confirm, this was the same issue noted in this mailing list post?

01/28/12 18:58:38 changed by rjollos

  • priority changed from normal to high.
  • severity changed from normal to critical.

01/28/12 19:23:49 changed by rjollos

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [11211]) Fixes #9734: (0.2dev) Applied patch by willmerae. Fixed DOM Injection vulnerability by replacing string concatenation with proper use of functions in the Trac API. Removed some unnecessary imports.