Modify

Opened 3 years ago

Closed 3 years ago

#9734 closed defect (fixed)

DOM injection vulnerability in NoteBox.expand_macro()

Reported by: willmerae Owned by: rjollos
Priority: high Component: NoteBoxMacro
Severity: critical Keywords: security
Cc: rjollos Trac Release: 0.11

Description

NoteBox.expand_macro() performs string concatenation to construct a div element, as result it is possible to inject javascript into the page and have it executed. The following invocation demonstrates this:

[[NoteBox("></div><script type="text/javascript">alert("Javacript Injection Ahoy!")</script><div class="noteboxwarn, Don't care about this text)]]

Attached is a patch that removes the use of StringIO and should make the macro safe for use.

Attachments (1)

th9734_noteboxplugin_dom_injection_fix.patch (1.4 KB) - added by willmerae 3 years ago.

Download all attachments as: .zip

Change History (4)

Changed 3 years ago by willmerae

comment:1 Changed 3 years ago by rjollos

  • Owner changed from gruenebe to rjollos
  • Status changed from new to assigned

Just to confirm, this was the same issue noted in this mailing list post?

comment:2 Changed 3 years ago by rjollos

  • Priority changed from normal to high
  • Severity changed from normal to critical

comment:3 Changed 3 years ago by rjollos

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [11211]) Fixes #9734: (0.2dev) Applied patch by willmerae. Fixed DOM Injection vulnerability by replacing string concatenation with proper use of functions in the Trac API. Removed some unnecessary imports.

Add Comment

Modify Ticket

Action
as closed The owner will remain rjollos.
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.