Modify

Opened 12 years ago

Closed 12 years ago

#9734 closed defect (fixed)

DOM injection vulnerability in NoteBox.expand_macro()

Reported by: Alex Willmer Owned by: Ryan J Ollos
Priority: high Component: NoteBoxMacro
Severity: critical Keywords: security
Cc: Ryan J Ollos Trac Release: 0.11

Description

NoteBox.expand_macro() performs string concatenation to construct a div element, as result it is possible to inject javascript into the page and have it executed. The following invocation demonstrates this: 

[[NoteBox("></div><script type="text/javascript">alert("Javacript Injection Ahoy!")</script><div class="noteboxwarn, Don't care about this text)]]

Attached is a patch that removes the use of StringIO and should make the macro safe for use.

Attachments (1)

th9734_noteboxplugin_dom_injection_fix.patch (1.4 KB) - added by Alex Willmer 12 years ago.

Download all attachments as: .zip

Change History (4)

Changed 12 years ago by Alex Willmer

Attachment: th9734_noteboxplugin_dom_injection_fix.patch added

comment:1 Changed 12 years ago by Ryan J Ollos

Owner: changed from gruenebe to Ryan J Ollos
Status: newassigned

Just to confirm, this was the same issue noted in this mailing list post?

comment:2 Changed 12 years ago by Ryan J Ollos

Priority: normalhigh
Severity: normalcritical

comment:3 Changed 12 years ago by Ryan J Ollos

Resolution: fixed
Status: assignedclosed

(In [11211]) Fixes #9734: (0.2dev) Applied patch by willmerae. Fixed DOM Injection vulnerability by replacing string concatenation with proper use of functions in the Trac API. Removed some unnecessary imports.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Ryan J Ollos.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences.

AttachmentsDescription
 
Note: See TracTickets for help on using tickets.