Opened 10 years ago

Closed 10 years ago

#1581 closed defect (fixed)

TagsPlugin vulnerable against XSS

Reported by: muelli
Owned by: Alec Thomas
Priority: highest
Component: TagsPlugin
Severity: critical
Keywords:
Cc:
Trac Release: 0.10

Description

If you search for <u>xss</u> you will see that special HTML characters won't be escaped. See

and

Although this TagsPlugin (at trac-hacks.org) seems to delete <script>, others won't.

Since you can steal login data from, this is a security issue with a high severity.

Attachments (0)

Change History (6)

comment:1 Changed 10 years ago by Alec Thomas

Priority: normal → highest

comment:2 Changed 10 years ago by Alec Thomas

Status: new → assigned

comment:3 Changed 10 years ago by Alec Thomas

Resolution: fixed
Status: assigned → closed

(In [2268]) Fix for XSS vulnerability. Closes #1581.

comment:4 Changed 10 years ago by Alec Thomas

Hi. Please try r2268 and let me know if that fixes the problem.

comment:5 Changed 10 years ago by muelli@…

Resolution: fixed
Status: closed → reopened

Hi. That was a quick response!

Actually it doesn't work for me :-\ And as I think you deployed this update here as well, you can see that it does not work.

But following the changes, using escape should be fine. cgi.escape should be fine as well, since we don't need to escape everything (thanks to unicode :) ).

But I might have installed the plugin the wrong way :-\ One could refer to t.e.o on [TagsPlugin/Installation] for convenience.

I'll restart the webserver and reinstall the plugin and report.

Maybe others can confirm that this bug is closed?

Since I haven't seen any working version right now, I have reopened the ticket.
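The escaping discussion in the comment above, as an added example that is not part of the ticket or of TagsPlugin: a toy template standing in for the tag-search page (hypothetical markup) is rendered four ways, and a parser-based check reports whether the query turned into a new tag or attribute. html.escape(..., quote=False) makes the same replacements cgi.escape made by default (&, <, >), which is enough in element text but not inside a quoted attribute value; quote=True also encodes the quotes.

```python
import html
import re
from html.parser import HTMLParser

# Toy stand-in for a tag-search results page (hypothetical markup, not TagsPlugin's own):
# the query lands in an attribute value and in element text, the two contexts that matter here.
TEMPLATE = '<input name="q" value="{q}"><h2>Tags matching {q}</h2>'

def render_raw(query):
    """The reported bug: the query is interpolated without any escaping."""
    return TEMPLATE.format(q=query)

def render_strip_script(query):
    """Blacklist the ticket describes ('seems to delete <script>'): removes one tag name only."""
    return TEMPLATE.format(q=re.sub(r"(?i)</?script[^>]*>", "", query))

def render_escape_no_quotes(query):
    """Same replacements cgi.escape made by default: & < > only, quotes left alone."""
    return TEMPLATE.format(q=html.escape(query, quote=False))

def render_escape(query):
    """html.escape with quote=True also encodes \" and ', so an attribute value cannot be closed."""
    return TEMPLATE.format(q=html.escape(query, quote=True))

class _Structure(HTMLParser):
    """Records (tag name, attribute names) for each start tag; attribute values are ignored on purpose."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, tuple(sorted(name for name, _ in attrs))))

def structure(fragment):
    parser = _Structure()
    parser.feed(fragment)
    parser.close()
    return parser.tags

def query_alters_markup(render, query, benign="xss"):
    """True when the query adds or changes any tag or attribute compared with a benign query:
    the defender's test for 'did untrusted text become markup', independent of any payload."""
    return structure(render(benign)) != structure(render(query))

if __name__ == "__main__":
    # Constructed probes: one tries to add an element, the other tries to add an attribute.
    for probe in ("<i>xss</i>", '" title="x'):
        for render in (render_raw, render_strip_script, render_escape_no_quotes, render_escape):
            print(f"{render.__name__:24s} {probe!r:16s} alters markup: {query_alters_markup(render, probe)}")
```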

comment:6 Changed 10 years ago by muelli@…

Resolution: fixed
Status: reopened → closed

Oh, you were right.

After restarting the webserver and deleting modules cache several times, I finally made it.

It works now. Thanks for that very quick fix!
