Opened 6 years ago

Closed 6 years ago

#9734 closed defect (fixed)

DOM injection vulnerability in NoteBox.expand_macro()

Reported by: Alex Willmer Owned by: Ryan J Ollos
Priority: high Component: NoteBoxMacro
Severity: critical Keywords: security
Cc: Ryan J Ollos Trac Release: 0.11


NoteBox.expand_macro() performs string concatenation to construct a div element; as a result it is possible to inject JavaScript into the page and have it executed. The following invocation demonstrates this:

[[NoteBox("></div><script type="text/javascript">alert("Javacript Injection Ahoy!")</script><div class="noteboxwarn, Don't care about this text)]]

Attached is a patch that removes the use of StringIO and should make the macro safe for use.
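As an added illustration (not the plugin's code and not the attached patch, which uses Trac's own markup-building API), the snippet below contrasts the string-concatenation pattern the ticket describes with a minimally hardened form that escapes the attacker-controlled pieces before they are placed in the attribute and the element body. The helper names, the `notebox` class prefix and the use of `html.escape` as a stand-in for Trac's tag builder are assumptions; the sample input is the ticket's own proof-of-concept argument, used here as a regression check that the hardened output no longer contains a script element.

```python
import html
import re


def vulnerable_notebox(style, text):
    """Mirror of the pattern the ticket describes (hypothetical helper):
    raw concatenation puts attacker-controlled characters into the DOM verbatim."""
    return '<div class="notebox' + style + '">' + text + '</div>'


def safe_notebox(style, text):
    """Hardened form (illustrative; the real fix uses Trac's tag builder):
    escape both the attribute value and the element body so a quote or
    angle bracket in the input cannot terminate the attribute or the tag."""
    return '<div class="notebox%s">%s</div>' % (
        html.escape(style, quote=True),
        html.escape(text, quote=True),
    )


def contains_script_element(markup):
    """Detection helper for the check below: does any <script> tag survive?"""
    return re.search(r'<script\b', markup, re.IGNORECASE) is not None


# Constructed from the ticket's proof-of-concept: the first macro argument
# tries to close the div's class attribute and open a script element.
POC_STYLE = ('"></div><script type="text/javascript">'
             'alert("Javacript Injection Ahoy!")</script><div class="noteboxwarn')
POC_TEXT = "Don't care about this text"


if __name__ == '__main__':
    print(vulnerable_notebox(POC_STYLE, POC_TEXT))  # script element reaches the page
    print(safe_notebox(POC_STYLE, POC_TEXT))        # rendered as inert text
```

Escaping is the minimum that closes the hole; because the first argument only selects a stylesheet class, an allowlist of known style names (with a fixed default for anything else) is the tighter design and is what a review of the attached patch should look for.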

Attachments (1)

th9734_noteboxplugin_dom_injection_fix.patch (1.4 KB) - added by Alex Willmer 6 years ago.


Change History (4)

Changed 6 years ago by Alex Willmer

comment:1 Changed 6 years ago by Ryan J Ollos

Owner: changed from gruenebe to Ryan J Ollos
Status: new → assigned

Just to confirm, this was the same issue noted in this mailing list post?

comment:2 Changed 6 years ago by Ryan J Ollos

Priority: normal → high
Severity: normal → critical

comment:3 Changed 6 years ago by Ryan J Ollos

Resolution: fixed
Status: assigned → closed

(In [11211]) Fixes #9734: (0.2dev) Applied patch by willmerae. Fixed DOM Injection vulnerability by replacing string concatenation with proper use of functions in the Trac API. Removed some unnecessary imports.
