Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: 2.5 RC1
Affects Version/s: 2.3.2, 2.4, 2.5 M1
Component/s: Web - Templates & Resources, WYSIWYG Editor
Labels:
None

keywords:
security, xss, wysiwyg
Difficulty:
Medium
Similar issues:

Description

This template needs to return the unescaped user input for WYSIWYG editor needs. Unfortunately it is also accessible for the attacker from anywhere else.

Injection with render=false is trivial via key=bla&source=your_script, render=true needs a bit more work.

Examples:

http://localhost:8080/xwiki/bin/view/Main/?xpage=wysiwyginput&key=bla&html=%3Cimg%20src=%22http://localhost:8080/xwiki/skins/colibri/logo.png%22%20onload=%22alert%281%29;%22%2f%3E&render=true
http://localhost:8080/xwiki/bin/view/Main/?xpage=wysiwyginput&key=bla&source=<script>alert(1)<%2fscript>

Ideas to fix:

force render=true for source parameter
use secret token (or similar session id) to distinguish request coming from wysiwyg editor from the rest

Attachments

Activity

People

Assignee:: Marius Dumitru Florea

Reporter:: Alex Busenius

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Sep/10 15:58

Updated:: 02/Dec/22 10:55

Resolved:: 11/Oct/10 12:43

Date of First Response:: 08/Oct/10 3:59 PM