[typo] XSS vulnerability?

Andrey Nikanorov nikanorov at gmail.com
Sat Nov 26 18:55:49 EST 2005


Ugly temp patch is here: http://typo.leetsoft.com/trac/ticket/551 =)
On 11/27/05, Micah Wylde <wyldeone at gmail.com> wrote:
> JS in comments works on my trunk blog as well. Here's an example of what a
> commenter can do with this:
>
> <script type="text/javascript">
>   element = $("wrapper")
>   Element.hide(element);
> </script>
>
> This causes the whole page to disappear. If this works in production blogs,
> this appears to be a pretty serious hole.
>
>
> On 11/26/05, gpshewan <gpsnospam at gmail.com > wrote:
> > Is this what your after Scott?
> >
> > $ rake
> > /usr/bin/ruby1.8 -Ilib:test "/usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb" "test/unit/article_test.rb" "test/unit/blacklist_pattern_test.rb" "test/unit/category_test.rb" "test/unit/comment_test.rb" "test/unit/configuration_test.rb" "test/unit/delicious_test.rb" "test/unit/flickr_test.rb" "test/unit/fortythree_test.rb" "test/unit/page_cache_test.rb" "test/unit/page_test.rb" "test/unit/ping_test.rb" "test/unit/resource_test.rb" "test/unit/setting_test.rb" "test/unit/sidebar_test.rb" "test/unit/theme_test.rb" "test/unit/trackback_test.rb" "test/unit/user_test.rb" "test/unit/audioscrobbler_test.rb" "test/unit/observer_test.rb" "test/unit/tag_test.rb" "test/unit/text_filter_test.rb"
> > /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:18:in `require__': no such file to load -- http_mock (MissingSourceFile)
> >          from /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:18:in `require'
> >          from /usr/lib/ruby/gems/1.8/gems/activesupport-1.2.3/lib/active_support/dependencies.rb:214:in `require'
> >          from ./test/unit/article_test.rb:3
> >          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5:in `load'
> >          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5
> >          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5:in `each'
> >          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5
> > /usr/bin/ruby1.8 -Ilib:test "/usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb" "test/functional/accounts_controller_test.rb" "test/functional/articles_controller_test.rb" "test/functional/backend_controller_test.rb" "test/functional/theme_controller_test.rb" "test/functional/xml_controller_test.rb" "test/functional/textfilter_controller_test.rb" "test/functional/admin/blacklist_controller_test.rb" "test/functional/admin/categories_controller_test.rb" "test/functional/admin/comments_controller_test.rb" "test/functional/admin/content_controller_test.rb" "test/functional/admin/general_controller_test.rb" "test/functional/admin/themes_controller_test.rb" "test/functional/admin/trackbacks_controller_test.rb" "test/functional/admin/users_controller_test.rb" "test/functional/admin/article_preview_test.rb" "test/functional/admin/pages_controller_test.rb" "test/functional/admin/resources_controller_test.rb"
> > /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:18:in `require__': no such file to load -- dns_mock (MissingSourceFile)
> >          from /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:18:in `require'
> >          from /usr/lib/ruby/gems/1.8/gems/activesupport-1.2.3/lib/active_support/dependencies.rb:214:in `require'
> >          from ./test/functional/articles_controller_test.rb:3
> >          from /usr/lib/ruby/gems/1.8/gems/activesupport-1.2.3/lib/active_support/dependencies.rb:207:in `load'
> >          from /usr/lib/ruby/gems/1.8/gems/activesupport-1.2.3/lib/active_support/dependencies.rb:207:in `load'
> >          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5
> >          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5:in `each'
> >          from /usr/lib/ruby/gems/1.8/gems/rake-0.6.2/lib/rake/rake_test_loader.rb:5
> > rake aborted!
> > Test failures
> >
> >
> >
> > On 26 Nov 2005, at 16:45, Scott Laird wrote:
> >
> > > Argh!  It's supposed to be filtered.  What happens when you run
> > > 'rake'?  There are several XSS-related tests; do any tests fail?
> > >
> > >
> > > Scott
> > >
> > > On Nov 26, 2005, at 8:28 AM, gpshewan wrote:
> > >
> > >> Not being a javascript expert, how much of a concern is Ticket #551
> > >> that nikanorov just submitted?
> > >>
> > >>> Why when I add comment like ---comment---- <script> alert ("Typo
> > >>> sucks"); </script> ---comment----
> > >>>
> > >>> it works? Are you kidding?
> > >> And he's right ... it does.
> > >>
> > >> Gary
> > >> _______________________________________________
> > >> Typo-list mailing list
> > >> Typo-list at rubyforge.org
> > >> http://rubyforge.org/mailman/listinfo/typo-list
> > >
> >
> --
> Micah Wylde


--
Nikanorov Andrey <nikanorov at gmail.com>
http://nikanorov.com
This email is: [ ] blogable [ x ] ask first [ ] private
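The thread is about comment bodies reaching the page unfiltered, so the fix that matters is output encoding at render time rather than any blacklist. The following is an added example, not Typo's own code or the patch in ticket #551: it escapes the comment body before it is placed in the template, and it carries a separate detection helper that flags bodies containing active markup so a moderator can review them. The two sample comments are constructed here from the shapes quoted in the thread; `render_comment` stands in for whatever template Typo uses and is an assumption.

```ruby
# Added example (not Typo's own code): escape comment bodies before rendering
# so that a commenter's <script> is shown as text instead of being executed.
require 'cgi'

# Constructed sample bodies, modelled on the two comments quoted in the thread.
SCRIPT_COMMENT = <<~HTML
  <script type="text/javascript">
   element = $("wrapper")
   Element.hide(element);
  </script>
HTML

ALERT_COMMENT = '---comment---- <script> alert ("Typo sucks"); </script> ---comment----'

# Escape the characters HTML assigns meaning to (& < > " '). After this the
# browser cannot see a tag boundary in the text, so user input can never open
# an element or an attribute. This is the actual protection.
def escape_comment(body)
  CGI.escapeHTML(body)
end

# Moderation aid: true when the raw body contains markup that would create
# executable content if it were ever rendered unescaped. This is a detection
# hint for review queues and logs, not a substitute for escape_comment.
ACTIVE_MARKUP = /<\s*\/?\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:/i

def active_content?(body)
  !(body =~ ACTIVE_MARKUP).nil?
end

# Assumed stand-in for the comment template: the only place user text meets
# HTML, and the one place escaping must happen.
def render_comment(body)
  "<div class=\"comment\">#{escape_comment(body)}</div>"
end

if __FILE__ == $0
  [SCRIPT_COMMENT, ALERT_COMMENT].each do |body|
    puts "flagged for review: #{active_content?(body)}"
    puts render_comment(body)
  end
end
```

Escaping on output is what lets the stored comment stay exactly as the user wrote it while never being interpreted as markup; the `active_content?` check is only there so the cases the thread describes show up in a review queue rather than going unnoticed.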


