Ticket #2336 (new defect)

Opened 1 year ago

Last modified 1 year ago

possible security hole in default error handler

Reported by: diefans Assigned to: mramm
Priority: highest Milestone: 2.0.* bugfix
Component: TurboGears Version: 2.0
Severity: critical Keywords: javascript injection
Cc:

Description (Last modified by jorge.vargas)

Hello,

It is possible to inject executable Javascript-Code into an error page generated by the default ErrorController?.document method. Just put the code into the message URL parameter.

This is because:

  1. the error handler uses manipulatable request parameters
  2. the template shows those possible manipulated parameters as XML and not as escaped HTML/XML (IMHO quite irresponsible)

Since the error handling will be the last point where developers put attention to, even some will ignore it completely or use these defaults, this could be a sleeping vulnerablity to many of them.

Attachments

screenshot1.png (32.5 kB) - added by diefans on 06/20/09 06:57:59.
just to see

Change History

06/19/09 19:48:26 changed by jorge.vargas

  • version changed from 2.0b7 to 2.0.
  • description changed.
  • milestone set to 2.0.

I'm not entirely sure this is accurate. Will ask a genshi expert.

06/19/09 21:02:02 changed by jorge.vargas

Could you provide an example call to that controller that will display an alert() window? From looking at how it is handle it should not be possible to put that in the URL as it is an indirection call to the errormiddleware. Neither GET or POST.

http://localhost:8080/error/document?status_int=3

returns AttributeError?: 'NoneType?' object has no attribute 'status_int' with WebError? on.

06/20/09 06:57:59 changed by diefans

  • attachment screenshot1.png added.

just to see

06/20/09 07:02:41 changed by diefans

lets say you have an application where you serve files and when a wrong file id is requested you serve an 404 error by calling: 

raise HTTPNotFound

on that page you can append a message parameter like 

http://localhost:8080/file?id=invalid&message=%3Cscript%20type=%22text/javascript%22%3Ealert(%27test%27)%3C/script%3E

this is my error document method as it was created by quickstart. As you can see the URL parameter "message" is forwarded to the template as it is: 

def document(self, *args, **kwargs):
        """Render the error document"""
        resp = request.environ.get('pylons.original_response')
        default_message = ("<p>We're sorry but we weren't able to process "
                           " this request.</p>")
        values = dict(prefix=request.environ.get('SCRIPT_NAME', ''),
                      code=request.params.get('code', resp.status_int),
                      message=str(request.params.get('message', default_message)))
        return values

this is the error template as it was created by quickstart: 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
                      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:py="http://genshi.edgewall.org/"
      xmlns:xi="http://www.w3.org/2001/XInclude">

  <xi:include href="master.html" />

<head>
  <meta content="text/html; charset=UTF-8" http-equiv="content-type" py:replace="''"/>
  <title>A ${code} Error has Occurred </title>
</head>

<body>
<h1>Error ${code}</h1>

<div>${XML(message)}</div>
</body>
</html>

the relevant part is: 

<div>${XML(message)}</div>

which means, that everything in message is considered to be valid XML and is inserted that way. At the end you have the following code in your error page: 

<div id="content">
<h1>Error 404</h1>

<div><script type="text/javascript">alert('test')</script></div>
    <div class="clearingdiv"></div>
    <!-- End of content -->
  </div>

it's a security hole, because unplanned and unwanted events may occur on that Page...

09/16/09 18:10:30 changed by Chris Arndt

  • owner set to mramm.

This seems like a serious issue. Though to exploit it as an XSS attack the attacker must be able to plant a forged URL on the victim.

09/17/09 02:42:48 changed by diefans

Just imagine a Blog where a commentator is able to post links or to enter his "own" website...

10/01/09 15:36:56 changed by Chris Arndt

  • milestone changed from 2.0 to 2.* bugfix.