[pLog-svn] xss in 1.2.7
Reto Hugi
plog at hugi.to
Mon May 5 17:01:43 EDT 2008
On 05/05/2008 10:03 PM, Jon Daley wrote:
> On Sat, 3 May 2008, Mark Wu wrote:
>> But, the problem is he can do the same thing with template editor .... I
>> have no idea how to prevent ...
>
> And this is because this input can't have html filtered out,
> right?
>
> What if we go back to the nonce/time-based keys that we talked
> about before? That can filter out lots of bad requests, can't it?
Yes, that would prevent CSRF
(http://en.wikipedia.org/wiki/Cross-site_request_forgery). But in most
cases CSRF countermeasures become useless if you have XSS
vulnerabilities (remember: XSS means code injection into your HTML, which
means the possibility of grabbing nonces, etc.).
Please don't ask for a PoC; I know it's not that simple :)
Anyway, the CSRF project for 2.0 has not died. I'm just stuck on
implementing a Requestgenerator, as Oscar suggested, instead of simply
adding &nonce={$nonce} to each request on each admin page.
But back to the Template Editor:
You need to encode your HTML stuff anyway (you display it within a
textarea), so I don't see why the template editor should be any
different...
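As an added illustration of the two points in this reply (a time-limited nonce sent with each admin request, and HTML-encoding the template source before it is placed in the textarea), here is example PHP that is not pLog's own code. The function names, the 900-second nonce lifetime and the admin.php?op=saveTemplate URL are assumptions made for this example.

```php
<?php
// Added example (not pLog's own code): time-limited, session-bound nonce
// for admin requests plus HTML-encoding of template source in a textarea.
// All names, the TTL and the form URL are assumptions, not pLog identifiers.

const NONCE_TTL = 900; // seconds a nonce stays valid (assumed value)

// Per-session secret used to key the nonce HMAC.
function session_secret(): string {
    if (empty($_SESSION['nonce_secret'])) {
        $_SESSION['nonce_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['nonce_secret'];
}
// Nonce = timestamp ':' HMAC-SHA256(secret, timestamp '|' action)
function make_nonce(string $action, ?int $now = null): string {
    $ts = $now ?? time();
    return $ts . ':' . hash_hmac('sha256', "$ts|$action", session_secret());
}
// Recompute the MAC, compare in constant time, reject expired nonces.
function check_nonce(string $nonce, string $action, ?int $now = null): bool {
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $nonce, $m)) {
        return false;
    }
    $ts  = (int)$m[1];
    $now = $now ?? time();
    if ($ts > $now || $now - $ts > NONCE_TTL) {
        return false; // stale, or from the future (clock skew)
    }
    $expected = hash_hmac('sha256', "$ts|$action", session_secret());
    return hash_equals($expected, $m[2]);
}
// Template source goes inside <textarea>, so it must be HTML-encoded:
// otherwise a literal "</textarea><script>" in the template breaks out.
function render_template_editor(string $source, string $nonce): string {
    $e = fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="admin.php?op=saveTemplate">' // assumed URL
         . '<input type="hidden" name="nonce" value="' . $e($nonce) . '">'
         . '<textarea name="templateSource">' . $e($source) . '</textarea>'
         . '<button type="submit">Save</button></form>';
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
    && !check_nonce($_POST['nonce'] ?? '', 'saveTemplate')) {
    http_response_code(403);
    exit('invalid or expired request token');
}
echo render_template_editor($_POST['templateSource'] ?? '', make_nonce('saveTemplate'));
```

As the reply points out, the nonce only stops CSRF: if template output were not encoded, injected script could read the nonce from the page, so the encoding in render_template_editor is what actually closes the XSS.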