Re: XSS hole
- From: Dylan Grose
- Date: 2010-01-19 @ 06:42
Yeah, it's fairly rough around the edges, but it gets the job done for the
most part (besides glaring security holes). I might suggest just making it
static rather than loading on the Ajax.
Dylan
On Tue, Jan 19, 2010 at 1:37 AM, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
> On Mon, Jan 18, 2010 at 10:23:30PM -0800, Zed A. Shaw wrote:
> > On Tue, Jan 19, 2010 at 12:35:01AM -0500, Dylan Grose wrote:
> > > I'm assuming the archive browser generation code does no mail content
> > > sanitising since it displays HTML verbatim. I'm sure you know this already.
> >
> > Oh give me a goddamned break. If you inject into the dom it executes
> > javascript no matter what. Why the hell did I do that?
> >
> > Ok, I'll do a quick fix but I'm sure there's more where that came from.
>
> Alright, fixed for now. I'm escaping the usual &<> chars. I really
> need to get in and either rip that thing down or officialize it and do
> it right.
>
> Thanks again.
>
> --
> Zed A. Shaw
> http://zedshaw.com/
>
Re: XSS hole
- From: Zed A. Shaw
- Date: 2010-01-19 @ 06:44
On Tue, Jan 19, 2010 at 01:42:20AM -0500, Dylan Grose wrote:
> Yeah, it's fairly rough around the edges, but it gets the job done for the
> most part (besides glaring security holes). I might suggest just making it
> static rather than loading on the Ajax.
How would that solve the problem? I'd end up doing the same scrubbing
on the backend as on the front end, so kind of pointless.
--
Zed A. Shaw
http://zedshaw.com/
Re: XSS hole
- From: Dylan Grose
- Date: 2010-01-19 @ 06:52
That was actually a general comment; not especially constructive of course.
:)
I should have added an emoticon to the first sentence of that message to
decrease the ambiguity of my sarcasm.
Dylan
On Tue, Jan 19, 2010 at 1:44 AM, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
> On Tue, Jan 19, 2010 at 01:42:20AM -0500, Dylan Grose wrote:
> > Yeah, it's fairly rough around the edges, but it gets the job done for the
> > most part (besides glaring security holes). I might suggest just making it
> > static rather than loading on the Ajax.
>
> How would that solve the problem? I'd end up doing the same scrubbing
> on the backend as on the front end, so kind of pointless.
>
>
> --
> Zed A. Shaw
> http://zedshaw.com/
>
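
Added example, not part of the original thread and not the archive browser's own code: a sketch of the fix discussed above, escaping `&`, `<` and `>` in mail content before it is injected into the DOM. It goes one step beyond the thread by also escaping quotes for attribute values; the function names, the message layout and the sample message are assumptions constructed for illustration.

```javascript
// Added example: names and sample data are constructed, not taken from
// the archive browser discussed in the thread.

// Escape for HTML element content. '&' must be replaced first, otherwise
// the entities produced for '<' and '>' would be escaped a second time.
function escapeText(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Attribute values also need their quotes escaped: with only &<> handled,
// data placed in a quoted attribute could still end the attribute early.
function escapeAttr(s) {
  return escapeText(s)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the markup for one archived message (hypothetical layout).
function renderMessage(msg) {
  return (
    '<div class="msg" title="' + escapeAttr(msg.subject) + '">' +
    "<h3>" + escapeText(msg.from) + "</h3>" +
    "<pre>" + escapeText(msg.body) + "</pre>" +
    "</div>"
  );
}

// Constructed sample: a mail whose fields contain markup.
const sample = {
  from: "Someone <someone@example.com>",
  subject: 'Re: "XSS" hole',
  body: "Tom & Jerry <script>alert(1)</script>",
};

console.log(renderMessage(sample));
```

The same functions work unchanged whether the page is generated statically on the backend or filled in on the client, which is the point made in the reply about scrubbing on either side.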