Edgewall Software

Opened 8 years ago

Closed 7 years ago

#10114 closed defect (fixed)

The html macro does not sanitize behaviour:url in style attributes

Reported by: anonymous
Owned by: Remy Blank
Priority: normal
Milestone: 0.12.3
Component: wiki system
Version:
Severity: normal
Keywords: xss ie security
Cc:
Release Notes:

Fixed an XSS vulnerability on IE.

API Changes:

Description (last modified by Remy Blank)

The html macro does not sanitize behaviour:url in style attributes… so the following

<div style="behavior:url(test.txt)"> 

could be used to potentially XSS a user using IE.

The content of test.txt could be something like this:

<SCRIPTLET>
<IMPLEMENTS Type="Behavior"></IMPLEMENTS>
<SCRIPT Language="javascript">alert(1)</SCRIPT>
</SCRIPTLET>

Source: http://heideri.ch/jso/#52

Attachments (0)

Change History (3)

comment:1 Changed 8 years ago by db.pub.mail@…

Just commenting here so… I will get an email about this ticket.

comment:2 Changed 8 years ago by Remy Blank

Component: general → wiki system
Keywords: xss added
Milestone: 0.12.3
Owner: set to Remy Blank

Great, another IE failure… Thanks for the heads-up.

comment:3 Changed 7 years ago by Remy Blank

Description: modified (diff)
Keywords: ie security added
Release Notes: modified (diff)
Resolution: fixed
Status: new → closed

Verified with IE8, and fixed in [10680].
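
The class of fix this ticket calls for, as an added example (not Trac's code and not the change in [10680]): filter `style` attributes with an allowlist of properties and value characters, so `behavior:url(...)` is dropped because it is not explicitly permitted. The names `sanitize_style`, `StyleFilter`, `filter_fragment` and the contents of the allowlist are assumptions, and the code filters only the `style` attribute, not tags or other attributes.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumption: a small allowlist of presentational properties; extend per site.
SAFE_PROPERTIES = {"color", "background-color", "font-weight", "font-style",
                   "text-align", "text-decoration", "margin", "padding"}
# Keywords, numbers, units and hex colours only: no parentheses, quotes,
# backslashes or slashes, so url(...), expression(...) and escapes never match.
SAFE_VALUE = re.compile(r"[\w\s#%.,+-]+", re.ASCII)


def sanitize_style(style):
    """Keep only declarations whose property and value are both allowlisted."""
    kept = []
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        name, value = name.strip().lower(), value.strip()
        if sep and name in SAFE_PROPERTIES and SAFE_VALUE.fullmatch(value):
            kept.append(f"{name}: {value}")
    return "; ".join(kept)


class StyleFilter(HTMLParser):
    """Re-emit a fragment with every style attribute passed through sanitize_style."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if name == "style":
                value = sanitize_style(value or "")
                if not value:
                    continue  # nothing safe left: drop the attribute entirely
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def filter_fragment(html):
    parser = StyleFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Run against the markup from the description, `filter_fragment('<div style="behavior:url(test.txt)">')` returns `<div>`; a safe declaration in the same attribute is kept.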
