  • Collin 42 posts 62 karma points
    Nov 17, 2011 @ 14:29
    Collin
    0

    Writing patch for XSS scripting exploit in backend

    If you save the following string "<script>alert("Booh!")</script>" in the field "name" of a document in the properties tab, this script will be executed every time the document is displayed in the content navigation tree (Umbraco 4.7.0).

    This can be used to compromise logins of cms users if a hacker manages to get this stored in the database (please note that packages or custom components have access to this field and can present a potential entry point for a hacker).

    Considering I'm not getting any response on this from the community or Umbraco for this bug submit/report, is there a way for me to create a plugin that checks this?

  • Siw Ørnhaug 130 posts 109 karma points
    Jan 16, 2013 @ 12:48
    Siw Ørnhaug
    0

    Hi Collin, did you ever get any answer or see another post on the same issue?

  • Ian 32 posts 82 karma points
    Jan 17, 2013 @ 10:45
    Ian
    0

    I just started a thread about this in 'General'. It's a bug, isn't it?

  • Collin 42 posts 62 karma points
    Jan 18, 2013 @ 13:49
    Collin
    0

    I wrote a patch for this myself after finding documentation on Umbraco event handlers.

    The patch itself is extremely simple:

            void Document_BeforeSave(Document sender, umbraco.cms.businesslogic.SaveEventArgs e)
            {
                sender.Text = StringFunctions.StripDangerousHTMLTags(sender.Text);
            }

    I added this to the following class:

            public class UmbracoEventHandlers : ApplicationBase

    Which then calls the following initializer:

            public UmbracoEventHandlers()
            {
                Document.BeforeSave += new Document.SaveEventHandler(Document_BeforeSave);
            }

    How everything ties in and works with Umbraco can be found in their documentation. But this should help anyone who wants to solve the same issue.

    Please note that StripDangerousHTMLTags is a custom method that was available to me in this project (it removes, among other things, the < and > characters).

    And yes, I consider this indeed to be a bug as this isn't caught during rendering.

  • Ian 32 posts 82 karma points
    Jan 18, 2013 @ 13:56
    Ian
    0

    That's cool although I don't think it really solves the problem. What should happen is that the text to save is preserved but that when it is rendered out to the page it should be HTML encoded. This is what happens throughout the rest of the site. Ultimately, a user might want to have special characters appear in the text.

  • Siw Ørnhaug 130 posts 109 karma points
    Jan 18, 2013 @ 14:00
    Siw Ørnhaug
    0

    Are you sure that this isn't fixed in the latest versions? I haven't upgraded further than to 4.7.2 myself.

    We recently had hacker attacks on a specific Umbraco installation and had to review access policies together with the web hosting people.

    I'm not a specialist in the web security field, but I scanned around wiki and forum to find as much info as possible. To me the relevant info seemed scattered and unorganized. I find it strange that no one tried to compile it, and it should be clear which versions specific vulnerabilities and specific remedies apply to. On our Umbraco server we now run the backend login with SSL and a separate certificate, plus we tightened folder accesses to the bare necessities. I hope.

    But I suspect these actions are not enough.

     

  • Collin 42 posts 62 karma points
    Jan 18, 2013 @ 15:36
    Collin
    0

    @Ian: This was the most pragmatic solution for the case we had. I know this might not be ideal for everyone. I can recommend checking the rest of the Umbraco events that are available, as there are events that are triggered during rendering.

    @Siw: I don't know if it is fixed in the latest release, you would need to ask Umbraco.

  • Ian 32 posts 82 karma points
    Jan 22, 2013 @ 13:20
    Ian
    0

    I just downloaded Umbraco from the website and installed a new instance. The problem actually seems worse! Now the node with the script tag for a name doesn't even seem to load.

  • Ian 32 posts 82 karma points
    Jan 24, 2013 @ 10:08
    Ian
    0

    I noticed that the admin area Html editor does a fairly good job of filtering out javascripts. (It misses "<a href="javas cript:alert('hello');">" though!) and it made me think that it would be cool to be able to mark Umbraco fields as 'allowing Html' or something and have it automatically validate input appropriately.

    Why would anyone ever want the '<' character in a page name?
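
The two approaches debated in this thread, stripping on save versus HTML-encoding on output, shown side by side with a scheme allow-list for link targets. This is an added example, not code from any poster or from Umbraco; `StripAngleBrackets`, `RenderTreeNode`, `IsAllowedHref` and the sample values are hypothetical and constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Net;

static class NodeNameDemo
{
    // Hypothetical stand-in for StripDangerousHTMLTags, whose source is not shown
    // in the thread; this version only removes '<' and '>'.
    static string StripAngleBrackets(string s) =>
        new string(s.Where(c => c != '<' && c != '>').ToArray());

    // Encode on output: the stored name is left as typed and is entity-encoded
    // for both the attribute value and the element text.
    static string RenderTreeNode(string storedName)
    {
        string safe = WebUtility.HtmlEncode(storedName);
        return "<li title=\"" + safe + "\">" + safe + "</li>";
    }

    // Allow-list rather than deny-list: anything that is not plainly http(s)
    // is rejected, so variants of a script scheme need no special handling.
    static bool IsAllowedHref(string href)
    {
        string trimmed = href.Trim();
        return trimmed.StartsWith("http://", StringComparison.OrdinalIgnoreCase)
            || trimmed.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Constructed samples: the name from the first post and a legitimate one.
        string[] names = { "<script>alert(\"Booh!\")</script>", "Prices < 10 & > 5" };
        foreach (string name in names)
        {
            Console.WriteLine("strip on save   : " + StripAngleBrackets(name));
            Console.WriteLine("encode on render: " + RenderTreeNode(name));
        }

        // Constructed samples: the href quoted in the last post and an ordinary link.
        string[] hrefs = { "javas cript:alert('hello');", "https://example.org/page" };
        foreach (string href in hrefs)
            Console.WriteLine((IsAllowedHref(href) ? "allow  " : "reject ") + href);
    }
}
```

Stripping turns the legitimate name into "Prices  10 &  5", while encoding keeps it intact and renders the script string as inert text.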
