Ticket #92 (closed defect: fixed)

Opened 13 months ago

Last modified 13 months ago

Multiple cross-site scripting attacks in login

Reported by: wcummings Owned by: hbock
Priority: major Milestone: Periscope 0.10
Component: Periscope Keywords:
Cc:

Description

The login page can be exploited to execute arbitrary JavaScript both before the login (XSS through the login page, as unsanitized input is passed directly into the HTML) and after the login (by passing JavaScript into the HTTP header generated by Hunchentoot). The former allows an attacker to redirect users to a phoney login page etc., and the latter allows a traditional session-hijacking XSS attack (though Hunchentoot does filter out newlines, so HTTP splitting is not possible as far as I can tell).

Change History

Changed 13 months ago by wcummings

XSS through unsanitized input appearing in the HTML of the login page:
http://www.grizzlor.org:20570/login?denied=login&redirect=%27%3E%3Cscript%3Ealert(%27lol%27);%3C/script%3E

XSS through headers:

http://grizzlor.org:20570/login?denied=login&redirect=javascript:alert(%22uh%20oh%22);

$ curl -D - -d 'username=user&password=pass&redirect=javascript:alert("uh oh");' "http://grizzlor.org:20570/do-login"
HTTP/1.1 302 Moved Temporarily
Content-Length: 330
Date: Wed, 12 Aug 2009 02:42:36 GMT
Server: Hunchentoot 1.0.0
Connection: Close
Location: javascript:alert("uh oh");
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: hunchentoot-session=26%3ABFB9F8C24BB276561EC57969FD8002AE; path=/

...

Changed 13 months ago by hbock

  • owner changed from harry@… to hbock
  • status changed from new to accepted
  • milestone set to Periscope 0.10

Need to ESCAPE-STRING the redirect parameter in /login. See lisp/users.lisp.

Changed 13 months ago by hbock

  • status changed from accepted to closed
  • resolution set to fixed

Fixed by Sam; see commit. Sanitized with ESCAPE-STRING.
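For reference, the handlers below are an added example, not Periscope's code and not the commit referenced above. They reproduce the two reflection points from the ticket with Hunchentoot and CL-WHO (the ticket does not say which package's ESCAPE-STRING the fix used; this example assumes CL-WHO's), then show a hardened pair. Handler names, URIs, the package name and the port are assumptions. HTML escaping makes the reflected payload inert in the page, but it does not change what a browser does with a Location header, so the hardened DO-LOGIN also restricts the redirect target to a same-site path; that check is part of this example, not something the ticket records.

```lisp
;;; Added example, not Periscope's code. A Hunchentoot login page that
;;; reflects the REDIRECT parameter unescaped into a single-quoted
;;; attribute (CL-WHO's default quote character) and then hands it to
;;; REDIRECT, next to a hardened pair of handlers. Handler names, URIs,
;;; the package name and the port are assumptions for this illustration.
(ql:quickload '(:hunchentoot :cl-who))

(defpackage :login-xss-demo
  (:use :cl :hunchentoot :cl-who))
(in-package :login-xss-demo)

;;; --- Vulnerable, as described in the ticket -------------------------

(define-easy-handler (login-vulnerable :uri "/login-vulnerable")
    (denied redirect)
  (with-html-output-to-string (s)
    (:html
     (:body
      (when denied (htm (:p "Login denied, please try again.")))
      (:form :method "post" :action "/do-login-vulnerable"
       ;; CL-WHO prints a non-constant attribute value with ~A and no
       ;; escaping, so redirect='><script>alert('lol');</script> closes
       ;; the single-quoted attribute and the script runs.
       (:input :type "hidden" :name "redirect" :value redirect)
       (:input :type "text" :name "username")
       (:input :type "password" :name "password")
       (:input :type "submit" :value "Log in"))))))

(define-easy-handler (do-login-vulnerable :uri "/do-login-vulnerable")
    (username password (target :real-name "redirect"))
  (declare (ignore username password)) ; credential check left out of the demo
  ;; REDIRECT passes a target that already carries a scheme through as-is,
  ;; so redirect=javascript:alert("uh oh"); lands verbatim in Location:.
  (redirect (or target "/")))

;;; --- Hardened --------------------------------------------------------

(defun safe-redirect-target (target &optional (fallback "/"))
  "Return TARGET only if it is a same-site absolute path, else FALLBACK.
Rejects empty values, anything not starting with a single slash (which
excludes javascript:, http:// and scheme-relative //host), a leading /\\
and any control character."
  (if (and (stringp target)
           (plusp (length target))
           (char= (char target 0) #\/)
           (or (= (length target) 1)
               (not (member (char target 1) '(#\/ #\\))))
           (notany (lambda (c)
                     (or (< (char-code c) 32) (= (char-code c) 127)))
                   target))
      target
      fallback))

(define-easy-handler (login-fixed :uri "/login") (denied redirect)
  (with-html-output-to-string (s)
    (:html
     (:body
      (when denied (htm (:p "Login denied, please try again.")))
      (:form :method "post" :action "/do-login"
       ;; ESCAPE-STRING turns ' " < > & into entities, so the payload is
       ;; rendered as text inside the attribute instead of closing it.
       ;; The target is also normalised so only a local path is echoed.
       (:input :type "hidden" :name "redirect"
               :value (escape-string (safe-redirect-target redirect)))
       (:input :type "text" :name "username")
       (:input :type "password" :name "password")
       (:input :type "submit" :value "Log in"))))))

(define-easy-handler (do-login-fixed :uri "/do-login")
    (username password (target :real-name "redirect"))
  (declare (ignore username password)) ; credential check left out of the demo
  ;; Validate before REDIRECT sees the value: a javascript: or http://
  ;; target falls back to "/", so only a local path reaches Location:.
  (redirect (safe-redirect-target target)))

(defun start-demo (&optional (port 20570))
  "Start an acceptor serving both the vulnerable and the fixed handlers."
  (start (make-instance 'easy-acceptor :port port)))
```

With the acceptor running, the two URLs from the report can be replayed against /login-vulnerable and /do-login-vulnerable to see the original behaviour, and against /login and /do-login to confirm that the first payload is rendered as literal text and the second produces Location: /.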
