couchdb-dev mailing list archives

From "Kyle Snavely (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (COUCHDB-2232) Escape HTML when rendering XSS targets
Date Thu, 01 May 2014 18:21:14 GMT

     [ https://issues.apache.org/jira/browse/COUCHDB-2232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kyle Snavely updated COUCHDB-2232:
----------------------------------

    Description: 
XSS payloads such as '\"><img src=%3Dx onerror%3Dprompt(%2Fxss%2F)>' can be used
with malicious intent in documents.

When rendered unescaped in Fauxton the JS is executed. To reproduce, use the above string
as a new document ID in Fauxton.

This affects the _id field of documents, normal, ddoc, replicator docs...

Other rendered data may be affected. I noticed I can create couch users with the above string
as a name.

I have a branch with basic fixes, using <%- in place of <%= where appropriate in templates.
I'm still getting my Fauxton dev stack set back up so I haven't yet run the tests or inspected
things locally.

I am not familiar with the codebase but I'd like to point out the possible sore spots. Branch
notes:
  - https://github.com/ksnavely/couchdb/compare/30460-XSS-substitutions
  - I tried to not be super heavy-handed, only using <%- for values that
    could be set with XSS payloads or otherwise come from a user/data.
  - There are a few spots where I wasn't sure:
      -- src/fauxton/app/addons/config/templates/item.html
      -- src/fauxton/app/addons/documents/templates/changes.html
  - Perhaps safeURLName can escape on <, > as well?
      -- https://github.com/apache/couchdb-fauxton/blob/4ab2cde647b7712e262f8e4567ae835deff66a8c/app/core/utils.js#L85

I'll do another run through looking for '<%=' and updating as appropriate.


> Escape HTML when rendering XSS targets
> --------------------------------------
>
>                 Key: COUCHDB-2232
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2232
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Fauxton
>            Reporter: Kyle Snavely
>



--
This message was sent by Atlassian JIRA
(v6.2#6252)
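As an added illustration of the <%= versus <%- distinction the report relies on (example code, not Fauxton's or the reporter's own): `render` is a hypothetical minimal stand-in for Underscore's template engine that only supports property lookups, `escapeHtml` approximates Underscore's `_.escape`, and `findRawInterpolations` is the kind of check behind the plan to sweep templates for '<%='.

```javascript
// Added example, not Fauxton code. Underscore templates interpolate raw with
// <%= %> and HTML-escape with <%- %>; this tiny renderer reproduces only that
// distinction so the effect of the fix can be seen on a document ID.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Approximation of Underscore's _.escape (assumption: same five characters).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical minimal template renderer: <%- path %> escapes, <%= path %> does not.
function render(template, data) {
  return template.replace(/<%([-=])\s*([\w.]+)\s*%>/g, (_, mode, path) => {
    const value = path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? "" : String(value);
    return mode === "-" ? escapeHtml(text) : text;
  });
}

// Review aid: list the expressions a template still interpolates raw,
// so each one can be judged as user-controlled or not.
function findRawInterpolations(template) {
  return Array.from(template.matchAll(/<%=\s*([\w.]+)\s*%>/g), (m) => m[1]);
}

// Constructed sample document whose _id is the string from the report.
const doc = { _id: '"><img src=%3Dx onerror%3Dprompt(%2Fxss%2F)>' };

// Constructed templates: the 'before' (raw) and 'after' (escaped) forms of a doc link.
const vulnerableTemplate = '<a href="#doc/<%= _id %>"><%= _id %></a>';
const fixedTemplate = '<a href="#doc/<%- _id %>"><%- _id %></a>';

function renderVulnerable() { return render(vulnerableTemplate, doc); }
function renderFixed() { return render(fixedTemplate, doc); }

// True when an element tag from the ID survives into the markup unescaped.
function containsRawTag(html) { return /<img\b/i.test(html); }

console.log("raw tags in vulnerable output:", containsRawTag(renderVulnerable()));
console.log("raw tags in fixed output:", containsRawTag(renderFixed()));
console.log("raw interpolations left:", findRawInterpolations(vulnerableTemplate));
```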
