Page MenuHomePhabricator

Adding base64-encoded HTML to a page's source code allows HTML injection
Closed, ResolvedPublic

Description

Author: phorgo

Description:
The extension encodes the rendered HTML to base64 to avoid escape problems with the parser and decodes it after the parser's work is done. But if someone adds encoded HTML to the page's wikitext, it will decoded, too. This allows anyone to inject all kinds of scripts. For example, adding
ENCODED_CONTENT PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+ END_ENCODED_CONTENT
to the wikitext will execute the alert() javascript function with 'Hello, my friend!'.

My idea is to add a random number after ENCODED_CONTENT to make the encoded strings each time different. This could look like this:
ENCODED_CONTENT RAND=123456789 PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+ END_ENCODED_CONTENT
And only if the correct number is matched by the regular expression, the encoded string should be decoded.


Version: unspecified
Severity: major

Details

Reference
bz39883

Event Timeline

bzimport raised the priority of this task from to High.
bzimport set Reference to bz39883.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Sep 1 2012, 12:45 PM

Harald - thanks for the excellent diagnosis and suggested fix. I just checked in a fix to this security hole based heavily on your suggestion. As far as I know, the issue is now solved.

Yaron: Commit ID / URL very welcome. Thanks!