Forum OpenACS Development: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages

The problem found on your site was most probably from the error message "page not found, do you want to create it new". There were versions of xowiki out there, which did not escape the string correctly. This was fixed in Sept 09, more than two years ago. What version of xowiki are you using?

I am currently on vacation high up in the Austrian Alps. If there is more to do than upgrading and/or applying the patch, I can still try to help.

http://fisheye.openacs.org/changelog/OpenACS/openacs-4/packages/xowiki/tcl/package-procs.tcl?cs=MAIN%3Agustafn%3A20090915082107

Hi Gustaf,

Thank you for your reply. My XoWiki version was a little bit old because it was the last stable one I know (0.106.3) in the branch oacs-5-4. I've tried two things then:

1 - Apply just the patch you've provided, but I got the following error:


::xowiki::Includelet html_encode not found

2 - Download HEAD version of XoWiki and XoTcl. With this version my old forms for news do not seem to work. I'm getting the following error:


[10/Feb/2011:23:16:44][28298.3056819088][-default:0-] Error: GET http://teste.softwarepublico.gov.br/?
referred by ""
::cr_folder1327: unable to dispatch method 'set_resolve_context'
while executing
"$page set_resolve_context -package_id [my id] -parent_id $parent_id"
(procedure "get_page_from_item_ref" line 56)
::4345 ::xowiki::Package->get_page_from_item_ref
invoked from within
"$package_id get_page_from_item_ref -use_package_path true -use_site_wide_pages true -use_prototype_pages true -parent_id [my parent_id] $page_name"

It seems like I have a problem with upgrades, and it's always very difficult to upgrade without knowing the right procedures. I've also realized that the last stable version for XoWiki is 0.106.3, still with the oacs-5-4 branch. With all the differences, I don't know which version to install to minimize the errors, considering my websites have a lot of form pages and forms, mostly for news.

Can you give me any direction on this? If I can't solve this problem by tomorrow, they will cut my website down. Even migrating outside the Wiki is difficult, because I don't see any other viable option to store the content.

Try making a procedure that does the work

ad_proc encode_html {string} {
    Escape HTML code: replace the characters that are special in HTML with their entity references.
} {
    return [string map [list & "&amp;" < "&lt;" > "&gt;" \" "&quot;" ' "&#39;"] $string]
}

Then modify the patch to call this encode_html procedure instead of the xowiki includelet one and see if that helps.
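As an added example (not code from this thread or from the XoWiki package), here is the escaping proc from the previous post placed next to the kind of message the first post describes, in plain Tcl so it runs with tclsh and without AOLserver or OpenACS. The message text, the proc names `not_found_message_unsafe` / `not_found_message_safe` and the attacker-supplied page name are constructed for the illustration and are not XoWiki's actual wording or code.

```tcl
# Added example: the "page not found, do you want to create it new" message
# built from a user-controlled page name, first unescaped, then escaped.
# Plain Tcl 8.x; no AOLserver/OpenACS needed.

proc encode_html {string} {
    # string map makes a single left-to-right pass over the input, so the
    # "&" entry need not come first: an "&lt;" produced for "<" is never
    # re-scanned into "&amp;lt;", unlike a chain of sequential regsub calls.
    return [string map [list & "&amp;" < "&lt;" > "&gt;" \" "&quot;" ' "&#39;"] $string]
}

# Vulnerable form: the page name is interpolated into the HTML verbatim,
# so any markup in the requested URL ends up in the served page.
proc not_found_message_unsafe {page_name} {
    return "Page '$page_name' not found, do you want to create it new?"
}

# Hardened form: escape once, at the point where plain text becomes HTML.
proc not_found_message_safe {page_name} {
    set name [encode_html $page_name]
    return "Page '$name' not found, do you want to create it new?"
}

# Constructed sample: a page name carrying HTML, as a request URL could.
set attacker_name {<img src=x onerror="alert(1)">}

puts "unsafe: [not_found_message_unsafe $attacker_name]"
puts "safe:   [not_found_message_safe $attacker_name]"

# Self-check: the escaped output must contain no raw tag delimiters and
# must give back the original once the entities are reversed.
set escaped [encode_html $attacker_name]
if {[string first "<" $escaped] != -1 || [string first ">" $escaped] != -1} {
    error "escaping failed: $escaped"
}
set decoded [string map [list "&lt;" < "&gt;" > "&quot;" \" "&#39;" ' "&amp;" &] $escaped]
if {$decoded ne $attacker_name} {
    error "round trip failed: $decoded"
}
puts "escape/round-trip check passed"
```

The quote characters are escaped as well as `<`, `>` and `&` because the same string may end up inside an attribute value, where a bare `"` or `'` closes the attribute. Inside the server, AOLserver/NaviServer's `ns_quotehtml` performs this kind of escaping as a built-in; the pure-Tcl proc above is only so the example runs on its own.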

Hi Dave,

Thank you for your answer, but I guess it won't work. It has to be called inside a method for the xowiki::Weblog class, in an XoTcl perspective.

By the way, more info. I've just realized XoWiki upgrade failed because the name of some switches changed in form pages:


lead to error: unknown argument '-entries_of' for method 'instantiate_forms': valid arguments {-default_lang {}} {-parent_id {}} -forms:required -package_id:required
Details: unknown argument '-entries_of' for method 'instantiate_forms': valid arguments {-default_lang {}} {-parent_id {}} -forms:required -package_id:required
while executing
"::xotcl::interpretNonpositionalArgs $args"

The old switch to form entries was entries_of and it was changed to forms. I guess I would have to manually change all the news page I have in my system before I can upgrade. Is it right?

Dear Eduardo,

I guess the error message comes from the prototype page "news". Actually, the upgrade scripts are supposed to add a new revision to the instantiated prototype pages. In case something went wrong, you can reload the prototype page via ds/shell (assuming the instance is called /xowiki, and the problem comes from the "news" prototype page):

::xowiki::Package initialize -url /xowiki
$package_id import-prototype-page news

Hope this helps

Eduardo, here is a backport of the patch to 0.106.*
http://fisheye.openacs.org/changelog/OpenACS/?cs=oacs-5-4%3Agustafn%3A20110211081335

This patch should work for you (I could not test it here). However, in general I would certainly recommend to upgrade; check if you got an error while running the upgrade scripts (for every upgrade, you see a message "-- upgrading to" in the error log). Check if the upgrade worked correctly. I might be able to connect to the internet later this day.