Forum OpenACS Q&A: Response to Bugtraq: cross site scripting
This only loosely falls under the umbrella of CSS, but it is an attack that sprung to mind while thinking about this problem -
- I register at the victim.com acs4 based site, and find out that my user_id is 9876
- I craft a popup ad that contains 2 frames - a big irritating flashing frame that says "MAKE MEGABUCKS" or whatever, and a 1-pixel tall frame at the bottom that loads "http://victim.com/permissions/grant-2?object_id=0&party_id=98 76&privilege=admin"
- I entice the victim.com site admin to visit a page containing this ad
- I take advantage of my new admin rights on victim.com
- If victim.com has some facility like the old portals module that allows admins to input executable TCL, I take advantage of my new admin rights on the machine that hosts victim.com
the point of the popup ad and frames is tht nobody looks at popups long enough before closing them to notice the 1-pixel tall bit of window that contains either an "unauthorised" error message or a "permissions updated on object 0" result
the lesson of CSS is that not only can't we trust input from users, but we can't trust that input from a user is actually from that user.
the only general solution to this attack I can see is to move the session and auth data from cookies into the URL, which would tend to suck - anybody have other ideas?