Forum OpenACS Q&A: Response to Bugtraq: cross site scripting

Posted by russ m on

This only loosely falls under the umbrella of CSS, but it is an attack that sprung to mind while thinking about this problem -

  • I register at the acs4 based site, and find out that my user_id is 9876
  • I craft a popup ad that contains 2 frames - a big irritating flashing frame that says "MAKE MEGABUCKS" or whatever, and a 1-pixel tall frame at the bottom that loads " 76&privilege=admin"
  • I entice the site admin to visit a page containing this ad
  • I take advantage of my new admin rights on
  • If has some facility like the old portals module that allows admins to input executable TCL, I take advantage of my new admin rights on the machine that hosts

the point of the popup ad and frames is tht nobody looks at popups long enough before closing them to notice the 1-pixel tall bit of window that contains either an "unauthorised" error message or a "permissions updated on object 0" result

the lesson of CSS is that not only can't we trust input from users, but we can't trust that input from a user is actually from that user.

the only general solution to this attack I can see is to move the session and auth data from cookies into the URL, which would tend to suck - anybody have other ideas?