Forum OpenACS Development: XSS / Reflection with return_url

Request notifications

Collapse
Posted by Frank Bergmann on
Hi!

Try this one:

http://server.com/acs-admin/apm/version-reload?version_id=31184&return_url=%22onmouseover=%27alert(5)%27style=%22position:absolute;width:100%;height:100%;top

(The link works for me if I just copy-paste it into a browser, even though only the first part is marked by OpenACS here as a link...)

I get a beautiful "alert 5" on ]po[, running OpenACS 5.9.0.

This is actually a recurring pattern in ]po[ in TCL source code lines like this one:

<a href="$return_url">Return</a>

I'm not sure if this has been fixed in the last versions of OpenACS, @Brian Fenton told me he's doing a lot of security work recently...

My first thought: return_url is nearly always included in ad_page_contract. Can't we define a "nojavascript" data type, similar to "nohtml"? Then we could try to automatically add nojavascript to all return_urls in the system...

Cheers
Frank

Collapse
Posted by Frank Bergmann on
Somebody has TCL parser that can return the ad_page_contract from every .tcl file in the system? And better, this script would also be able to perform checks if every user_id has an user_id:integer data-type and add this in case of necessity?

Cheers
Frank

Collapse
Posted by Maurizio Martignano on
Dear Frank,
reducing the number of security/vulnerability issues in an web application is very important nowadays.
OWASP (https://owasp.org/) offers a set or recommendations and tools supporting this activity.
In particular the OWASP ZAP tool (https://owasp.org/www-project-zap/) is able to analyse a "life" web site/page to look for vulnerability issues. I'm currently using this tool to strengthen a web application of a customer of mine (written in Python/Django).
Yesterday I run the tool against "my" port of the latest version of ]project-open[. It was a "gentle" attack, but already it provided some few indications.
I will send the results to you and Gustaf.
I hope it helps,
Maurizio
Collapse
Posted by Frank Bergmann on
Funny, I also just installed ZAP last night.

I tried, but so far I wasn't able to reproduce the known return_url reflection issue in this thread. I'll continue to investigate.

Cheers
Frank

Collapse
Posted by Maurizio Martignano on
Well, in the report I sent you "return_url" appears 293 times.
So that report could provide you some additional information.

Hope it helps,
Maurizio

Collapse
Posted by Brian Fenton on
Hi Frank

a while back I wrote a simple ad_page_contract filter for checking URLs. You will still need to manually apply this to your ad_page_contracts e.g.

ad_page_contract {
} {
{return_url:return_url ""}
}

Here's the proc:

ad_page_contract_filter return_url { name value } {
Because return URLs can be tampered with, check that there is no Javascript embedded in the URL.
This could be used for any URL really, not just return URLs.
} {

if {[string match -nocase "*<script>*" $value] || [string match -nocase "*javascript*" $value]} {
set quoted_value [ns_quotehtml $value]
ad_complain "Invalid value $quoted_value for input $name"
return 0
}
return 1
}

Collapse
Posted by Frank Bergmann on
Hi Brian,

Time Herres from Daimler found the following exploit:

return_url=%27onmouseover=%27alert(5)%27style=%27position:absolute;width:100%;height:100%;top:0;left:0

This does not include "script" nor "javascript", so it would slip through your net, wouldn't it?

Did you try with this url?
http://server.com/acs-admin/apm/version-reload?version_id=31184&return_url=...

It's a good question: What characters are allowed for a return_url, and which ones are not... Can we exclude quote, double quote and angle brackets in general? What about character quoting?

Cheers
Frank

Collapse
Posted by Brian Fenton on
Hi Frank

yes, you're correct. My filter wouldn't catch that example, it's just a starting point for a general solution.

The more correct solution in the version-reload case is of course to use the OpenACS quoting feature before reflecting the inputted value e.g. [ns_quotehtml $return_url]

Brian

Collapse
Posted by Frank Bergmann on
I've just seen this "localurl" filter from Gustaf apparently:

https://openacs.org/api-doc/content-page-view?source_p=1&path=/packages/acs-admin/www/apm/version-reload.tcl

Cheers
Frank

Collapse
Posted by Brian Fenton on
That's this proc: https://openacs.org/api-doc/proc-view?proc=ad_page_contract_filter_proc_localurl&source_p=1

It seems to check if the URL is external. I don't see any script checks there.

Collapse
Posted by Gustaf Neumann on
This script would also be able to perform checks if every user_id has an user_id:integer data-type and add this in case of necessity

Frank, this happened a few years ago. if you find any any case of not-sufficiently checked input parameters (including all kind of ids, Booleams, returnurls, ...) in OpenACS 5.10, please let us know by writing a issue tracker entry.

See here, how returnurl should be protected in page contracts:
https://openacs.org/api-doc/content-page-view?path=packages/acs-admin/www/apm/version-reload.tcl&version_id=5443646&source_p=1

All ~100 packages in oacs-5-10 are checked frequently by us with acunetix. It is also recommended to run OpenACS 5.10 with CSP and the auto-generated security rules enabled. Also this was addressed in all packages in oacs-5-10, but will probably require some work in PO.

Yes it is true, that OpenACS 5.9 had some potential security flaws (you can say this about every web application package released a few years ago)

Collapse
Posted by Gustaf Neumann on
CSP handles js URLS. When you try it, you will see:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Collapse
Posted by Frank Bergmann on
Thanks a lot!

I believe we'll need to quickly relase ]po[ V5.1 with OpenACS 5.10...

Cheers
Frank