Forum OpenACS Development: XSS / Reflection with return

Posted by Frank Bergmann on 04/30/20 04:32 PM

Hi!

Try this one:

http://server.com/acs-admin/apm/version-reload?version_id=31184&return_url=%22onmouseover=%27alert(5)%27style=%22position:absolute;width:100%;height:100%;top

(The link works for me if I just copy-paste it into a browser, even though only the first part is marked by OpenACS here as a link...)

I get a beautiful "alert 5" on ]po[, running OpenACS 5.9.0.

This is actually a recurring pattern in ]po[ in TCL source code lines like this one:

<a href="$return_url">Return</a>

I'm not sure if this has been fixed in the last versions of OpenACS, @Brian Fenton told me he's doing a lot of security work recently...

My first thought: return_url is nearly always included in ad_page_contract. Can't we define a "nojavascript" data type, similar to "nohtml"? Then we could try to automatically add nojavascript to all return_urls in the system...

Cheers
Frank

2: Re: XSS / Reflection with return_url (response to 1)

Posted by Frank Bergmann on 04/30/20 06:33 PM

Somebody has TCL parser that can return the ad_page_contract from every .tcl file in the system? And better, this script would also be able to perform checks if every user_id has an user_id:integer data-type and add this in case of necessity?

Cheers
Frank

3: Re: XSS / Reflection with return_url (response to 2)

Posted by Maurizio Martignano on 05/01/20 07:22 AM

Dear Frank,
reducing the number of security/vulnerability issues in an web application is very important nowadays.
OWASP (https://owasp.org/) offers a set or recommendations and tools supporting this activity.
In particular the OWASP ZAP tool (https://owasp.org/www-project-zap/) is able to analyse a "life" web site/page to look for vulnerability issues. I'm currently using this tool to strengthen a web application of a customer of mine (written in Python/Django).
Yesterday I run the tool against "my" port of the latest version of ]project-open[. It was a "gentle" attack, but already it provided some few indications.
I will send the results to you and Gustaf.
I hope it helps,
Maurizio

4: Re: XSS / Reflection with return_url (response to 3)

Posted by Frank Bergmann on 05/01/20 10:16 AM

Funny, I also just installed ZAP last night.

I tried, but so far I wasn't able to reproduce the known return_url reflection issue in this thread. I'll continue to investigate.

Cheers
Frank

5: Re: XSS / Reflection with return_url (response to 4)

Posted by Maurizio Martignano on 05/01/20 10:51 AM

Well, in the report I sent you "return_url" appears 293 times.
So that report could provide you some additional information.

Hope it helps,
Maurizio

6: Re: XSS / Reflection with return_url (response to 2)

Posted by Brian Fenton on 05/01/20 11:54 AM

Hi Frank

a while back I wrote a simple ad_page_contract filter for checking URLs. You will still need to manually apply this to your ad_page_contracts e.g.

ad_page_contract {
} {
{return_url:return_url ""}
}

Here's the proc:

ad_page_contract_filter return_url { name value } {
Because return URLs can be tampered with, check that there is no Javascript embedded in the URL.
This could be used for any URL really, not just return URLs.
} {

if {[string match -nocase "*<script>*" $value] || [string match -nocase "*javascript*" $value]} {
set quoted_value [ns_quotehtml $value]
ad_complain "Invalid value $quoted_value for input $name"
return 0
}
return 1
}

7: Re: XSS / Reflection with return_url (response to 6)

Posted by Frank Bergmann on 05/01/20 12:20 PM

Hi Brian,

Time Herres from Daimler found the following exploit:

return_url=%27onmouseover=%27alert(5)%27style=%27position:absolute;width:100%;height:100%;top:0;left:0

This does not include "script" nor "javascript", so it would slip through your net, wouldn't it?

Did you try with this url?
http://server.com/acs-admin/apm/version-reload?version_id=31184&return_url=...

It's a good question: What characters are allowed for a return_url, and which ones are not... Can we exclude quote, double quote and angle brackets in general? What about character quoting?

Cheers
Frank

8: Re: XSS / Reflection with return_url (response to 7)

Posted by Brian Fenton on 05/01/20 12:38 PM

Hi Frank

yes, you're correct. My filter wouldn't catch that example, it's just a starting point for a general solution.

The more correct solution in the version-reload case is of course to use the OpenACS quoting feature before reflecting the inputted value e.g. [ns_quotehtml $return_url]

Brian

9: Re: XSS / Reflection with return_url (response to 8)

Posted by Frank Bergmann on 05/01/20 12:55 PM

I've just seen this "localurl" filter from Gustaf apparently:

https://openacs.org/api-doc/content-page-view?source_p=1&path=/packages/acs-admin/www/apm/version-reload.tcl

Cheers
Frank

10: Re: XSS / Reflection with return_url (response to 9)

Posted by Brian Fenton on 05/01/20 01:02 PM

That's this proc: https://openacs.org/api-doc/proc-view?proc=ad_page_contract_filter_proc_localurl&source_p=1

It seems to check if the URL is external. I don't see any script checks there.

11: Re: XSS / Reflection with return_url (response to 10)

Posted by Gustaf Neumann on 05/01/20 01:06 PM

This script would also be able to perform checks if every user_id has an user_id:integer data-type and add this in case of necessity

Frank, this happened a few years ago. if you find any any case of not-sufficiently checked input parameters (including all kind of ids, Booleams, returnurls, ...) in OpenACS 5.10, please let us know by writing a issue tracker entry.

See here, how returnurl should be protected in page contracts:
https://openacs.org/api-doc/content-page-view?path=packages/acs-admin/www/apm/version-reload.tcl&version_id=5443646&source_p=1

All ~100 packages in oacs-5-10 are checked frequently by us with acunetix. It is also recommended to run OpenACS 5.10 with CSP and the auto-generated security rules enabled. Also this was addressed in all packages in oacs-5-10, but will probably require some work in PO.

Yes it is true, that OpenACS 5.9 had some potential security flaws (you can say this about every web application package released a few years ago)

12: Re: XSS / Reflection with return_url (response to 10)

Posted by Gustaf Neumann on 05/01/20 01:08 PM

CSP handles js URLS. When you try it, you will see:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

13: Re: XSS / Reflection with return_url (response to 12)

Posted by Frank Bergmann on 05/01/20 01:14 PM

Thanks a lot!

I believe we'll need to quickly relase ]po[ V5.1 with OpenACS 5.10...

Cheers
Frank

Forum OpenACS Development: XSS / Reflection with return_url