Forum OpenACS Development: Re: XSS / Reflection with return_url

Collapse
Posted by Frank Bergmann on
I've just seen this "localurl" filter from Gustaf apparently:

https://openacs.org/api-doc/content-page-view?source_p=1&path=/packages/acs-admin/www/apm/version-reload.tcl

Cheers
Frank

Collapse
Posted by Brian Fenton on
That's this proc: https://openacs.org/api-doc/proc-view?proc=ad_page_contract_filter_proc_localurl&source_p=1

It seems to check if the URL is external. I don't see any script checks there.

Collapse
Posted by Gustaf Neumann on
This script would also be able to perform checks if every user_id has an user_id:integer data-type and add this in case of necessity

Frank, this happened a few years ago. if you find any any case of not-sufficiently checked input parameters (including all kind of ids, Booleams, returnurls, ...) in OpenACS 5.10, please let us know by writing a issue tracker entry.

See here, how returnurl should be protected in page contracts:
https://openacs.org/api-doc/content-page-view?path=packages/acs-admin/www/apm/version-reload.tcl&version_id=5443646&source_p=1

All ~100 packages in oacs-5-10 are checked frequently by us with acunetix. It is also recommended to run OpenACS 5.10 with CSP and the auto-generated security rules enabled. Also this was addressed in all packages in oacs-5-10, but will probably require some work in PO.

Yes it is true, that OpenACS 5.9 had some potential security flaws (you can say this about every web application package released a few years ago)

Collapse
Posted by Gustaf Neumann on
CSP handles js URLS. When you try it, you will see:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Collapse
Posted by Frank Bergmann on
Thanks a lot!

I believe we'll need to quickly relase ]po[ V5.1 with OpenACS 5.10...

Cheers
Frank