Forum OpenACS Development: Re: XSS / Reflection with return_url

Posted by Brian Fenton on
That's this proc:

It seems to check if the URL is external. I don't see any script checks there.

Posted by Gustaf Neumann on
This script would also be able to perform checks if every user_id has a user_id:integer data-type and add this in case of necessity.

Frank, this happened a few years ago. If you find any case of not-sufficiently checked input parameters (including all kinds of ids, Booleans, returnurls, ...) in OpenACS 5.10, please let us know by writing an issue tracker entry.

See here how return_url should be protected in page contracts:

All ~100 packages in oacs-5-10 are checked frequently by us with acunetix. It is also recommended to run OpenACS 5.10 with CSP and the auto-generated security rules enabled. Also this was addressed in all packages in oacs-5-10, but will probably require some work in PO.

Yes, it is true that OpenACS 5.9 had some potential security flaws (you can say this about every web application package released a few years ago).
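As an added illustration of the two points above (Brian's observation that a check for "is the URL external?" says nothing about script URLs, and Gustaf's point that return_url belongs under a page-contract filter), here is a small Python comparison of a naive external-host check against a strict same-site validator. It is example code written for this thread, not OpenACS's own proc or its localurl page-contract filter; the sample inputs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample return_url values, labelled by the behaviour a
# defender wants: only site-relative paths should be accepted.
SAMPLES = {
    "/forums/message-view?message_id=42": True,   # normal local path
    "https://example.org/": False,                # foreign host
    "//example.org/": False,                      # protocol-relative host
    "javascript:void(0)": False,                  # script URL, no host
    "JavaScript:void(0)": False,                  # scheme is case-insensitive
    "/\\example.org": False,                      # browsers read '\\' as '/'
    "/path\nwith-newline": False,                 # control char smuggling
    "": False,                                    # empty value
}


def is_external_only_check(url: str) -> bool:
    """Naive check: accept anything that does not name a foreign host.
    A javascript: URL has no host component, so it passes this test."""
    return urlsplit(url).netloc == ""


def is_safe_local_return_url(url: str) -> bool:
    """Strict check: accept only a site-relative path such as
    '/forums/message-view?message_id=42'. Rejects any scheme
    (http:, javascript:, data:, ...), protocol-relative '//host',
    backslashes and control characters."""
    if not url or not url.startswith("/"):
        return False
    if url.startswith("//") or "\\" in url:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    parts = urlsplit(url)
    return not parts.scheme and not parts.netloc


def naive_check_misses() -> list:
    """Inputs the naive check accepts although they must be rejected."""
    return [u for u, ok in SAMPLES.items()
            if not ok and is_external_only_check(u)]


def strict_check_matches_expectation() -> bool:
    """True when the strict validator agrees with every labelled sample."""
    return all(is_safe_local_return_url(u) == ok for u, ok in SAMPLES.items())


if __name__ == "__main__":
    print("naive check lets through:", naive_check_misses())
    print("strict check correct on all samples:", strict_check_matches_expectation())
```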

Posted by Gustaf Neumann on
CSP handles js URLs. When you try it, you will see:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Posted by Frank Bergmann on
Thanks a lot!

I believe we'll need to quickly release ]po[ V5.1 with OpenACS 5.10...