Forum OpenACS Q&A: Re: Strange cross-caching of users

Posted by Dirk Gomez on

For example it's vulnerable to cross-site scripting attacks. (see here: https://openacs.org/forums/message-view?message_id=32835)

And you can still muck around with prefetched acs_object ids on -1 forms.

Or have these two gaping holes been closed?

Posted by Jeff Davis on
Dirk, both still exist. The object id manipulation is reasonably easy to fix by signing the id, but the cross-site scripting one is a big job. If I had to guess a time to fix it all I would say probably 5 weeks of full-time work (based on there being 332 -2.tcl files to check and on how long it took to do the noquote stuff originally).

To date no one has taken it upon themselves to fix it. The noquote stuff is a start as is sweeping through and signing all the object ids (both of which simply mitigate but do not remove the problem).

ad_form signs keys by default but not that many other places use signed variables (in fact only download seems to use it and then only for spam and export of data). We could sign hidden variables by default in the templated form stuff system but I think that would break some pages that do javascript manipulation of hidden vars. Also, a lot of the most sensitive pages don't use the form api.
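The "sign the id" mitigation Jeff describes, shown as an added, self-contained Python example rather than OpenACS's own Tcl signing code: the server emits a hidden form field carrying the object id plus an HMAC over it, and on submission only accepts the id if the HMAC verifies, so a client that edits the hidden value gets rejected. The function names (`sign_value`, `verify_value`, `handle_submission`), the `SECRET_KEY`, the sample form submissions and the expiry window are all constructed for this illustration; the thread itself says nothing about expiry, that is an assumption layered on top of plain signing.

```python
import hashlib
import hmac
import html
import time
from typing import Optional, Tuple

# Constructed demo secret. A real deployment loads this from server-side
# configuration; it must never reach the browser.
SECRET_KEY = b"constructed-demo-secret-do-not-use"


def sign_value(value: str, secret: bytes = SECRET_KEY,
               max_age: int = 3600, now: Optional[int] = None) -> str:
    """Return 'value:expires:hexmac', the string that goes into a hidden field.

    The MAC covers both the value and the expiry so neither can be changed
    client-side without invalidating the signature.
    """
    now = int(time.time()) if now is None else now
    expires = now + max_age  # expiry is an assumption, not part of the thread
    payload = f"{value}:{expires}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{value}:{expires}:{mac}"


def verify_value(token: str, secret: bytes = SECRET_KEY,
                 now: Optional[int] = None) -> Optional[str]:
    """Return the original value if the token is intact and unexpired, else None."""
    parts = token.rsplit(":", 2)
    if len(parts) != 3:
        return None
    value, expires_str, mac = parts
    if not expires_str.isdigit():
        return None
    expected = hmac.new(secret, f"{value}:{expires_str}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    now = int(time.time()) if now is None else now
    if int(expires_str) < now:
        return None
    return value


def render_hidden_field(name: str, value: str, now: Optional[int] = None) -> str:
    """Hidden input whose value is the signed token; attribute values are HTML-escaped."""
    token = sign_value(value, now=now)
    return (f'<input type="hidden" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(token, quote=True)}">')


def handle_submission(form: dict, now: Optional[int] = None) -> Tuple[str, str]:
    """Server side of the form: accept only an object_id whose signature verifies.

    Returns ("ok", object_id) or ("rejected", reason). A rejection is the
    detection signal a defender would log: a well-behaved browser never
    submits a token that fails to verify.
    """
    token = form.get("object_id", "")
    object_id = verify_value(token, now=now)
    if object_id is None:
        return ("rejected", "object_id signature invalid or expired")
    return ("ok", object_id)


if __name__ == "__main__":
    # Constructed walkthrough: the page renders a field for object 42, the
    # honest client sends it back unchanged, a tampering client swaps in 43.
    t0 = 1_000
    field = render_hidden_field("object_id", "42", now=t0)
    honest_token = sign_value("42", now=t0)
    tampered_token = "43" + honest_token[2:]
    print(field)
    print("honest   ->", handle_submission({"object_id": honest_token}, now=t0 + 60))
    print("tampered ->", handle_submission({"object_id": tampered_token}, now=t0 + 60))
    print("expired  ->", handle_submission({"object_id": honest_token}, now=t0 + 10_000))
```

The point of the example is the asymmetry Jeff relies on: signing changes nothing for pages that round-trip the id honestly, but any edit to the hidden value, any replay past the window, or any token minted without the server secret comes back as a rejection rather than silently acting on someone else's object. That rejection path is also where a site would add logging, since it fires only on tampering or stale forms.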