Posted to dev@roller.apache.org by Nick Lothian <nl...@educationau.edu.au> on 2008/04/30 09:23:04 UTC

XSS in Roller

Is there a way to disable XSS attacks via the Roller blog entry form?

Apparently later versions of xinha (the HTML editor) have an option to help with this, but Roller appears to be using a much earlier version.

Has anyone looked at this?

Nick

IMPORTANT: This e-mail, including any attachments, may contain private or confidential information. If you think you may not be the intended recipient, or if you have received this e-mail in error, please contact the sender immediately and delete all copies of this e-mail. If you are not the intended recipient, you must not reproduce any part of this e-mail or disclose its contents to any other party. This email represents the views of the individual sender, which do not necessarily reflect those of education.au limited except where the sender expressly states otherwise. It is your responsibility to scan this email and any files transmitted with it for viruses or any other defects. education.au limited will not be liable for any loss, damage or consequence caused directly or indirectly by this email.

Re: XSS in Roller

Posted by Anil Gangolli <an...@busybuddha.org>.
I agree with some of Nick's points.  My take on these is:

There are some fairly strong assumptions being made about the 
usage/trust model that at a minimum should be clarified to 
administrators; they should know what they're allowing users to do when 
they install Roller.

We could make stronger enforcement of additional security policies 
default behaviors as long as the compatibility issues are 
well-documented in release notes, and provided that we include 
instructions about how to disable it and what the security implications 
of disabling it might be.  I wouldn't do this in a minor rev, but in a 
major rev it seems quite reasonable to me.

--a.

RE: XSS in Roller

Posted by Nick Lothian <nl...@educationau.edu.au>.
Cool - although I'm not sure I agree about the compatibility problem. I'd suspect that many people don't realize that Roller is allowing this, and there is some chance that the first thing they know about it is when their site gets hacked.

I understand that this isn't exactly a finance system or something, but nonetheless - security by default is normally a good approach.

If people really do want the ability to post javascript, then perhaps the project should look at integrating Google Caja support?

In the meantime, in our installation we are going to sanitize at output time using AntiSamy (http://www.owasp.org/index.php/AntiSamy). That's fairly easy for us to integrate, because we're displaying via SiteMesh decorator already. (If someone wanted to commit the patch in https://issues.apache.org/roller/browse/ROL-1703 that would help, though!)

Nick

-----Original Message-----
From: Matt Raible [mailto:mraible@gmail.com]
Sent: Thursday, 1 May 2008 10:44 AM
To: dev@roller.apache.org
Subject: Re: XSS in Roller

I don't see a problem with adding support for it. However, for
backwards compatibilities sake, we'd likely have to turn it off by
default.

Matt




--
http://raibledesigns.com

Re: XSS in Roller

Posted by Matt Raible <mr...@gmail.com>.
I don't see a problem with adding support for it. However, for
backwards compatibilities sake, we'd likely have to turn it off by
default.

Matt

On Wed, Apr 30, 2008 at 6:10 PM, Nick Lothian
<nl...@educationau.edu.au> wrote:
> But entering Javascript is very different to entering HTML. I understand that stuff like http://jehiah.cz/archive/xss-stealing-cookies-101 probably won't be an issue for sites with very strong authentication requirements for blog ownership, but for most sites it will be a big problem.
>
>  For example, isn't it an issue that anyone can set up a blog on JRoller and hijack an administrator's session?
>
>  (The HTML - as opposed to javascript - in the title tag is a different and less serious problem.)
>
>  Nick


-- 
http://raibledesigns.com

RE: XSS in Roller

Posted by Nick Lothian <nl...@educationau.edu.au>.
But entering Javascript is very different to entering HTML. I understand that stuff like http://jehiah.cz/archive/xss-stealing-cookies-101 probably won't be an issue for sites with very strong authentication requirements for blog ownership, but for most sites it will be a big problem.

For example, isn't it an issue that anyone can set up a blog on JRoller and hijack an administrator's session?

(The HTML - as opposed to javascript - in the title tag is a different and less serious problem.)

Nick

-----Original Message-----
From: Allen.Gilliland@Sun.COM [mailto:Allen.Gilliland@Sun.COM]
Sent: Thursday, 1 May 2008 9:03 AM
To: dev@roller.apache.org
Subject: Re: XSS in Roller

but that's a basic requirement of the tool, that authors be allowed to
enter html into their entries.  we call it a "blog" but at the end of
the day it's just a website.

if you want to prevent your users from entering in javascript because
you don't trust them then you should certainly do that, but it's very
dependent on the actual use case.

many of the very big and public free blog sites section off each blog
onto its own domain specifically to prevent this as well.  i.e.
myblog.wordpress.com.  this way even though you can enter in javascript
when authoring your blog, it's confined to your own domain, so you can't
use it to attack anything outside your own blog.  this would be another
option if you feel you need greater security.

-- Allen


Re: XSS in Roller

Posted by Allen Gilliland <Al...@Sun.COM>.
but that's a basic requirement of the tool, that authors be allowed to 
enter html into their entries.  we call it a "blog" but at the end of 
the day it's just a website.

if you want to prevent your users from entering in javascript because 
you don't trust them then you should certainly do that, but it's very 
dependent on the actual use case.

many of the very big and public free blog sites section off each blog 
onto its own domain specifically to prevent this as well.  i.e. 
myblog.wordpress.com.  this way even though you can enter in javascript 
when authoring your blog, it's confined to your own domain, so you can't 
use it to attack anything outside your own blog.  this would be another 
option if you feel you need greater security.

-- Allen


Nick Lothian wrote:
> Entering something like <script>alert('test')</script> in both the title and content fields will mean the javascript will be executed when the page loads.
> 
> Given that many Roller setups allow effectively anonymous people to set up a blog, that seems just as serious as HTML in comments.
> 
> (Also, shouldn't all HTML be stripped from the title in all circumstances, too? At the moment <h1>title</h1> works)
> 
> Nick

RE: XSS in Roller

Posted by Nick Lothian <nl...@educationau.edu.au>.
Entering something like <script>alert('test')</script> in both the title and content fields will mean the javascript will be executed when the page loads.

Given that many Roller setups allow effectively anonymous people to set up a blog, that seems just as serious as HTML in comments.

(Also, shouldn't all HTML be stripped from the title in all circumstances, too? At the moment <h1>title</h1> works)

Nick

-----Original Message-----
From: Matt Raible [mailto:mraible@gmail.com]
Sent: Wednesday, 30 April 2008 10:07 PM
To: dev@roller.apache.org
Subject: Re: XSS in Roller

What do you mean? Do you have an example of an XSS attack on Roller? I
believe it's only possible if you allow HTML in comments. And even
that is sanitized to only allow certain elements.

Matt




--
http://raibledesigns.com
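The message above shows a script element in both the title and the content field being rendered as-is, and Nick's later reply (nearer the top of the page) proposes sanitising at output time with AntiSamy. As an added example that is not part of the thread and not Roller's or AntiSamy's code, here is a small allowlist sanitiser in Python that does both things the thread asks for: an allowlist filter for the entry body, and full tag stripping for the title. The tag, attribute and URL-scheme allowlists are assumptions for illustration, not Roller's policy.

```python
"""Output-time sanitisation for blog entries (constructed example; this is an
allowlist filter written for illustration, not Roller's or AntiSamy's code)."""
from html import escape
from html.parser import HTMLParser

# Tags an author may keep in an entry body, with the attributes each may carry.
# Anything not listed is dropped, never passed through (assumed allowlist).
BODY_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "pre": set(), "code": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
# Elements whose text content is discarded together with the tag.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def _safe_url(value):
    # Scheme allowlist: http(s)/mailto or a scheme-less relative URL. javascript:,
    # data:, vbscript: and case/whitespace-obfuscated variants all fail this test.
    v = value.strip().lower()
    return v.startswith(SAFE_SCHEMES) or ":" not in v

class _Sanitizer(HTMLParser):
    """Rebuilds the document from allowed tags only; an empty allowlist strips every tag."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []      # sanitised output fragments
        self.open = []     # stack of allowed tags currently open
        self.skip = 0      # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        attr_allow = self.allowed.get(tag)
        if self.skip or attr_allow is None:
            return                         # unknown tag dropped, its text kept
        parts = []
        for name, value in attrs:
            if name not in attr_allow or value is None:
                continue                   # drops on*="..." handlers, style, ...
            if name in ("href", "src") and not _safe_url(value):
                continue
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open:
            return
        while self.open:                   # close intervening tags so output nests
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))
    # comments, <!DOCTYPE> and <? ... ?> are silently dropped by HTMLParser

    def result(self):
        self.close()
        while self.open:                   # close anything the author left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)

def sanitize_entry_body(html):
    """Allowlist filter for entry content, applied when rendering, not on save."""
    s = _Sanitizer(BODY_TAGS)
    s.feed(html)
    return s.result()

def sanitize_title(title):
    """Titles carry no markup at all: every tag goes, the text is escaped."""
    s = _Sanitizer({})
    s.feed(title)
    return s.result().strip()
```

Applying this when the page is rendered (rather than when the entry is saved) means existing entries are covered and the stored text can still be edited in full by its author.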

Re: XSS in Roller

Posted by Matt Raible <mr...@gmail.com>.
What do you mean? Do you have an example of an XSS attack on Roller? I
believe it's only possible if you allow HTML in comments. And even
that is sanitized to only allow certain elements.

Matt

On Wed, Apr 30, 2008 at 1:23 AM, Nick Lothian
<nl...@educationau.edu.au> wrote:
> Is there a way to disable XSS attacks via the Roller blog entry form?
>
>  Apparently later versions of xinha (the HTML editor) have an option to help with this, but Roller appears to be using a much earlier version.
>
>  Has anyone looked at this?
>
>  Nick
>



-- 
http://raibledesigns.com