Posted to dev@roller.apache.org by richiebaby <ri...@logica.com> on 2008/07/29 12:56:52 UTC

Please tell me how to validate the search string that appears in the URL

Hi,

I have been asked to add some validation to our Roller installation because
it is vulnerable to XSS (Cross Site Scripting) attacks.

The first place that I am looking is in the search on our home page weblog.

When you perform a search you can see that the search string is appended to
the URL, like this:
http://***/roller/frontpageblog/search?=text+to+search+for

Therefore it is also possible to create a search string that contains some
script like this:
http://***/roller/frontpageblog/search?q=<script>alert("XSS")<%2Fscript>

The above URL causes a pop-up to be displayed.

On the search results page, I have seen that I can validate the search text
by capturing the variable '$model.term' within weblog.vm on the server
(roller\WEB-INF\velocity\weblog.vm).

For example, within the macro: showWeblogSearchAgainForm, I can take
$model.term and use $utils.replace to strip out any possible script.

However, this has no effect on the search string appended to the URL and so
the pop-up is still being displayed.

Question: Could somebody please point me towards how I can monitor the
search URLs within Roller so that I can strip out any script?

Thank you
-- 
View this message in context: http://www.nabble.com/Please-tell-me-how-to-validate-the-search-string-that-appears-in-the-URL-tp18709716s12275p18709716.html
Sent from the Roller - Dev mailing list archive at Nabble.com.


Re: Please tell me how to validate the search string that appears in the URL

Posted by Anil Gangolli <an...@busybuddha.org>.
That particular search XSS issue is fixed in trunk:

http://svn.apache.org/viewvc?rev=668737&view=rev

Applying the code fix from the revision referenced above is preferable 
if you can.


If you need to fix this urgently without rebuilding java code, it is 
also possible (but uglier) to hack/patch WEB-INF/velocity/weblog.vm 
along the following lines as a means to address this.


Index: apps/weblogger/web/WEB-INF/velocity/weblog.vm
===================================================================
--- apps/weblogger/web/WEB-INF/velocity/weblog.vm    (revision 662259)
+++ apps/weblogger/web/WEB-INF/velocity/weblog.vm    Sun Jun 01 11:08:45 
PDT 2008
@@ -730,11 +730,12 @@
*#
#macro(showWeblogSearchAgainForm $weblog)
    <div id="searchAgain">
-        $text.get( "macro.weblog.searchdictionary", [$model.term, 
$model.term, $model.term] )
+        
#set($searchFormTerm=$utils.escapeXML($utils.removeHTML($model.term)))
+        $text.get( "macro.weblog.searchdictionary", [$searchFormTerm, 
$searchFormTerm, $searchFormTerm] )
        $text.get( "macro.weblog.searchhits", [$model.hits])
        <form method="get" action="$url.search" style="margin: 5px">
            <input type="text" id="q" name="q" size="10"
-                maxlength="255" value="$model.term"
+                maxlength="255" value="$searchFormTerm"
                style="padding-left: 1px" /><br />

            #set( $cats = $model.weblog.getWeblogCategories("nil") )
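Review bot: `$searchFormTerm` is reused inside the attribute `value="$searchFormTerm"` as well as in message text, so `$utils.escapeXML` has to encode double quotes in addition to `<`, `>` and `&`; please confirm it does, otherwise the attribute context is still not covered. A second point on the `#set` line: `$utils.removeHTML` before `escapeXML` is belt-and-braces, since escaping alone makes the term safe to echo, while stripping silently changes what the user sees echoed back (a search for `<b>` shows an empty term); either drop the stripping or add a comment saying why it is wanted.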
@@ -748,7 +749,7 @@
            <input type="submit" value="$text.get( 
"macro.weblog.searchagain" )" />
        </form>

-        $text.get( "macro.weblog.searchgoogle", [$model.term, 
$url.absoluteSite, $url.site, ${website.handle}] )
+        $text.get( "macro.weblog.searchgoogle", [$searchFormTerm, 
$url.absoluteSite, $url.site, ${website.handle}] )
    </div>
#end
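Review bot: `macro.weblog.searchgoogle` presumably turns argument {0} into a link to an external search, and if that resource string puts the term into an href query string, XML escaping protects the attribute but the term also needs URL encoding for `&`, `+` and `#` to round-trip as part of the parameter. Please check what the resource string does with the term before relying on `$searchFormTerm` alone here; the fix for the `$model.term` output contexts in the first hunk is fine as it stands.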



--a.
Note: I will be disconnected for the next several days and unable to 
respond to follow-up.




Nick Lothian wrote:
> I can't help with XSS on the search page (we don't use it), but you may be interested in https://issues.apache.org/roller/browse/ROL-1727, which fixes some other XSS problems.
>
> Nick
>
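Added example, not code from the thread or from Roller: the reflected term from the URL in the original post, rendered the way the unpatched template did (raw `$model.term`) and the way Anil's patch does (strip tags, XML-escape once, reuse the escaped value), plus a check that flags any tag the template did not emit. `html.escape` and a regex stripper stand in for `$utils.escapeXML` and `$utils.removeHTML` (assumed behaviour, not Roller's implementations), and the template is a cut-down hypothetical version of `showWeblogSearchAgainForm`; the point it makes is that the fix belongs at output time in the template, not in filtering the URL.

```python
"""Reflected search term: 'before' rendering beside the patched rendering.
Constructed example; html.escape and a minimal regex stand in for Velocity's
$utils.escapeXML / $utils.removeHTML, and the markup is a cut-down template."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Crude stand-in for $utils.removeHTML: drops complete <...> tags only.
_TAG_RE = re.compile(r"<[^>]*>")
# Tags the template itself writes; anything else in the output came from the term.
_TEMPLATE_TAGS = {"div", "form", "input", "br"}


def term_from_url(url: str) -> str:
    """Recover the q parameter as the search action would (the URL is not where the fix goes)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def safe_term(term: str) -> str:
    """The patch's #set($searchFormTerm=...) line: remove tags, then escape <, >, & and quotes."""
    return html.escape(_TAG_RE.sub("", term), quote=True)


def render_vulnerable(term: str) -> str:
    """Before the patch: the raw term lands in text content and in an attribute value."""
    return (f'<div id="searchAgain">Searched for {term}'
            f'<form method="get"><input type="text" name="q" value="{term}" /></form></div>')


def render_fixed(term: str) -> str:
    """After the patch: escape once and reuse the escaped value in every context."""
    safe = safe_term(term)
    return (f'<div id="searchAgain">Searched for {safe}'
            f'<form method="get"><input type="text" name="q" value="{safe}" /></form></div>')


def foreign_tags(rendered: str) -> list:
    """Detection check: tag names in the output that the template never writes."""
    names = {m.lower() for m in re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)}
    return sorted(names - _TEMPLATE_TAGS)


if __name__ == "__main__":
    # The URL from the original post, host replaced with a placeholder.
    url = 'http://example.invalid/roller/frontpageblog/search?q=<script>alert("XSS")<%2Fscript>'
    term = term_from_url(url)
    print("vulnerable ->", foreign_tags(render_vulnerable(term)))  # ['script']
    print("fixed      ->", foreign_tags(render_fixed(term)))       # []
```

A benign term such as `tom & jerry <3` is also handled correctly by the patched path (`tom &amp; jerry &lt;3`), which a stripping-only approach would not guarantee.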



RE: Please tell me how to validate the search string that appears in the URL

Posted by Nick Lothian <nl...@educationau.edu.au>.
I can't help with XSS on the search page (we don't use it), but you may be interested in https://issues.apache.org/roller/browse/ROL-1727, which fixes some other XSS problems.

Nick
