
mahara-contributors team mailing list archive

[Bug 1153423] Re: Stored XSS in TinyMCE editor


** Information type changed from Private Security to Public Security

** Changed in: mahara/1.5
       Status: Fix Committed => Fix Released

** Changed in: mahara/1.6
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1153423

Title:
  Stored XSS in TinyMCE editor

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.5 series:
  Fix Released
Status in Mahara 1.6 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Committed

Bug description:
  Reported by two independent researchers in different locations.

  How to reproduce:
  - Go to a page with a TinyMCE editor (such as /artefact/internal/ -> Introduction)
  - Click the TinyMCE "HTML" button
  - Enter payload of something like "<img src=x onmouseover=alert(1)>"
  - Save page
  - Reload, hover over broken image, notice the alert

  The XSS is stored only for the editing part of the TinyMCE editor. I couldn't quickly find
  any location where it was not escaped in the view section (which is blocktype dependent;
  the above example would be the profileinfo blocktype from artefact/internal).

  The fix is to escape the value sent to tinymce in
  lib/form/elements/wysiwyg.php, patch forthcoming.

  The other location reported was in a new page, the "Page description"
  input. The same patch fixes this.

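The fix the report describes, encoding the stored value before it is written into the page that loads TinyMCE, as an added PHP example. This is not Mahara's own lib/form/elements/wysiwyg.php code; the helper names are constructed for illustration, the sample value is the payload quoted in the report, and the point it adds is that the encoding must match the context the value lands in (HTML element content versus an inline JavaScript string).

```php
<?php
// Added example, not Mahara's code. Shows the unescaped rendering that lets a
// stored value become live markup, and two context-correct encodings.

// Constructed sample: the payload from the bug report, as saved through the
// editor's HTML view and read back from the database on the next page load.
$stored = '<img src=x onmouseover=alert(1)>';

// Vulnerable form (hypothetical helper): the stored string is concatenated
// into the page verbatim, so the browser parses it as markup, not as text.
function render_editor_unescaped($name, $value) {
    return '<textarea name="' . $name . '" id="' . $name . '">' . $value . '</textarea>';
}

// Fixed form for HTML context: entity-encode <, >, &, " and '. TinyMCE decodes
// the textarea's text content when it initialises, so the user still sees
// their HTML in the editor, but the page's parser only ever sees inert text.
function render_editor_escaped($name, $value) {
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<textarea name="' . $name . '" id="' . $name . '">' . $safe . '</textarea>';
}

// Fixed form for JavaScript context: if the value is instead handed to the
// editor through an inline script (e.g. an init option), HTML entities are
// the wrong encoding. json_encode with the JSON_HEX_* flags yields a string
// literal that cannot close the <script> element or break out of the quotes.
function render_editor_js_value($value) {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'var initialContent = ' . json_encode($value, $flags) . ';';
}

// Check a reviewer can apply: after HTML encoding, none of the characters that
// could open a tag or attribute survive in the emitted element body.
function value_is_inert_in_html($rendered, $value) {
    $body = substr($rendered, strpos($rendered, '>') + 1);      // drop the opening tag
    $body = substr($body, 0, strrpos($body, '</textarea>'));    // drop the closing tag
    return strpbrk($body, '<>"\'') === false
        && html_entity_decode($body, ENT_QUOTES, 'UTF-8') === $value;
}

echo render_editor_unescaped('introduction', $stored), PHP_EOL;
// <textarea name="introduction" id="introduction"><img src=x onmouseover=alert(1)></textarea>

echo render_editor_escaped('introduction', $stored), PHP_EOL;
// <textarea name="introduction" id="introduction">&lt;img src=x onmouseover=alert(1)&gt;</textarea>

echo render_editor_js_value($stored), PHP_EOL;
// var initialContent = "\u003Cimg src=x onmouseover=alert(1)\u003E";

var_dump(value_is_inert_in_html(render_editor_unescaped('introduction', $stored), $stored)); // bool(false)
var_dump(value_is_inert_in_html(render_editor_escaped('introduction', $stored), $stored));   // bool(true)
```

The second check in value_is_inert_in_html matters as much as the first: decoding the emitted text must give back exactly the stored value, which is what guarantees the editor still loads the user's content unchanged rather than a mangled copy of it. The same pair of helpers covers the "Page description" input the report mentions, since that is the same element rendered for a different form.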