mahara-contributors team mailing list archive
Message #27556
[Bug 1472439] [NEW] XSS in "add to watchlist" link on artefact detail screen
*** This bug is a security vulnerability ***
Private security bug reported:
On artefact detail screens, when you click on the "add to watchlist"
link, we use AJAX to update the link to read "remove from watchlist".
But, we are not properly escaping the page title in that AJAX, which
makes it possible to execute Javascript that has been placed in the page
title.
To replicate:
1. Create a portfolio Page
2. Give the page this title:
"><img src=0 onerror=alert(location)>
3. Put an image block in the page.
4. View the page in display mode.
5. Click on the link to view the artefact detail screen for the image
6. At the bottom of the artefact detail screen, click on the link that reads "Add page ""><img src=0 onerror=alert(location)>" to watchlist" or "Remove page ""><img src=0 onerror=alert(location)>" to watchlist"
Expected result: The page should be added or removed from your
watchlist, and the link title should show the HTML-escaped version of
the page title.
Actual result: The page is added or removed from your watchlist, but the
link title is not HTML-escaped and Javascript "alert(location)"
executes.
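As an added illustration (not Mahara's code), the following contrasts the unescaped link update the report describes with a version that escapes the page title before it enters the markup; the builder names and the exact markup shape are assumptions, and the sample title is the one from the reproduction steps above.

```javascript
// Added example, not Mahara's code. Models the AJAX callback that rebuilds
// the "add/remove from watchlist" link text from the page title.
// Function names and markup shape are hypothetical.

// Minimal HTML escaper for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw page title is concatenated straight into the
// markup that the callback assigns to the link (innerHTML-style update).
function buildWatchlistLinkUnsafe(pageTitle, onWatchlist) {
  const action = onWatchlist ? 'Remove' : 'Add';
  const prep = onWatchlist ? 'from' : 'to';
  return '<a href="#" title="' + pageTitle + '">' +
         action + ' page "' + pageTitle + '" ' + prep + ' watchlist</a>';
}

// Hardened pattern: escape once, at the point where the title enters HTML,
// in both the attribute value and the element content.
function buildWatchlistLinkSafe(pageTitle, onWatchlist) {
  const action = onWatchlist ? 'Remove' : 'Add';
  const prep = onWatchlist ? 'from' : 'to';
  const safeTitle = escapeHtml(pageTitle);
  return '<a href="#" title="' + safeTitle + '">' +
         action + ' page "' + safeTitle + '" ' + prep + ' watchlist</a>';
}

// Crude check used to compare the two builders: does the markup contain
// any tag other than the single <a>...</a> we intended to emit?
function containsInjectedTag(html) {
  return /<(?!\/?a[\s>])[a-z]/i.test(html);
}

// Constructed sample: the page title from the reproduction steps.
const SAMPLE_TITLE = '"><img src=0 onerror=alert(location)>';

console.log('unsafe leaks tag:', containsInjectedTag(buildWatchlistLinkUnsafe(SAMPLE_TITLE, false)));
console.log('safe leaks tag:  ', containsInjectedTag(buildWatchlistLinkSafe(SAMPLE_TITLE, false)));
```

The same escaping must be applied in the server-side AJAX response if the title is returned as ready-made HTML rather than as data the client escapes itself.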
** Affects: mahara
Importance: Critical
Assignee: Aaron Wells (u-aaronw)
Status: In Progress
** Affects: mahara/1.10
Importance: Critical
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/1.8
Importance: Critical
Assignee: Aaron Wells (u-aaronw)
Status: Won't Fix
** Affects: mahara/1.9
Importance: Critical
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/15.04
Importance: Critical
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/15.10
Importance: Critical
Assignee: Aaron Wells (u-aaronw)
Status: In Progress
** Tags: regression watchlist
** Information type changed from Public to Private Security
** Changed in: mahara
Status: New => In Progress
** Also affects: mahara/15.04
Importance: Undecided
Status: New
** Also affects: mahara/15.10
Importance: Undecided
Status: In Progress
** Also affects: mahara/1.8
Importance: Undecided
Status: New
** Also affects: mahara/1.9
Importance: Undecided
Status: New
** Also affects: mahara/1.10
Importance: Undecided
Status: New
** Changed in: mahara/1.8
Status: New => Won't Fix
** Changed in: mahara/1.10
Status: New => Confirmed
** Changed in: mahara/1.9
Status: New => Confirmed
** Changed in: mahara/15.04
Status: New => Confirmed
** Changed in: mahara/1.10
Importance: Undecided => Critical
** Changed in: mahara/1.8
Importance: Undecided => Critical
** Changed in: mahara/1.9
Importance: Undecided => Critical
** Changed in: mahara/15.04
Importance: Undecided => Critical
** Changed in: mahara/15.10
Importance: Undecided => Critical
** Changed in: mahara/1.10
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/1.8
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/1.9
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/15.04
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/15.10
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/15.10
Milestone: None => 15.10.0
** Changed in: mahara/15.04
Milestone: None => 15.04.2
** Changed in: mahara/1.9
Milestone: None => 1.9.7
** Changed in: mahara/1.10
Milestone: None => 1.10.5
** Tags added: regression watchlist
https://bugs.launchpad.net/bugs/1472439