-
-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cross site scripting vulnerability #2336
Comments
I should note that this does not affect the internal |
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
The session `flash` method is similar to the `session` method added previously, and is a method of the WeBWorK::Authen object attached to the controller. It uses the `flash` method of `Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is "session_cookie" and imitates that with the database session otherwise. This method saves data to the session that will persist only for the next request. This is then used to save `status_messages` when redirects occur. This fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer used. We need to make sure that we never again use a URL parameter to pass HTML.
I believe this was fully addressed by #2337. |
Yes it was. Thanks for closing this. |
This was reported in https://webwork.maa.org/moodle/mod/forum/discuss.php?d=4295 (4 years ago), and I don't know why an issue was not made at that time. The issue is with how we use the
status_message
URL parameter to pass html when redirects occur. An example of this in action was given in that forum post. Here is a simpler example that work now:https://your.server.domain/webwork2/courseID?status_message=<script>console.log('hello')</script>
The
console.log
does get executed.The approach of passing HTML in a URL parameter, and then injecting that into the DOM without begin properly sanitized is a clear vulnerability. There is a note in the forum post about using HTML::Scrubber to sanitize input, but I do not believe this URL parameter has ever been put through any such scrutiny. Furthermore, I don't think that even HTML::Scrubber would catch the instance noted in that post. That is (modified a bit):
https://your.server.com/webwork2/courseID?status_message=<audio%20src=x%20onerror=alert('hello')>
The alert in that is executed also. HTML::Scrubber might catch the first example with a
script
tag, but wouldn't catch theonerror
attribute.The good news is that with #2332 there is a safe mechanism that could be implemented to pass such messages securely via the session without using a URL parameter.
I am noting this issue mainly for myself to work on.
The text was updated successfully, but these errors were encountered: