Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cross site scripting vulnerability #2336

Closed
drgrice1 opened this issue Feb 23, 2024 · 3 comments
Closed

Cross site scripting vulnerability #2336

drgrice1 opened this issue Feb 23, 2024 · 3 comments

Comments

@drgrice1
Copy link
Member

This was reported in https://webwork.maa.org/moodle/mod/forum/discuss.php?d=4295 (4 years ago), and I don't know why an issue was not made at that time. The issue is with how we use the status_message URL parameter to pass html when redirects occur. An example of this in action was given in that forum post. Here is a simpler example that work now:

https://your.server.domain/webwork2/courseID?status_message=<script>console.log('hello')</script>

The console.log does get executed.

The approach of passing HTML in a URL parameter, and then injecting that into the DOM without begin properly sanitized is a clear vulnerability. There is a note in the forum post about using HTML::Scrubber to sanitize input, but I do not believe this URL parameter has ever been put through any such scrutiny. Furthermore, I don't think that even HTML::Scrubber would catch the instance noted in that post. That is (modified a bit):

https://your.server.com/webwork2/courseID?status_message=<audio%20src=x%20onerror=alert('hello')>

The alert in that is executed also. HTML::Scrubber might catch the first example with a script tag, but wouldn't catch the onerror attribute.

The good news is that with #2332 there is a safe mechanism that could be implemented to pass such messages securely via the session without using a URL parameter.

I am noting this issue mainly for myself to work on.

@drgrice1
Copy link
Member Author

I should note that this does not affect the internal status_message usage that is not passed through a URL parameter. So addmessage and methods that go through that (addbadmessage and addgoodmessage) are not a problem when they only use internal content. It is passing the status_message URL parameter into those methods that is the problem.

drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 23, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 23, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 24, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 24, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 24, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 24, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 25, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 29, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 29, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Feb 29, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 2, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 5, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 6, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 7, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 14, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 16, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 17, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 17, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 18, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 18, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 20, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
drgrice1 added a commit to drgrice1/webwork2 that referenced this issue Mar 22, 2024
The session `flash` method is similar to the `session` method added
previously, and is a method of the WeBWorK::Authen object attached to
the controller.  It uses the `flash` method of
`Mojolicious::Plugin::DefaultHelpers` if `session_management_via` is
"session_cookie" and imitates that with the database session otherwise.
This method saves data to the session that will persist only for the
next request.

This is then used to save `status_messages` when redirects occur.  This
fixes issue openwebwork#2336, since the `status_message` URL parameter is no longer
used. We need to make sure that we never again use a URL parameter to
pass HTML.
@Alex-Jordan
Copy link
Contributor

I believe this was fully addressed by #2337.

@drgrice1
Copy link
Member Author

Yes it was. Thanks for closing this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants