Ticket #445 (closed defect: fixed)

Opened 8 months ago

Last modified 8 months ago

XSS vulnerability when an error is encountered in development mode

Reported by: cvonklei..@gmail.com Assigned to:
Priority: major Milestone: 0.5.2
Component: Merb Keywords:
Cc:

Description

When running Merb in development mode, it's possible to inject HTML into the page. Consider this code which calls a method on a string:

`"asfd".foo`

This causes Merb to show that fancy "Internal server error" page (which looks really nice and is useful, BTW!), but it doesn't escape the error message. So I can supply nasty input data to the form that submits to the page with the error. Then this gets called:

`"<script>alert('hi')</script>".foo`

Since the "Internal server error" page doesn't escape the HTML, I get a nice little JS popup.

I ran into this when I had a string.no_bad_words method in the test app I'm using to learn Merb. When I changed the method name to string.replace_bad_words, I forgot to update my view code and got the error. I found that I could add any text to the textarea in my submitting page to have it included as raw HTML.

Of course, this vulnerability doesn't happen unless you're in development mode, which shouldn't be the case in production apps, obviously.

Attachments

fix.diff (116 bytes) - added by cvonklei..@gmail.com on 01/12/08 14:48:11.
Diff that fixes merb-0.5.1/app_generators/merb/templates/app/views/exceptions/internal_server_error.html.erb

Change History

01/12/08 14:48:11 changed by cvonklei..@gmail.com

  • attachment fix.diff added.

Diff that fixes merb-0.5.1/app_generators/merb/templates/app/views/exceptions/internal_server_error.html.erb

01/12/08 14:50:26 changed by cvonklei..@gmail.com

The offending text in the "Internal server error" page is:

undefined method `no_bad_words' for "your_xss_attack_here":String

01/14/08 09:38:39 changed by iv..@gweezlebur.com

  • status changed from new to closed.
  • resolution set to fixed.

(In [1300]) HTML escape error string (Closes #445) Thanks cvonkleist
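Added illustration, not the ticket's attached fix.diff or Merb's own exception template: a stand-alone Ruby script with a constructed stand-in for internal_server_error.html.erb, rendered once with the exception message interpolated raw (the reported behaviour) and once with the message passed through ERB::Util.html_escape (what the fix does). The template strings, the helper names and the error message format (built to match the text quoted in the ticket rather than taken from a live NoMethodError, whose wording varies across Ruby versions) are all assumptions.

```ruby
require "erb"

# Constructed stand-in for the exception page template (assumption, not Merb's file).
# Vulnerable form: the exception message is interpolated into the page unescaped.
UNESCAPED_TEMPLATE = "<h1>Internal server error</h1>\n<p><%= message %></p>\n"

# Fixed form: the same message passed through ERB::Util.html_escape (the `h` helper),
# which turns <, >, &, " and ' into entities so browsers render them as text.
ESCAPED_TEMPLATE = "<h1>Internal server error</h1>\n" \
                   "<p><%= ERB::Util.html_escape(message) %></p>\n"

# Build the message the ticket quotes, in the format shown there (constructed, since
# NoMethodError#message no longer includes the receiver's inspect in recent Rubies).
def error_message_for(user_input)
  "undefined method `no_bad_words' for #{user_input.inspect}:String"
end

# Render a template with the given exception message bound as `message`.
def render_error_page(template, message)
  ERB.new(template).result_with_hash(message: message)
end

# Detection check a reviewer can run on the rendered page: does user-controlled
# markup survive unescaped?
def contains_raw_script?(html)
  html.include?("<script>")
end

if __FILE__ == $PROGRAM_NAME
  payload = "<script>alert('hi')</script>"   # constructed sample form input
  msg = error_message_for(payload)
  puts "--- unescaped (vulnerable) ---"
  puts render_error_page(UNESCAPED_TEMPLATE, msg)
  puts "--- escaped (fixed) ---"
  puts render_error_page(ESCAPED_TEMPLATE, msg)
end
```

The point of keeping the check in a function is that the same assertion can be turned into a regression test for any error page: render it with a marker string in the message and fail the build if the marker comes back as markup.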