01260: Vulnerability to relative links

Summary: Vulnerability to relative links
Created: 2011-07-18 10:01
Status: Closed -- fixed for 2.2.28
Category: Bug
Assigned:
Priority: 3
Version: 2.2.27
OS: Win32/Apache 2.2.18 PHP 5.2.17

Description:
I've discovered a vulnerability where one can set any link without restriction. Normally, when UrlApprove is activated, it is not possible to set new unknown links. But with the help of Path:, you can bypass the block:

* [[http://www.evil.com]]
* [[(Path:)http://www.evil.com]]

But that's not all: you can also link to any protocol:

* [[Path:skype:BigBadBrain?call|Call BigBadBrain]]
* [[Path:javascript:alert%28%22Hello%20Script%22%29|JavaScript-Uri]]
* [[Path:data:text/html,<h1>Hello%20World!</h1><script>alert%28%22Hello%20Script!%22%29</script>|Data-Uri]]
* [[Path:javascript:document.getElementsByTagName%28%22body%22%29%5b0%5d.setAttribute%28%22text%22,%22red%22%29|Set Text-Color to red]]

Since Path: was originally designed only for relative links, one should check whether the links start with a "." or a "/":

* [[Path:./]], [[Path:../]] (Relative)
* [[Path:/pmwiki/pub/skins/pmwiki/pmwiki-32.gif]] (Absolute)

</Babelfish>


<German>

Vulnerability in relative links

I have discovered a vulnerability where one can set arbitrary links without restriction. Normally, when UrlApprove is activated, it is not possible to set new unknown links. But with the help of Path:, one can circumvent the block:

* [[http://www.evil.com]]
* [[(Path:)http://www.evil.com]]

And that's not all: one can also link to arbitrary protocols:

* [[Path:skype:BigBadBrain?call|Call BigBadBrain]]
* [[Path:javascript:alert%28%22Hello%20Script%22%29|JavaScript-Uri]]
* [[Path:data:text/html,<h1>Hello%20World!</h1><script>alert%28%22Hello%20Script!%22%29</script>|Data-Uri]]
* [[Path:javascript:document.getElementsByTagName%28%22body%22%29%5b0%5d.setAttribute%28%22text%22,%22red%22%29|Set Text-Color to red]]

Since Path: is really only intended for relative links, one should check whether the links begin with a "." or a "/":

* [[Path:./]], [[Path:../]] (Relative)
* [[Path:/pmwiki/pub/skins/pmwiki/pmwiki-32.gif]] (Absolute)

</German>

This bug was fixed for version 2.2.28 (if the link starts with "protocol:", the colon ":" will be urlencoded to "%3A"). Thanks and keep up the good work! --Petko July 20, 2011, at 04:15 PM
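As an added example (not PmWiki's own code), the following PHP mirrors the 2.2.28 rule Petko describes: a Path: target that begins with a URI scheme gets its delimiting colon encoded as %3A, so the browser treats it as a relative path, while genuinely relative or site-absolute paths pass through unchanged. The function names and the scheme regex are this example's assumptions.

```php
<?php
// Added example, not PmWiki's own code: applies the rule described in the
// fix for 2.2.28. A Path: target is meant to be a relative or site-absolute
// path; if it instead begins with "scheme:", the delimiting colon is
// percent-encoded so a browser no longer sees a URI scheme.

// Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
// The pattern and the function names below are this example's assumptions.
const SCHEME_PREFIX = '/^([A-Za-z][A-Za-z0-9+.-]*):/';

// Return the target unchanged when it is a plain path, otherwise with the
// scheme colon rewritten: "javascript:alert(1)" -> "javascript%3Aalert(1)".
function neutralisePathTarget($target) {
    if (preg_match(SCHEME_PREFIX, $target, $m)) {
        return $m[1] . '%3A' . substr($target, strlen($m[0]));
    }
    return $target;
}

// True for the link forms Path: was designed for: "./", "../" or "/...".
function isPlainPath($target) {
    return substr($target, 0, 2) === './'
        || substr($target, 0, 3) === '../'
        || substr($target, 0, 1) === '/';
}

// Constructed inputs, taken from the report's own examples.
$samples = array(
    './'                                         => true,
    '../'                                        => true,
    '/pmwiki/pub/skins/pmwiki/pmwiki-32.gif'     => true,
    'http://www.evil.com'                        => false,
    'skype:BigBadBrain?call'                     => false,
    'javascript:alert%28%22Hello%20Script%22%29' => false,
    'data:text/html,<h1>Hello%20World!</h1>'     => false,
);

foreach ($samples as $target => $expectPlain) {
    $out = neutralisePathTarget($target);
    // A plain path must pass through untouched; a scheme must never survive.
    $ok = $expectPlain
        ? ($out === $target)
        : (isPlainPath($target) === false && !preg_match(SCHEME_PREFIX, $out));
    printf("%-45s %s -> %s\n", $target, $ok ? 'ok  ' : 'FAIL', $out);
}
```

Note that the check runs on the raw markup target before any percent-decoding, which is why a literal "javascript:" prefix is caught even when the rest of the target is encoded.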