Fairly Major XSS Bug
I've just been adding uComment to a site, and I've spotted a fairly major XSS vulnerability. Neither the back office dashboard, nor the comment list on the front end escape the stuff the user entered, making it very easy to perform an XSS injection attack on a site using uComment. To replicate, type: <script>alert('oooops!!!')</script> in the comment field and either reload the page, or look at the moderation panel...
Not a hard one to fix, just make sure you escape ANYTHING that the user entered.
If you want to fix it quickly, here's how:
Open the XSLT file for the uComment comment list, and find this line:
<xsl:value-of select="umbraco.library:ReplaceLineBreaks(./message)" disable-output-escaping="yes"/>
Change it to:
<xsl:value-of select="umbraco.library:ReplaceLineBreaks(umbraco.library:HtmlEncode(./message))" disable-output-escaping="yes"/>
And that will fix the issue on the front end (all the other fields are escaped correctly).
To fix the back office panel, open the user control in a text editor, and change the main block to:
<div class="comment-data">
<p class="comment-author">
<div class="comment-gravatar">
<img src='http://www.gravatar.com/avatar/<%# umbraco.library.md5(Eval("email").ToString()) %>?s=32' width="32" height="32" alt="avatar" />
</div>
<strong><%# Server.HtmlEncode(Eval("name").ToString()) %></strong>
<br/>
<a href='<%# Server.HtmlEncode(Eval("website").ToString()) %>' target='_blank'><%# Server.HtmlEncode(Eval("website").ToString()) %></a> | <a href='mailto:<%# Server.HtmlEncode(Eval("email").ToString()) %>'><%# Server.HtmlEncode(Eval("email").ToString()) %></a>
</p>
<p>
<%# Server.HtmlEncode(Eval("comment").ToString()).Replace("\n","<br/>") %>
</p>
<p>
On <%# GetPageDetails(Eval("nodeid")) %> , <%# Eval("created") %>
</p>
</div>
Hope that helps!
:)
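As an added illustration of why the fix above encodes the message before inserting line breaks, here is a Python model of the template pipeline. It is not part of this thread or of uComment; umbraco.library:ReplaceLineBreaks is approximated as newline-to-<br/>, and the sample comment is constructed.

```python
import html
import re

# Constructed sample comment, as a user might submit it (three lines, one hostile).
SAMPLE_COMMENT = "Nice post!\n<script>alert('oooops!!!')</script>\nThanks"


def replace_line_breaks(text: str) -> str:
    """Approximation (assumption) of umbraco.library:ReplaceLineBreaks: newlines become <br/>."""
    return text.replace("\r\n", "<br/>").replace("\n", "<br/>")


def render_unescaped(message: str) -> str:
    """The original template: the raw message is emitted with output escaping disabled,
    so any tag the user typed reaches the browser as markup."""
    return replace_line_breaks(message)


def render_fixed(message: str) -> str:
    """The fix from the thread: HtmlEncode first, then ReplaceLineBreaks.
    Encoding runs before the <br/> tags are inserted, so those tags survive
    while user-supplied tags are rendered as literal text.
    Note: Python's html.escape also encodes quotes; .NET's HtmlEncode may differ
    in exactly which characters it encodes, so the encoded string is not byte-identical."""
    return replace_line_breaks(html.escape(message, quote=True))


def render_wrong_order(message: str) -> str:
    """The other order (ReplaceLineBreaks, then HtmlEncode) is also safe, but the
    inserted <br/> tags get encoded too, so the comment collapses onto one line.
    This is why the thread wraps HtmlEncode inside ReplaceLineBreaks, not the reverse."""
    return html.escape(replace_line_breaks(message), quote=True)


# Any raw tag other than the <br/> the template itself inserts.
TAG_RE = re.compile(r"<(?!br/>)[a-zA-Z/]")


def contains_raw_markup(rendered: str) -> bool:
    """Regression check for the rendered fragment: True if a user-supplied tag is still raw."""
    return TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    for name, fn in (("unescaped", render_unescaped), ("fixed", render_fixed),
                     ("wrong order", render_wrong_order)):
        print(f"{name:12s} raw markup={contains_raw_markup(fn(SAMPLE_COMMENT))}: {fn(SAMPLE_COMMENT)}")
```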
I just discovered this thread completely by accident. Thanks for pointing out the vulnerability, Tim!
Wow you reported this over a year ago and the vulnerability is still there.
If they won't fix it in the package I think we should at least be notified on the project page that there is an XSS vulnerability so we can deal with it before going live.
Still there? I'm almost amazed. Wow. Things like this, once found (and if not fixed) should definitely be obviously labeled on the tin - the packages section of the site should even just allow admins to put a mark against it with notification; it's exposed by their site, after all. It could even be tied in with related forum posts (if there were any real way to relate the nature of a posted item).