[Cosmo-dev] Bug 9930: XSS vulnerability (or, h4x0r5 will steal ur passwurds!)
Travis Vachon
travis at osafoundation.org
Mon Jul 16 11:25:23 PDT 2007
So that we can start keeping track of these things:
I found another XSS bug today, this time in the account browser. As
Bobby pointed out here in the office, this could be particularly
troublesome if an administrative user is the one browsing a
collection. A user puts some malicious code in the title of an item,
reports a problem that causes the administrator to browse that item
(or the item's parent collection) and the user gets the
administrator's password. This seems like it could be potentially
nasty on Hub or other services that allow (essentially) anonymous
signups, since there is no established relationship of trust between
the user and administrator.
-Travis
On Jul 13, 2007, at 6:55 PM, Travis Vachon wrote:
> Hi folks
>
> During bug council today it was mentioned that we need to have a
> list discussion about bug 9930. For anyone that hasn't seen it,
> this is a pretty classic example of what wikipedia refers to as a
> "type 2" XSS bug: http://en.wikipedia.org/wiki/XSS
>
> The long and short of this is that anyone can run arbitrary code in
> the web ui by setting the title of an event to some sneaky html. To
> try this out, log in to any recent version of Cosmo before r5077
> (for example, qacosmo as of right now) and enter "<img
> src='doesntexist.jpg' onerror='alert(cosmo.util.auth.getPassword
> ())'/>" as the title of an event. It would be an easy extension of
> this to put the password in an event and save it to the server,
> allowing anyone subscribed to the calendar you are looking at to
> see your password.
>
> I've gone ahead and fixed this particular bug, and confirmed that
> this is not a problem in the calendar ui or the collection
> selector. That said, we should probably do a full review of the UI
> and the UI code at some point to make sure there are no other
> places that this could happen. From the discussion in IRC today it
> sounds like the current feeling is that this review will be punted
> to post preview, possibly 0.7.1 (the real, new 0.7.1 ;-) ) but we
> felt it should be discussed on the list to make sure there is
> community agreement. At least part of the reasoning behind this
> feeling is that we expect our users to have some sort of trusting
> relationship with anyone they share their calendars with.
>
> Personally, I would suggest that we consider any XSS bugs we find
> blockers for the release, since they tend to be easy to fix (see
> r5077) but wait until later to do a thorough code review. Perhaps
> foolishly, I volunteer to grab any that we find.
>
> Let the debate (or lack thereof) begin!
>
> -Travis
> _______________________________________________
> cosmo-dev mailing list
> cosmo-dev at lists.osafoundation.org
> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev
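The bug class in this thread, as an added illustration that is not part of the original messages or of the Cosmo code base: an event title concatenated straight into markup lets any HTML in it (including the `onerror` payload quoted above, used here as constructed sample input) execute in the viewing user's session, while escaping the title at the point of output renders it as literal text. The function names (`renderTitleUnsafe`, `renderTitleSafe`, `escapeHtml`, `containsActiveMarkup`) are assumed for the example and do not correspond to anything in Cosmo. It runs under Node without a DOM.

```javascript
// Added example (not Cosmo's code). Assumed helper names throughout.

// Constructed sample input: the payload from the report. The <img> points at
// a missing file so its onerror handler runs as soon as the browser renders it.
const SAMPLE_TITLE =
  "<img src='doesntexist.jpg' onerror='alert(cosmo.util.auth.getPassword())'/>";

// "Before": the title goes into the markup unchanged, so any tags it contains
// become part of the document and their event handlers run with the viewer's
// privileges. That is the stored ("type 2") XSS described in the thread.
function renderTitleUnsafe(title) {
  return "<span class='title'>" + title + "</span>";
}

// Escape the characters that let text break out of an HTML text node or a
// quoted attribute value. '&' must be handled first so that the entities
// produced by the later replacements are not escaped a second time.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// "After": escape at output time rather than at save time, so the stored
// title is preserved and every render path that uses this helper is covered.
function renderTitleSafe(title) {
  return "<span class='title'>" + escapeHtml(title) + "</span>";
}

// Regression check usable in a UI review or a unit test: does the produced
// markup still contain an element carrying an on* handler attribute? Only
// markup that survived escaping can. A coarse heuristic, not a sanitizer.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Side-by-side output of the two render paths for the sample title.
console.log("unsafe:", renderTitleUnsafe(SAMPLE_TITLE));
console.log("safe:  ", renderTitleSafe(SAMPLE_TITLE));
console.log("unsafe has handler:", containsActiveMarkup(renderTitleUnsafe(SAMPLE_TITLE)));
console.log("safe has handler:  ", containsActiveMarkup(renderTitleSafe(SAMPLE_TITLE)));
```

The escaping belongs in the rendering layer, not in the save path: escaping on input leaves every other consumer of the stored title (feeds, exports, other UIs) unprotected and corrupts titles that legitimately contain `&` or `<`. The `containsActiveMarkup` check is the kind of assertion a review of the remaining UI render paths could add so that a regression is caught by tests rather than by a user.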