Security Update: Cross-Site Scripting Vulnerability  (#2914)
Issue

A vulnerability has been discovered in WebGUI that could allow an attacker to inject arbitrary HTML into pages, causing undesired operation. The vulnerability is that it is possible for a user doing anonymous registration to create a user name containing arbitrary HTML, which is then used to create Collaboration System posts (or other assets) which will display the injected HTML. It can also cause problems with the Admin Console accordion not displaying, due to a version tag being created with the offending user name.

Attached is a patch to apply to WebGUI version 7.0 or later that will stop users from creating a user name with HTML or JavaScript in it. To apply the patch:

  • Save the attached file to your WebGUI directory
  • Open a terminal
  • Type: cd /your/webgui/directory
  • Type: patch -b -p0 < xss-patch.txt
  • Restart WebGUI

If you do not feel comfortable doing the above actions, alter the 'lib/WebGUI/Operation/User.pm' file as follows:

  1. Around line 430, before the line beginning if (($existingUserId eq $postedUserId || ($postedUserId eq "new" &&, insert the following lines:
    • my $postedUsername = $session->form->process("username");
    • $postedUsername = WebGUI::HTML::filter($postedUsername, "all");
  2. Around line 430, replace the text $session->form->process("username") with
    • $postedUsername
  3. Around line 435, replace the text $session->form->process("username") with
    • $postedUsername
  4. Around line 461, remove the line beginning with my $username = $session->form->process("username");
  5. Around line 462, replace the line beginning with $error = '<ul>' . sprintf($i18n->get(77) with
    • $error = '<ul>' . sprintf($i18n->get(77), $postedUsername, $postedUsername, $postedUsername, $session->datetime->epochToHuman($session->datetime->time(),"%y")).'</ul>';
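The steps above all serve one idea: read the posted user name once, strip every tag from it, and then use only the filtered value for the duplicate check, for creating the account, and for the "already in use" error message (which is itself a place where an unfiltered name would be rendered). The Python below is an added illustration of that flow; it is not the patch attached to this ticket and does not use WebGUI's own WebGUI::HTML::filter. The tag stripper mirrors the "all" policy (every tag removed, text kept) using the standard-library HTML parser, and it keeps entity references such as &lt; in their encoded form rather than decoding them back into markup. The allow-list check (USERNAME_RE) and the in-memory user set are assumptions added here as defence in depth beyond what the page's patch does.

```python
import re
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keep text nodes only; every start and end tag is discarded ("all" policy).

    convert_charrefs=False so that "&lt;" is handed to handle_entityref and can
    be re-emitted in its encoded form instead of being turned back into "<".
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)

    def handle_entityref(self, name: str) -> None:
        # Preserve the reference verbatim; it stays harmless text when rendered.
        self.parts.append(f"&{name};")

    def handle_charref(self, name: str) -> None:
        self.parts.append(f"&#{name};")


def filter_all(markup: str) -> str:
    """Equivalent of step 1 above: remove all HTML tags from the posted value."""
    stripper = _TagStripper()
    stripper.feed(markup)
    stripper.close()  # flush any buffered text
    return "".join(stripper.parts)


# Assumed allow-list (not part of the ticket's patch): letters, digits, . _ @ -
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,32}")


def register(form_username: str, existing_users: set[str]) -> tuple[str, str]:
    """Registration handler mirroring the patched flow in User.pm.

    existing_users is a constructed stand-in for the user table. Returns
    ("ok", stored_name) or ("error", message). Note that the error message is
    built from the *filtered* name, as step 5 above does with $postedUsername.
    """
    posted = filter_all(form_username)            # steps 1-3: filter once, reuse

    if not USERNAME_RE.fullmatch(posted):         # added allow-list check
        return ("error", "username contains characters that are not allowed")

    if posted in existing_users:                  # duplicate check on filtered name
        return ("error", f"{posted} is already in use")

    existing_users.add(posted)                    # only the filtered name is stored
    return ("ok", posted)


if __name__ == "__main__":
    # Constructed sample inputs: a clean name, a tagged name, an unclosed tag,
    # and an entity-encoded name.
    users = {"alice"}
    for candidate in ["alice", "<i>alice</i>", "<b>carol", "&lt;b&gt;dan"]:
        print(repr(candidate), "->", register(candidate, users))
```

The duplicate check deliberately runs on the filtered name: if it ran on the raw form value, "<i>alice</i>" would pass as a new name and then be stored as "alice" (or, without filtering, stored with its tags), which is the ordering the ticket's steps 2 and 3 fix. Stripping tags at registration time does not remove the need to HTML-escape user names wherever they are later displayed; the two controls complement each other.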
Solution Summary
Comments
JT
0
1/17/2007 4:17 pm
fixed in 7.3.5
Details
Ticket Status Closed
Rating 0.0
Submitted By DBell
Date Submitted 2007-01-16
Assigned To unassigned
Date Assigned 2014-10-22
Assigned By
Severity Minor (annoying, but not harmful)
What's the bug in?
WebGUI / WRE Version 7.3.4 and previous
URL bugs/tracker/security-update-cross-site-scripting-vulnerability