Message-ID: <49594E2E.2010609@geckotribe.com>
Date: Mon, 29 Dec 2008 16:24:46 -0600
From: Antone Roundy <electriceel@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: MagpieRSS XSS 0day

admin@...tes0ft.com wrote:
> it is a simple fix: htmlentities() around the parsed CDATA.

The problem with this solution is that if the feed contains harmless 
HTML that's used for formatting, the HTML code becomes visible and the 
formatting is lost.

A better solution is to strip out HTML tags.  Either strip out all tags, 
or create a whitelist of tags that are allowed and strip out all others 
(if you want to keep any formatting, links, etc. provided by harmless 
HTML).  Of course, if you do that, you also need to strip out JavaScript 
handlers (onMouseOver, etc.) since they could also trigger something 
harmful.

If writing the code to do that sounds too complicated, just use a script 
that does it for you like CaRP (full disclosure: I'm the author of CaRP).

Antone Roundy
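The tag-whitelist approach described in the message above, as an added example that is not part of the original post and is not MagpieRSS's or CaRP's code: a parser that rebuilds a feed item's HTML keeping only a small set of harmless formatting tags, drops every `on*` event-handler attribute, rejects `href` values that are not absolute http(s) URLs, and re-escapes all text. The allowed tag and attribute lists are assumptions (a minimal policy), and the sample feed item is constructed; `strip_all_tags` covers the strip-everything option mentioned in the message.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Whitelist policy (assumption: a minimal set that keeps basic formatting and links).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # every attribute not listed here is dropped
VOID_TAGS = {"br"}                       # tags that take no closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # drop the element and its text content
SAFE_URL_SCHEMES = {"http", "https"}


def _safe_url(value):
    """Accept only absolute http(s) URLs, so javascript:, data:, vbscript: are rejected."""
    if not value:
        return False
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme in SAFE_URL_SCHEMES


class FeedSanitizer(HTMLParser):
    """Rebuilds HTML keeping only whitelisted tags/attributes; all text is re-escaped."""

    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = allowed_tags
        self.out = []          # output fragments
        self.open_stack = []   # currently open allowed tags, to keep output balanced
        self.skip_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names (<B ONMOUSEOVER> -> b/onmouseover).
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.allowed_tags:
            return  # unknown tag is dropped; its text content is kept, escaped
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # event handlers (onmouseover, onerror, ...) never pass
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_stack:
            # close back to the matching tag so mis-nested input still yields balanced output
            while self.open_stack:
                closed = self.open_stack.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE>, <![CDATA[ ]]> and processing instructions hit
    # HTMLParser's default no-op handlers and are therefore dropped.

    def result(self):
        self.close()  # flush any buffered trailing text
        while self.open_stack:  # close tags the input left open
            self.out.append("</%s>" % self.open_stack.pop())
        return "".join(self.out)


def sanitize_feed_html(fragment, allowed_tags=ALLOWED_TAGS):
    """Whitelist approach: keep harmless formatting and links, drop everything else."""
    parser = FeedSanitizer(allowed_tags)
    parser.feed(fragment)
    return parser.result()


def strip_all_tags(fragment):
    """Strip-everything approach: plain text only, still HTML-escaped for output."""
    return sanitize_feed_html(fragment, allowed_tags=set())


if __name__ == "__main__":
    # Constructed sample feed <description>: harmless formatting mixed with an
    # injected handler attribute, a script element and a javascript: link.
    sample = ('<p>Release <b onmouseover="alert(1)">1.0</b> is out: '
              '<a href="https://example.com/notes" target="_blank">notes</a></p>'
              '<script>alert(1)</script>'
              '<a href="javascript:alert(1)">click</a>')
    print(sanitize_feed_html(sample))
    print(strip_all_tags(sample))
```

Because the output is rebuilt from the parse tree rather than filtered with regular expressions, malformed or mis-nested input (unclosed tags, uppercase tag names, entity-encoded angle brackets) cannot smuggle a tag or handler past the whitelist: anything the parser does not recognise as an allowed tag ends up as escaped text.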
