[pmwiki-devel] PITS/01030
Petko Yotov
5ko at 5ko.fr
Thu Jun 26 03:24:07 CDT 2008
On Thursday 26 June 2008 05:19:52 Greg Grimes wrote:
> Anytime a POST or GET request is sent and there is no sanitation of the
> input, you have the potential for SQL Injection, XSS, File Injection (which
> is what I think you are thinking about), and various other attacks. The
> way this vuln works is that anytime the AuthForm is called it takes the URI and
> puts it in the <form> tag. Also, contrary to what DaveG said, your PmWiki
> is vulnerable also. Firefox thankfully prevents this type of thing, but IE
> doesn't. Open the following URL in IE and you will get a popup box with
> XSS in it. Now, this is only a proof of concept and it is EASILY spotted,
> but a malicious person could easily make it look like a legitimate link for
> you to follow, and then when you click on it you actually get redirected to
> another site, or it could load malicious JavaScript that can do bad things.
> Just use your imagination on the payload. You could even change the
> alert("XSS") to window.print() and it'll bring up the browser's print
> dialog. Here is the link:
>
> http://galleries.accent.bg/Cookbook/Cookbook?action=edit&'><script>alert("XSS")</script>
Thanks Greg.
My authform seems to convert < and > to %3E and %3C, so the <script> tag is
not displayed nor run.
Now, while I can imagine that a browser could execute this bit of JavaScript if it
worked, I cannot imagine how my site is XSS vulnerable. YOU need to go to
this (invalid) URL, or to trick someone who trusts YOU into following a bogus link
to my site, but this affects neither the security/integrity of my
website nor any of my other visitors in any way.
But, if you can trick someone into clicking on your bogus link leading to my site,
you can also trick him into clicking on a link like this:
...href="javascript:alert('XSS');self.print();"...
which keeps me wondering why an attacker would use my site and what exactly
he can get from this.
Thanks for your answers.
Petko