|
[dokuwiki]
||
[Date Prev]
[03-2008 Date Index]
[Date Next]
||
[Thread Prev]
[03-2008 Thread Index]
[Thread Next]
[dokuwiki] Re: security issue in dailymotion plugin
- From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Wed, 12 Mar 2008 22:57:16 +0100
On Wed, 12 Mar 2008 22:29:26 +0100
Uwe Koloska <dokuwiki@xxxxxxxxx> wrote:
> Hello,
>
> Am Dienstag, 11. März 2008 schrieb Andreas Gohr:
> > Here is an example of a plugin page with a marked security problem:
> > http://wiki.splitbrain.org/plugin:dailymotion
>
> I am just a beginner with PHP and tried to find the XSS vulnerability
> here. Is it really XSS than can be used from outside without write
> access to the wiki page (by attaching some argument to the address)?
> Or is it something "only" a user of the wiki can utilise? If it is
> the latter, I think all (or most of the) plugins that embed some
> media files / player from other sites (like youtube, slideshare,
> etc.) are vulnerable, too.
It is only exploitable with write access to the wiki but this is still
bad.
You can write a plugin for embedding video sharing sites without XSS
vulnerabilities. You have to make sure only certain data can be entred
by the user which then is used to construct clean URLs and embed code.
Eg. for youtube I'd use a syntax like {{youtube>FVrXfgsMpdM}} - it
would only accept the video identifier and then construct the needed
embed code from it. This can of course be extended to inlcude
additional parameters. But you have to filter the input in the plugin
and never output unfiltered or unescaped user input.
Andi
--
http://www.splitbrain.org
|
|
