Extension talk:AddScript/Archive 1

XSS Vulnerability Description
Version 1.1 is vulnerable to XSS attacks. Consider the following: Hopefully the above will help the author correct this very serious problem. --Jimbojw 19:37, 29 March 2007 (UTC)
 * 1) Malicious user creates a page called "EvilScript" and fills it with evil JavaScript (perhaps adding another &lt;script&gt; tag to the DOM, etc).
 * 2) Malicious user creates a page containing the following: &lt;addscript src='../index.php?title=EvilScript&action=raw&ctype=text/javascript'/&gt;
 * Note: This could even be the same page (for example in a JS comment), so an admin going there for the first time to check it out/delete it could be hit immediately!
 * 1) This becomes the following in the document HEAD: &lt;script src="/wikiroot/jsscripts/../index.php?title=EvilScript...
 * Note: Modern browsers will intelligently strip '/../' along with the parent dir when found in fetched URLs.
 * 1) Innocent visitor visits the containing page, which loads EvilScript - user's account is compromised.


 * So, is the fix for this sort of vulnerability to remove the '/../' in the user provided string? Is this 'good enough' since any other URL must be part of the sysop controlled 'jsscripts' path? Jean-Lou Dupont 12:37, 30 March 2007 (UTC)