Description

There is a stored XSS issue in the handling of User-Agent strings in stats/useragents.py: the request's User-Agent value is written to the stats cache unescaped and later rendered into HTML by the StatsChart(useragents) macro.

Steps to reproduce

  1. Query the wiki with a user agent such as "'></script></textarea><script>alert("XSS")</script>;

  2. Navigate to a wiki page containing <<StatsChart(useragents)>> (such as EventStats/UserAgents); an alert pops up.

Example

Component selection

Details

The user agent data is saved at around line 76 of useragents.py

            if ua:
                try:
                    # keep the vendor token that follows " (compatible; "
                    pos = ua.index(" (compatible; ")
                    ua = ua[pos:].split(';')[1].strip()
                except ValueError:
                    # no "(compatible;" marker: fall back to the first whitespace-separated token
                    ua = ua.split()[0]
                #ua = ua.replace(';', '\n')
                # the (still unescaped) string becomes a cache key
                data[ua] = data.get(ua, 0) + 1
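The following is an added example, not code from MoinMoin itself, that reproduces the data flow behind the report end to end: the same normalisation as the snippet above, a raw hit-count cache, and two renderers for the chart's HTML rows. Note that the payload from the reproduction step contains no whitespace, so the split()[0] fallback keeps it intact as a cache key. The sample User-Agent list is constructed, the function names (normalize_ua, count_user_agents, render_rows_vulnerable, render_rows_fixed) are hypothetical, and the standard library's html.escape stands in for wikiutil.escape; the fixed renderer escapes at the point of use, leaving the cached data raw as the discussion below prefers.

```python
import html

# Constructed sample input (not real traffic); the last entry is the
# payload from the report's reproduction step.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
    "curl/7.38.0",
    "\"'></script></textarea><script>alert(\"XSS\")</script>;",
]


def normalize_ua(ua):
    """Same normalisation as the quoted useragents.py snippet (hypothetical
    helper name): keep the vendor token after " (compatible; " when present,
    otherwise the first whitespace-separated token. Returns None for empty input."""
    if not ua:
        return None
    try:
        pos = ua.index(" (compatible; ")
        return ua[pos:].split(';')[1].strip()
    except ValueError:
        # A payload without whitespace survives this fallback unchanged.
        return ua.split()[0]


def count_user_agents(user_agents):
    """Build the raw cache: normalised UA -> hit count. Values are stored
    unescaped on purpose; escaping belongs to the output context."""
    data = {}
    for ua in user_agents:
        key = normalize_ua(ua)
        if key:
            data[key] = data.get(key, 0) + 1
    return data


def render_rows_vulnerable(data):
    """Before: the cached string is interpolated straight into HTML."""
    return "".join(
        "<tr><td>%s</td><td>%d</td></tr>\n" % (ua, n)
        for ua, n in sorted(data.items())
    )


def render_rows_fixed(data):
    """After: escape when the value enters HTML context. quote=True also
    neutralises ' and " so the same helper is safe inside attributes;
    html.escape stands in for MoinMoin's wikiutil.escape here."""
    return "".join(
        "<tr><td>%s</td><td>%d</td></tr>\n" % (html.escape(ua, quote=True), n)
        for ua, n in sorted(data.items())
    )


def contains_script_tag(html_text):
    """Crude check used to show whether a <script> element survived rendering."""
    return "<script" in html_text.lower()


if __name__ == "__main__":
    cache = count_user_agents(SAMPLE_USER_AGENTS)
    print("vulnerable output carries <script>:", contains_script_tag(render_rows_vulnerable(cache)))
    print("fixed output carries <script>:", contains_script_tag(render_rows_fixed(cache)))
```

Escaping on output rather than on save also keeps the cache usable for non-HTML consumers (a CSV export or a log-analysis script would otherwise receive HTML entities), and it means a second HTML consumer cannot forget that the data was "pre-escaped" and double-encode it.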

MoinMoin Version

1.9.7

OS and Version

Python Version

Server Setup

Server Details

Language you are using the wiki in (set in the browser/UserPreferences)

Workaround

Discussion

Issue Reporter: "The obvious fix would be to apply the wikiutil.escape function to ua before saving it to the cache."

Comment: Yeah, that would fix it.

I prefer to have the raw data in the cache, though. And escape it only when it is used in html context.

Thanks for finding / reporting this one. If you want to test the fix: this wiki is running the current code.

-- ThomasWaldmann 2014-08-20 09:02:20

To the anon issue reporter: did you find this by accident or are you doing a systematic security review? Just asking because I want to do a new release soon. -- ThomasWaldmann 2014-08-20 10:12:09

We discovered this issue during an automated scan with IBM Security AppScan Standard 9.0.0.1 (part of a pre-deployment checklist). Rerunning the test, and doing some more targeted tests with the same tool, did not find any further issues.

-- JussiEronen 2014-08-27 08:29:04

OK, great. Thanks for reporting!

Plan


CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/XSSInStatsUserAgents (last edited 2014-08-29 10:06:47 by dslb-188-099-162-059)