Several vectors for JS injection #579

Closed
opened 2012-02-21 12:40:29 +00:00 by rlx · 5 comments
Owner

JS injection via username: Greetings from user `<script>alert('0wned!')</script>` ...
rlx added the general label 2012-02-21 12:40:29 +00:00
rlx added this to the 12.03 milestone 2012-02-21 12:40:29 +00:00
0x2620 was assigned by rlx 2012-02-21 12:40:29 +00:00
rlx added the critical, defect labels 2012-02-21 12:40:29 +00:00
Author
Owner

Strangely, this user does not show up in the users list.

But by adding annotations, the user can make alerts pop up.

Author
Owner

List names (entered in folder) and list descriptions (entered in dialog) execute JS, too.

Author
Owner

In Manage Places/Events, if you enter `<script>alert('JS injection')</script>` as name or alternative name, the map/calendar will execute this as JS.

Saving seems to be fixed, so dialogs will go after reload.
rlx changed title from JS injection via username to Several vectors for JS injection 2012-02-21 13:13:45 +00:00
Author
Owner

Another one is:

```
pandora.api.addAnnotation({
    item: 'A',
    layer: 'descriptions',
    'in': 23,
    out: '42',
    value: '<script>alert("description")</script>'
}, function(r) {
    Ox.print(r.data);
})
```
Author
Owner

By whatever means we fix this, the goal should be that the surface of the fix, i.e. the amount of reasoning needed to verify it's correct, is as small as possible.

j added the fixed label 2012-02-22 12:01:38 +00:00
j closed this issue 2012-02-22 12:01:38 +00:00
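
One way to keep the verification surface small, as the last comment asks, is to build all markup through a single escape-by-default template function, so a reviewer only has to check that one function and search for its explicit bypass. This is an added example, not part of the thread and not pandora's code or its actual fix; `escapeHtml`, `SafeHtml`, `html` and `renderPage` are hypothetical names, and the sample data is constructed from the vectors reported above.

```javascript
// Added example: escape-by-default HTML templating (hypothetical helpers).
const HTML_ESCAPES = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'};

// Single-pass replacement, so already-replaced text is never escaped twice.
function escapeHtml(value) {
    return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Marker for markup produced by html`` itself, which is safe to nest.
// Any direct `new SafeHtml(...)` elsewhere is the one bypass to audit.
class SafeHtml {
    constructor(markup) { this.markup = markup; }
    toString() { return this.markup; }
}

// Tagged template: the literal parts are written by the developer and
// trusted; every interpolated value is escaped unless it is SafeHtml.
function html(strings, ...values) {
    let out = strings[0];
    values.forEach((value, i) => {
        const parts = Array.isArray(value) ? value : [value];
        out += parts.map(p => p instanceof SafeHtml ? p.markup : escapeHtml(p)).join('');
        out += strings[i + 1];
    });
    return new SafeHtml(out);
}

// Constructed sample data mirroring the vectors reported in this issue.
const payload = "<script>alert('0wned!')</script>";
const user = {username: payload};
const lists = [{name: payload, description: 'plain text'}];
const annotation = {layer: 'descriptions', value: '<script>alert("description")</script>'};

function renderPage() {
    const listItems = lists.map(l => html`<li title="${l.description}">${l.name}</li>`);
    return html`<p>Greetings from user ${user.username}</p>
<ul>${listItems}</ul>
<div class="${annotation.layer}">${annotation.value}</div>`.toString();
}

console.log(renderPage());
```

The escaping here covers HTML text and quoted attribute values only; values placed into URLs, inline scripts or unquoted attributes need their own context-specific handling.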
Reference: 0x2620/pandora#579