
This queue is for tickets about the CGI-Uploader CPAN distribution.

Report information
The Basics
Id: 12051
Status: resolved
Priority: 0/
Queue: CGI-Uploader

People
Owner: MARKSTOS [...] cpan.org
Requestors: william [...] knowmad.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.00
Fixed in: (no value)



Subject: Cross-site scripting bug in FriendsPhotos.pm
The FriendsPhotos.pm example application has an XSS bug due to passing the msg through the uri. This was discussed recently on the CGI::App list and one possible solution would be to use a code that selects the message to be displayed rather than displaying raw input from the url.

Be safe,
William
Date: Tue, 29 Mar 2005 09:31:54 -0500
From: Mark Stosberg <mark [...] summersault.com>
To: Guest via RT <bug-CGI-Uploader [...] rt.cpan.org>
Subject: Re: [cpan #12051] Cross-site scripting bug in FriendsPhotos.pm
RT-Send-Cc:
On Tue, Mar 29, 2005 at 08:38:29AM -0500, Guest via RT wrote:
> The FriendsPhotos.pm example application has an XSS bug due to passing
> the msg through the uri. This was discussed recently on the CGI::App
> list and one possible solution would be to use a code that selects the
> message to be displayed rather than displaying raw input from the url.
Thanks for the note, William. Would I be correct that there are two levels of solution here:

1. Simply escapeHTML() the msg when it comes in. It's possible someone could still adjust the page to look silly, but can't really alter the HTML or JavaScript in the page. If I don't care if the page can be made to look silly, this is enough.

2. Use the solution you recommend: Pass codes which can't be usefully altered.

Mark
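The two levels of fix discussed in this thread, as an added Perl example that is not part of CGI::Uploader or the FriendsPhotos.pm example; it assumes CGI.pm is installed, and the message table and query values are constructed for the demonstration:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed lookup table: the URL carries only a short code; the wording
# shown to the user never comes from the request itself.
my %MESSAGES = (
    upload_ok => 'Your photo was uploaded successfully.',
    too_large => 'That file is larger than the allowed size.',
    bad_type  => 'Only JPEG and PNG images are accepted.',
);

# Level 1: render the raw "msg" value after HTML-escaping it. Markup and
# script can no longer be injected, but the attacker still picks the text.
sub render_msg_escaped {
    my ($raw) = @_;
    return '' unless defined $raw && length $raw;
    return '<p class="msg">' . CGI::escapeHTML($raw) . '</p>';
}

# Level 2: treat the query value as a code and look it up. Anything not in
# the table, including any injected markup, collapses to an empty message.
sub render_msg_by_code {
    my ($code) = @_;
    return '' unless defined $code && exists $MESSAGES{$code};
    return '<p class="msg">' . CGI::escapeHTML($MESSAGES{$code}) . '</p>';
}

# Constructed query string standing in for a crafted request URI.
my $q = CGI->new('msg=<script>alert(1)</script>&code=upload_ok');

print render_msg_escaped($q->param('msg')), "\n";  # escaped, inert text
print render_msg_by_code($q->param('code')), "\n"; # table entry for upload_ok
print render_msg_by_code('<script>'), "\n";        # unknown code: empty string
```

In a CGI::Application run mode the same two helpers would be fed `$self->query->param(...)` instead of the constructed object.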