As promised, I started checking for XSS vulnerabilities in the
Blog4Umbraco package, and as a matter of fact, I found one. Or two,
depending on how you look at it.
Posting comments.
When posting comments, they are sent to Akismet for SPAM-checking,
and Akismet does an OK job, but it doesn't check for XSS, or HTML
or JavaScript. It checks for SPAM. Nothing more.
However, when I posted a script tag as a username, it marked
that as SPAM, so at least it does something :)
The message, however, isn't checked, and neither is it encoded on
output. That leaves not only the front-end, but also the back-end
susceptible to attacks. I tried posting plain HTML, as well as a
script with a simple alert. Not only did it fire whenever I viewed
the page, but also in the Dashboard control used to moderate
comments.
So, straight to the fixes.
In the BlogPostListComments.xslt, make sure that output is HTML
encoded. Thus:
<xsl:value-of
select="umbraco.library:ReplaceLineBreaks(./message)"
disable-output-escaping="yes" />
should be
<xsl:value-of
select="umbraco.library:ReplaceLineBreaks(./message)"
disable-output-escaping="no" />
or even
<xsl:value-of
select="umbraco.library:ReplaceLineBreaks(./message)"
/>
or, since the <br/> tags that ReplaceLineBreaks inserts are now escaped as well and would show up as literal text, to make it somewhat pretty
<xsl:value-of select="./message" />
And in the Dashboard control
(/usercontrols/CommentModeration.ascx), instead of
Eval("comment").ToString().Replace("\n","<br/>")
put
Server.HtmlEncode(Eval("comment").ToString())
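Both fixes come down to the same rule: encode the comment text at the point of output, in every place it is rendered, the front-end XSLT and the moderation control alike. The following C# console program is an added example, not code from the Blog4Umbraco package; it puts the original Replace("\n","<br/>") rendering next to an encoded version and keeps the line-break formatting by encoding before inserting the <br/> tags. It uses System.Net.WebUtility.HtmlEncode so that it runs outside ASP.NET; in the .ascx, Server.HtmlEncode does the same job. The sample comment and the method names are constructed for this example.

```csharp
// Added example (not Blog4Umbraco code): why comment text must be
// HTML-encoded at output, and how to keep the line-break formatting
// that the original Replace("\n","<br/>") provided.
using System;
using System.Net;

public static class CommentRendering
{
    // Mirrors the original rendering in CommentModeration.ascx:
    // the raw comment goes straight into the page markup.
    public static string RenderUnsafe(string comment)
    {
        return comment.Replace("\n", "<br/>");
    }

    // Hardened rendering: encode first, so any markup inside the comment
    // becomes inert text, then add <br/> tags for the line breaks.
    // Encoding after the Replace would escape our own <br/> tags too.
    public static string RenderSafe(string comment)
    {
        return WebUtility.HtmlEncode(comment).Replace("\n", "<br/>");
    }

    // Quick check a moderator view could run over stored comments:
    // does the rendered markup still contain a raw script tag?
    public static bool ContainsRawScriptTag(string renderedHtml)
    {
        return renderedHtml.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        // Constructed sample comment with a script tag on the second line,
        // in the spirit of the "simple alert" test described in the post.
        string comment = "Nice post!\n<script>alert('xss')</script>";

        string unsafeHtml = RenderUnsafe(comment);
        string safeHtml = RenderSafe(comment);

        Console.WriteLine("Unsafe: " + unsafeHtml);
        Console.WriteLine("Safe:   " + safeHtml);

        Console.WriteLine("Unsafe rendering still carries a script tag: "
                          + ContainsRawScriptTag(unsafeHtml));
        Console.WriteLine("Safe rendering still carries a script tag:   "
                          + ContainsRawScriptTag(safeHtml));
    }
}
```

Compile with csc and run: the unsafe rendering hands the script tag to the browser unchanged, while the safe rendering turns its angle brackets into &lt; and &gt;, so the browser displays the tag as text and the <br/> inserted afterwards is the only markup left. The same ordering matters in XSLT: with disable-output-escaping="no", the <br/> tags produced by ReplaceLineBreaks are escaped along with everything else, which is why the shortest variant simply drops that call.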
And that was how I found and fixed the XSS vulnerability in the
Blog4Umbraco package. If you want to know more, you could read my previous
post.
There's an upgrade package in the repo, and there will be an
update out on http://our.umbraco.org later today.