• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: WebObjects vulnerabilities?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WebObjects vulnerabilities?

  • Subject: Re: WebObjects vulnerabilities?
  • From: Ramsey Gurley <email@hidden>
  • Date: Tue, 12 Jul 2011 17:23:55 -0700
That's my main concern.  It is happening on every ERXRequest.  I'd rather not waste the cycles if it can be handled in one method on ERXWOForm.  Given the info I have now, I'd be inclined to change the boolean arg at line 251 on ERXWOForm and mark it fixed.  Are there any other examples related to this issue that you are aware of?

Ramsey

On Jul 12, 2011, at 5:05 PM, Simon wrote:

> nice one! yeah, that works. whacks in a new text field into your page
> and gives it focus :-)
>
> https://secure.kagi.com/cgi-bin/WebObjects/PQ?wosid=3D">(1) autofocus>
>
> the wosid parameter in a webobjects url is a gaping backdoor for cross
> site scripting (whether you are storing session id's in urls or not).
> the patch we are running in ERXRequest checks for a wosid parameter
> coming in on every request and makes sure it contains no dodgy looking
> characters. if it finds them, it throws the whole session key away.
> it's kinda like what mike suggested, but allows you to support
> non-cookie sessions.
>
> simon
>
> On 13 July 2011 00:01, Ramsey Gurley <email@hidden> wrote:
>> That's two votes for owasp it seems.... How does it handle new techniques introduced by html5?  Will it catch stuff like:
>>
>> <input onfocus=write(1) autofocus>
>>
>> Found a rather large list of these at html5sec.org
>>
>> Ramsey
>>
>> On Jul 12, 2011, at 5:05 AM, Josef Burzler wrote:
>>
>>> WO-Applications are indeed vulnerable to cross-site-scripting if end-users are allowed to submit HTML.
>>> An example would be an Online-HTML-editor which allows users to edit formatted text in their browsers.
>>>
>>> In order to remove unwanted and malicious code from the submitted HTML and avoid cross-site-Scripting issues one has to filter the submitted content on server side.
>>> For this task I have found AntiSamy to be a useful solution
>>>       https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
>>>
>>> Josef
>>>
>>>
>>> Am 12.07.2011 um 09:36 schrieb Simon:
>>>
>>>> i think core WO is still plagued with the wosid cross-scripting issue too. we patch it in ERXRequest - not sure if the patch ever made it into wonder though...
>>>>
>>>> simon
>>>>
>>>>
>>>> On 12 July 2011 02:43, Mike Schrag <email@hidden> wrote:
>>>> You have to be mindful of ever rendering any tainted strings ... Any string that came from user input should be considered a risk for cross site scripting, so that's any field editable by a user, or any query parameter, etc. If you append those strings to response or <WOString> render them, make sure to escape HTML or strip HTML.
>>>>
>>>> ms
>>>>
>>>> On Jul 11, 2011, at 9:41 PM, Mai Nguyen wrote:
>>>>
>>>>> Do you mean the issue of malicious HTML tags?
>>>>>
>>>>> I wonder what would be the best way to prevent those?
>>>>>
>>>>> thanks,
>>>>>
>>>>> mai
>>>>>
>>>>>
>>>>> On Jul 11, 2011, at 6:36 PM, George Domurot wrote:
>>>>>
>>>>>> If you output strings with escapeHTML=false, you could have an issue.
>>>>>> You may want to consider stripping all potential tags from strings prior to rendering, or at the time of entry.
>>>>>>
>>>>>> -G
>>>>>>
>>>>>> On Jul 11, 2011, at 6:01 PM, Mai Nguyen wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>> I have found some good information about WebObjects and security at the following wiki link:
>>>>>>>
>>>>>>> http://en.wikibooks.org/wiki/WebObjects/Web_Applications/Development/Authentication_and_Security
>>>>>>>
>>>>>>> However, there is no mention about SQL injections which seems to be an active subject lately. Is WebObjects pretty safe, as there is no need to generate SQL directly and access to the DB is going through the EOs normally?
>>>>>>> Are there any other loopholes that I am not aware of?
>>>>>>> About the following article:
>>>>>>> http://support.apple.com/kb/TA26730?viewlocale=en_US
>>>>>>> Would the normal WebObjects behavior be pretty safe if one does not allow the user to enter HTML tags? Does Project Wonder do something in this area?
>>>>>>>
>>>>>>> Many thanks for your advice,
>>>>>>>
>>>>>>> -mai _______________________________________________
>>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>>> Webobjects-dev mailing list      (email@hidden)
>>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>>>
>>>>>>> This email sent to email@hidden
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Do not post admin requests to the list. They will be ignored.
>>>>> Webobjects-dev mailing list      (email@hidden)
>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>
>>>>> This email sent to email@hidden
>>>>
>>>>  _______________________________________________
>>>> Do not post admin requests to the list. They will be ignored.
>>>> Webobjects-dev mailing list      (email@hidden)
>>>> Help/Unsubscribe/Update your Subscription:
>>>>
>>>> This email sent to email@hidden
>>>>
>>>> _______________________________________________
>>>> Do not post admin requests to the list. They will be ignored.
>>>> Webobjects-dev mailing list      (email@hidden)
>>>> Help/Unsubscribe/Update your Subscription:
>>>>
>>>> This email sent to email@hidden
>>>
>>> --
>>> Dr. Josef Burzler
>>>
>>> Phone    +49-(0)941-69 84 84-37
>>> email@hidden
>>>
>>> ===================================
>>>
>>> SELBSTDENKER AG - No Vision Too Far
>>>
>>> Gesandtenstraße 10
>>> 93047 Regensburg
>>> Phone  +49-(0)941-69 84 84-0
>>> Fax       +49-(0)941-69 84 84-99
>>>
>>> email@hidden
>>> http://www.selbstdenker.ag
>>>
>>> Niederlassung: Regensburg
>>> Handelsregister:  Regensburg HRB 7860
>>> Vorstand/CEO:  Herr Stephan Fürnrohr
>>> Vors. des Aufsichtsrates/Chairman of the board:
>>> Herr Dipl. Betriebswirt (FH) Richard Sibinger
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Webobjects-dev mailing list      (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
>>
>>  _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list      (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>>

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: WebObjects vulnerabilities?
      • From: Chuck Hill <email@hidden>
References: 
 >WebObjects vulnerabilities? (From: Mai Nguyen <email@hidden>)
 >Re: WebObjects vulnerabilities? (From: George Domurot <email@hidden>)
 >Re: WebObjects vulnerabilities? (From: Mai Nguyen <email@hidden>)
 >Re: WebObjects vulnerabilities? (From: Mike Schrag <email@hidden>)
 >Re: WebObjects vulnerabilities? (From: Simon <email@hidden>)
 >Re: WebObjects vulnerabilities? (From: Josef Burzler <email@hidden>)
 >Re: WebObjects vulnerabilities? (From: Ramsey Gurley <email@hidden>)
 >Re: WebObjects vulnerabilities? (From: Simon <email@hidden>)

  • Prev by Date: Re: Re: Dynamic table with editable content
  • Next by Date: ERXResponseRewriter.addStylesheetResourceInHead(...)
  • Previous by thread: Re: WebObjects vulnerabilities?
  • Next by thread: Re: WebObjects vulnerabilities?
  • Index(es):
    • Date
    • Thread