NetTalk Central

Author Topic: Potential vulnerability  (Read 3634 times)

LyGilCo

  • Newbie
  • *
  • Posts: 17
    • View Profile
    • Email
Potential vulnerability
« on: August 04, 2008, 03:27:47 AM »
Hi everyone,
                  I have just had a message from a website user regarding a vulnerability with entered data. I am no expert on web security but what he says seems to make sense.

Excerpt from email:

I'd love to support the project and I have a couple of ideas for hardening the website. The picture attached to this email shows a simple js alert box popping up after I've submited a project with parameter Pro_Description equal to <script>alert(1)</script> This is a simple vuln on your website I saw there... I find the fact of data not being filtered when registering unsafe.

End excerpt

So as I see it - if someone enters <script> .. code .. </script>, then when someone views the page - the code is passed to their browser and executes.

The Webserver needs to filter out these statements (or do I need to do this manually - Yuk)

Cheers

Murray

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Potential vulnerability
« Reply #1 on: August 05, 2008, 12:22:40 AM »
Hi Murray,

This technique goes by the rather fancy name of "HTML Injection".

By default NetTalk "encodes" form fields which the user enters, so that you can _see_ what they entered, but it doesn't _run_ what they entered.
In other words, by default, NetTalk is secure.

However, if you tick on the option "allow xHTML" for an entry field (and _specifically_ if you're not using the WYSIWYG HTML editor on the field) then NetTalk does not encode what the user enters.

Obviously if you want the user to add _some_ HTML, but not "bad" HTML, then you need to parse what they enter, and selectively remove stuff.

Cheers
Bruce