foreverqihe / reallysimplehistory

Automatically exported from code.google.com/p/reallysimplehistory

XSS vulnerability in iframe tag creation [security] #43

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Add the following string to a URL that loads rsh.js:

   #foobar'onload='alert("XSS")

What is the expected output? What do you see instead?

Expected behaviour: nothing happens.

Actual behaviour: The JavaScript is run by the browser -- this is an XSS
vulnerability.

What version of the product are you using? On what operating system?

trunk with IE6

Please provide any additional information below.

This is a "DOM based XSS" (the fragment part of the URL is not coming from
the server-side, but from the browser). See
http://www.webappsec.org/projects/articles/071105.shtml for details.

Suggested patch is attached.

Original issue reported on code.google.com by dov.mu...@gmail.com on 16 Dec 2007 at 3:29

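The bug class this report describes, as an added illustration that is not RSH's code and not the attached patch: a script reads the URL fragment (which never reaches the server, so only client-side handling can address it) and splices it straight into iframe markup. The unsafe builder, the attribute name `name`, the `blank.html` source and the helper names are assumptions for the example; the fragment used in the test is the one from the report. The hardened variants either escape the value before concatenation or avoid building markup entirely and let the DOM set the attribute.

```javascript
// Hypothetical illustration of the DOM-based XSS pattern in issue #43.
// Not RSH's code; attribute names and helper names are invented here.

// Strip the leading '#' the way a script reading location.hash would.
function fragmentFromHash(hash) {
  return hash.charAt(0) === '#' ? hash.slice(1) : hash;
}

// Unsafe pattern: the raw fragment is spliced into an HTML attribute.
// A single quote in the fragment closes the `name` attribute and whatever
// follows is parsed as further attributes, including event handlers.
function buildIframeMarkupUnsafe(fragment) {
  return "<iframe name='" + fragment + "' src='blank.html'></iframe>";
}

// Escape the characters that change meaning inside an attribute value.
function escapeHtmlAttribute(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Hardened string-building variant: escape before concatenating, so the
// fragment can no longer terminate the attribute it is placed in.
function buildIframeMarkupSafe(fragment) {
  return "<iframe name='" + escapeHtmlAttribute(fragment) + "' src='blank.html'></iframe>";
}

// Preferred variant: do not build markup at all. setAttribute stores the
// value as data; the parser never sees it, so there is nothing to break out of.
// `doc` is passed in so the function can run outside a browser.
function createIframeSafely(doc, fragment) {
  var frame = doc.createElement('iframe');
  frame.setAttribute('name', fragment);
  frame.setAttribute('src', 'blank.html');
  return frame;
}

// Review aid: flag markup in which an on* event-handler attribute appears
// immediately after a quote or whitespace, i.e. where the input
// managed to start a new attribute.
function containsEventHandlerAttribute(markup) {
  return /['"\s]on[a-z]+\s*=/i.test(markup);
}
```

Run with the fragment from the report (`#foobar'onload='alert("XSS")`): the unsafe builder yields markup with an `onload` attribute, the escaped builder does not, and `createIframeSafely` needs no escaping at all because the DOM API does not parse the value.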
GoogleCodeExporter commented 9 years ago
Bug confirmed - it is relatively easy to perform XSS exploits in the current version (0.6) using IE6, & my fix was essentially the same as dov.murik's. This issue was picked up by a 3rd-party security company testing our site, with no prior knowledge of RSH, so it's probably not too hard for malicious users to figure out.

Original comment by perrett....@gmail.com on 9 Jul 2008 at 4:32