justinpotts / pattr

Code for http://pattr.me

Arbitrary JavaScript execution through autolink #29

Closed jeffw16 closed 9 years ago

jeffw16 commented 9 years ago

If one pastes in

https://www.mywikis.com"onclick="javascript:disconnect()"

into the chatbar, the client will disconnect on Chrome.

Well, let's just say this is also possible:

https://www.mywikis.com"onclick="javascript:alert('Pattr_got_hacked')"


The potential of abuse is very great. I recommend an escalation in severity to critical.

This needs to be fixed immediately by setting cgi.escape's second parameter to True, which will look something like this but I'm not sure since my Python isn't the strongest:

```python
import cgi  # cgi.escape exists in Python 2 and Python 3 up to 3.7 (removed in 3.8)

# The keyword is `quote` (singular); with quote=True the double quote is
# escaped as &quot; alongside & < >, so it can no longer close the href attribute.
message['data'] = cgi.escape(message['data'], quote=True)
```
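To make the attribute-breakout concrete, here is an added example (not pattr's own code) of a minimal autolinker run with and without quote escaping; `html.escape` stands in for `cgi.escape` (same `quote` semantics for `"`, but it also escapes `'`), the URL regex is an assumed simplification, and the sample messages are constructed from the payload in this issue:

```python
import html
import re

# Assumed, simplified autolink rule: a bare http(s) URL with no whitespace.
URL_RE = re.compile(r'https?://[^\s<]+')

def render_message(message, quote):
    """Escape the chat message, then wrap every URL in an anchor tag.
    quote=False mirrors cgi.escape's default: & < > are escaped but the
    double quote survives, so a '"' inside the URL ends the href attribute
    and whatever follows becomes a new attribute such as onclick.
    quote=True mirrors the fix (cgi.escape(..., quote=True)): the quote
    is emitted as &quot; and stays inside the attribute value."""
    escaped = html.escape(message, quote=quote)
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)),
                      escaped)

def href_is_intact(rendered):
    """True when every <a> tag consists of a single, properly closed href
    attribute and nothing else, i.e. no attribute was injected."""
    tags = re.findall(r'<a [^>]*>', rendered)
    return all(re.fullmatch(r'<a href="[^"]*">', tag) for tag in tags)

# Constructed sample messages: the payload reported above, and a harmless URL.
PAYLOAD = 'check https://www.mywikis.com"onclick="javascript:alert(\'Pattr_got_hacked\')"'
BENIGN = 'see https://www.mywikis.com for details'

if __name__ == '__main__':
    for label, quote in (('cgi.escape default', False), ('quote=True', True)):
        out = render_message(PAYLOAD, quote)
        print('%-18s intact=%s  %s' % (label, href_is_intact(out), out))
```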
justinpotts commented 9 years ago

Fixed in d9dc2b6

jeffw16 commented 9 years ago

thanks