mazi-project / portal

This is the portal of the MAZI toolkit
http://www.mazizone.eu/toolkit/
MIT License

Updated: encoding failing in Guestbook when comment is made to original post (security breaking hack found, not satisfactory) #145

Open mgaved opened 5 years ago

mgaved commented 5 years ago

Originally posted 10 Mar 2017 as https://github.com/mazi-project/guestbook/issues/3

UPDATE: Work-around found (but compromises security) 25/09/2018
UPDATE: this seems to happen after a comment is made to the original post.
UPDATE: also happening via Android 6 phone
UPDATE: not happening to James SPC - he doesn't have this issue. (Problem with this specific MAZIzone install? to be investigated)

MAZI v2.5.6, live since v2.5.3 or earlier: Entering an apostrophe into Guestbook results in &#x27; being displayed. I suspect encoding is not being handled?

I am using a Win7 computer to access the MAZI guestbook and Chrome browser.

I've got a big public demo next week so it would be fantastic if it could be resolved, thanks!

guestbook-broken-2018-09

mgaved commented 5 years ago

I've started testing which characters work and which fail:

Characters that fail (space after the & inserted because this submission form translates them into the character):
' appears as & #x27; (unicode hex code)
" appears as & quot; (HTML entity code)
< appears as & lt; (HTML entity code)
> appears as & gt; (HTML entity code)

Characters that are ok: ( ) : ; @ ! ? / , . « ö » ß é à â

I am not sure why some are being managed fine and others not, and why some should show its HTML entity, and one its hex code (UPDATE: I think it's characters being escaped to prevent injection attacks).

I think in comments, the most frequently used characters will be ' (apostrophe) and " (quotation mark)

mgaved commented 5 years ago

Could it be something to do with escaping characters that might allow for injection attacks? I've found: mazi-board\src\node\node_modules\core-js\modules\core.string.escape-html.js

I've found the only reference to & #x27; in mazi-board\src\www\libs File: underscore-min.js

Here there's a line that includes var B={"&":"& amp;","<":"& lt;",">":"& gt;",'"':"& quot;","'":"& #x27;","`":"& #x60;"}, (I've added a space after the & so it still presents in this form). Perhaps the substitution is happening here?

mgaved commented 5 years ago

We have now experienced this issue on Mac OS, Win7, and Android 6, on different MAZI Raspberry Pis running v2.5.5.

However, we have discovered a work-around.

WARNING: this compromises security on the MAZIzone.

SSH to var/www/html/mazi-board/src/node/models/submission.js and var/www/html/mazi-board/src/node/models/comment.js

Find the line in each file with Utils.escapePath(this,'text'); and comment it out by putting "//" at the beginning. Save and restart the Guestbook.

Apostrophes will no longer be reformatted.

I think what is happening is that the web form no longer checks for 'dangerous' characters ( > < ' " ) that can enable injection attacks and doesn't substitute them. You don't get the visible error with the substitution not working properly, but you do leave your MAZIzone open to this kind of attack: you have opened up a security hole.

Credit to Allan, plus David and Matteo of The Open University for working out this hack.
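The escape map quoted from underscore-min.js earlier in this thread, and the work-around of commenting out Utils.escapePath() in the models, both concern where in the pipeline HTML escaping happens. The following is an added example, not code from the mazi-board project: only the escape map is taken from the quoted underscore line; the model hook, the two render paths and the "what the visitor sees" helper are simplified stand-ins. The thread does not establish which template path the guestbook uses, so the example walks a sample through all four store/render combinations. The combination that reproduces the reported symptom (the visitor seeing a literal &#x27;) is escaping on save and escaping again on output; the combination that the work-around risks, if the output layer does not escape, is storing raw and rendering raw.

```javascript
// Added example, not mazi-board code. ESCAPE_MAP is the map quoted from
// underscore-min.js in this issue; everything else is an assumed stand-in.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
const ESCAPE_RE = /[&<>"'`]/g;

// HTML-escape a string the way underscore's _.escape does.
function escapeHtml(text) {
  return String(text).replace(ESCAPE_RE, (ch) => ESCAPE_MAP[ch]);
}

// Stand-in for the model hook (Utils.escapePath(this, 'text') in the thread):
// with escapeOnSave true the text is escaped before it is stored, which is
// the behaviour the work-around switches off.
function saveSubmission(text, escapeOnSave) {
  return { text: escapeOnSave ? escapeHtml(text) : text };
}

// Output path A (assumed): the template inserts the stored value verbatim.
function renderRaw(record) {
  return `<p class="comment">${record.text}</p>`;
}

// Output path B (assumed): the template escapes on insertion, as an
// underscore <%- %> tag does.
function renderEscaped(record) {
  return `<p class="comment">${escapeHtml(record.text)}</p>`;
}

// Crude model of what a browser displays for a fragment: tags are parsed
// away and entities are decoded exactly once, so "&amp;#x27;" shows as "&#x27;".
const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'", '#x60': '`' };
function visibleText(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&(amp|lt|gt|quot|#x27|#x60);/g, (_, name) => DECODE_MAP[name]);
}

// Does a live <script> element survive into the fragment?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Walk one input through the four store/render combinations and report what
// the visitor would see and whether markup reached the page unescaped.
function evaluate(input) {
  const out = {};
  for (const escapeOnSave of [true, false]) {
    for (const [path, render] of [['raw', renderRaw], ['escaped', renderEscaped]]) {
      const html = render(saveSubmission(input, escapeOnSave));
      const key = `${escapeOnSave ? 'escapeOnSave' : 'storeRaw'}+${path}`;
      out[key] = { shown: visibleText(html), scriptSurvives: containsScriptTag(html) };
    }
  }
  return out;
}

// Constructed samples: a harmless apostrophe and a markup injection attempt.
const APOSTROPHE = "it's";
const MARKUP = '<script>alert(1)</script>';

console.log(evaluate(APOSTROPHE));
console.log(evaluate(MARKUP));
```

The table the script prints makes the trade-off in the thread visible: escaping exactly once, at output, keeps the apostrophe readable and still neutralises markup, while escaping on save as well produces the doubled entity the reporter saw, and removing the save-time escape is only safe if the output layer is confirmed to escape.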