occam-ra / occam

OCCAM Reconstructability Analysis Tools

XSS in weboccam.cgi action parameter #62

Closed maxrp closed 3 months ago

maxrp commented 2 years ago

The action parameter is untrusted user input which is directly incorporated into the generated page leading to an XSS.

For example /weboccam.cgi?action=%3C%2Finput%3E%3Cscript%3Ealert(%22xss%22)%3B%3C%2Fscript%3E%3Cinput%3E

I have not conducted an exhaustive review of the related scripts for similar untrusted user input issues, however it appears there are likely to be more.
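To make the defect concrete from a defender's side, here is an added illustration (not code from the occam-ra/occam repository; the handler names, the hidden-input markup and the action allowlist are assumptions) showing the vulnerable pattern the report describes beside two hardened variants. The query string is the one given in the report; `parse_qs` percent-decodes it exactly as a CGI script would see it.

```python
import html
from urllib.parse import parse_qs

# Query string from the report above, as the CGI script would receive it in QUERY_STRING.
REPORTED_QUERY = (
    "action=%3C%2Finput%3E%3Cscript%3Ealert(%22xss%22)%3B%3C%2Fscript%3E%3Cinput%3E"
)

# Hypothetical set of action names the web front end actually understands.
ALLOWED_ACTIONS = {"search", "fit", "show"}


def action_from_query(query_string):
    """Percent-decode the query string and pull out the 'action' parameter."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("action", [""])[0]


def render_action_unsafe(action):
    """Vulnerable pattern: the raw parameter is spliced into the page markup,
    so a value containing '</input><script>' breaks out of the attribute."""
    return '<input type="hidden" name="action" value="%s">' % action


def render_action_escaped(action):
    """Hardened pattern 1: HTML-escape on output. quote=True also turns the
    quote characters into entities, so the value cannot close the attribute."""
    return '<input type="hidden" name="action" value="%s">' % html.escape(action, quote=True)


def render_action_allowlisted(action):
    """Hardened pattern 2: validate on input against the known action names,
    then still escape on output (defence in depth)."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action: %r" % action)
    return render_action_escaped(action)


def is_inert(markup):
    """Check used to verify a rendered fragment: a decoded script tag must
    never survive into the output as markup."""
    return "<script" not in markup.lower() and "</input>" not in markup.lower()


if __name__ == "__main__":
    action = action_from_query(REPORTED_QUERY)
    print("unsafe :", render_action_unsafe(action))
    print("escaped:", render_action_escaped(action))
```

Escaping on output is the minimal fix for this parameter; the allowlist is the stronger one, because `action` is a dispatch selector with a small fixed set of legal values, and rejecting anything else closes the same class of bug for every place the value is later echoed.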

kramer102 commented 2 years ago

I'm not sure the best email group to address, but I'm trying to get Occam set up at Providence. We're having trouble with older dependencies & Python.

  1. I'm going to attempt to get a new igraph library installed.

Does anyone have an updated version? Maybe one that has transitioned to python 3? Ultimately, we need a library we can import and run in our compute clusters, but we're trying to get it running as a web app first. Has there been work on a python library?

Best,

Robert Kramer

On Fri, Oct 15, 2021 at 9:56 AM Max P @.***> wrote:

The action parameter is untrusted user input which is directly incorporated into the generated page leading to an XSS.

For example

/weboccam.cgi?action=%3C%2Finput%3E%3Cscript%3Ealert(%22xss%22)%3B%3C%2Fscript%3E%3Cinput%3E

I have not conducted an exhaustive review of the related scripts for similar untrusted user input issues, however it appears there are likely to be more.


BartMassey commented 2 years ago

@kramer102 Would suggest posting a separate issue for this. I'm pretty sure stuff was rewritten into Python 3 a while back, but I'm not a developer on this project, so don't take my word for it.

BartMassey commented 2 years ago

@zwick-martin What is the current status of things with OCCAM? Is there someone actively developing? This issue seems pretty important: it would be great if someone who knows the codebase better than me would take a look at the PR and close this issue, and then review the codebase for other similar issues…

zwick-martin commented 2 years ago

Hello All,

I took a look at the PR and it looked straightforward.

Unfortunately I don't currently have a lot of time to devote to fixing any other XSS issues that might be in the codebase, but I can certainly review and merge if that will help or else have a discussion with anyone who would like to join the open source project team.

On Wed, Mar 9, 2022 at 8:42 PM Martin Zwick @.***> wrote:

Shawn, Guy, Joe,

Robert Kramer, working with Lindsay Mico at Providence, is trying to get an Occam version working at Providence and is running into problems with, I think, libraries that Occam uses. Can you help him out? It would be really nice if Providence could get Occam operational. We'd be able to arrange for research with their data, they would be able to tell us how to integrate Occam in a more modern way with other software, etc etc. This is important. Getting Occam going there will be a great step in reactivating the Occam project. Please help!

Please look at the problem that they're having:

https://github.com/occam-ra/occam/issues/62

Marty

P.S. Thanks so much, Bart, for alerting me. Does CS have any students who might like to help out on the Occam project? On 3/9/2022 4:03 PM, Bart Massey wrote:

@zwick-martin https://github.com/zwick-martin What is the current status of things with OCCAM? Is there someone actively developing? This issue seems pretty important: it would be great if someone who knows the codebase better than me would take a look at the PR and close this issue, and then review the codebase for other similar issues…


--

Martin Zwick Professor, Systems Science Program Portland State University Portland OR 97207-0751

503-725-4987 503-803-9580 (cell) @.*** https://works.bepress.com/martin_zwick/

BartMassey commented 2 years ago

@zwick-martin Have you talked with our new AI Faculty Banafsheh Rebkhadar and Ameeta Agrawal about OCCAM? They'd likely be interested, and might be most likely to have students around who were interested in helping.

Hope things are going well.

zwick-martin commented 1 year ago

Shawn, Guy, Joe,

Robert Kramer, working with Lindsay Mico at Providence, is trying to get an Occam version working at Providence and is running into problems with, I think, libraries that Occam uses. Can you help him out? It would be really nice if Providence could get Occam operational. We'd be able to arrange for research with their data, they would be able to tell us how to integrate Occam in a more modern way with other software, etc etc. This is important. Getting Occam going there will be a great step in reactivating the Occam project. Please help!

Please look at the problem that they're having:

https://github.com/occam-ra/occam/issues/62

Marty

P.S. Thanks so much, Bart, for alerting me. Does CS have any students who might like to help out on the Occam project?

On 3/9/2022 4:03 PM, Bart Massey wrote:

@zwick-martin https://github.com/zwick-martin What is the current status of things with OCCAM? Is there someone actively developing? This issue seems pretty important: it would be great if someone who knows the codebase better than me would take a look at the PR and close this issue, and then review the codebase for other similar issues…
