
Re: dojo / CVE-2018-6561



Hi Brian

I tend to agree with your analysis.

Source edit mode seems to be a separate module.
https://dojotoolkit.org/reference-guide/1.10/dijit/_editor/plugins/ViewSource.html

I do not know whether that one is included or not.
According to that module page it has filtering support to filter out
such things to avoid XSS attacks.

I agree with you that the server side that the data is posted to also
needs to do validation of the contents, as you cannot trust a client-side
security check.
I think we can mark this as ignored, as this is more of a minor security problem.

Best regards

// Ola

On 6 February 2018 at 08:31, Brian May <brian@linuxpenguins.xyz> wrote:
> Hello All,
>
> Looking at
> https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md:
>
> The complaint appears to be: If I directly enter HTML into the
> JavaScript editor using its source mode, I can enter HTML code that
> contains JavaScript code, which could lead to an XSS attack.
>
> I tried to reproduce this with the same online editor:
> http://demos.dojotoolkit.org/demos/editor/demo.html
>
> However I seem to be unable to find the source mode button.
>
> Let's just assume this complaint is reproducible.
>
> This is a JavaScript application, designed to run entirely - I believe -
> in the browser. Hence even if the JavaScript application filtered
> dangerous HTML text, the fact remains it is still possible for the user
> to override the data submitted and still create XSS attacks.
>
> Hence I believe the only solution for this security bug is that the
> server the data is being submitted to must sanitise the HTML to ensure
> it is safe (and should already be doing so).
>
> While this might be a bug, I don't believe the failure of a JavaScript
> library to validate input is a *security* *bug*, as the server should be
> doing this.
>
> Any comments?
>
> Regards
> --
> Brian May <brian@linuxpenguins.xyz>
> https://linuxpenguins.xyz/brian/
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------