Problem/Motivation

From the original report by @mr.baileys:

The authcache_ajax submodule seems to have a security vulnerability in that it accepts/trusts any element with class "authcache-ajax-frag" and a "data-authcache-ajax-src", and will gladly load whatever is specified in the "data-authcache-ajax-src". For example, a malicious user can add the following snippet to regular content:

<a href="#" class="authcache-ajax-frag" data-authcache-ajax-src='/CHANGELOG.txt'>inject changelog</a>

which will inject the site's changelog into the content. Users can also embed external URLs this way, including external content, although this is mitigated by the fact that modern browsers will block cross-domain requests.

Proposed resolution

Do not write the front-controller URL into the markup but instead as a setting.
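As an added illustration of the pattern the report describes and of the proposed resolution (this is not Authcache's own code): the vulnerable lookup takes the fetch URL straight from the markup, while the hardened lookup takes the front-controller URL from a server-supplied setting and lets markup name only a fragment id. The plain-object elements, the Drupal.settings key, the data attribute name and the fragment-id format are assumptions.

```javascript
// Elements are modelled as plain objects ({className, dataset}) so this runs
// without a DOM; in the browser they would be the nodes matched by the selector.
function hasFragClass(el) {
  return el.className.split(/\s+/).includes('authcache-ajax-frag');
}

// Vulnerable pattern: the URL to load is read verbatim from the markup, so
// anyone who can place an element with the class and data attribute in content
// decides what the page fetches (e.g. /CHANGELOG.txt from the report).
function collectFragmentUrlsFromMarkup(elements) {
  return elements
    .filter(hasFragClass)
    .map(el => el.dataset.authcacheAjaxSrc)
    .filter(Boolean);
}

// Hardened pattern: the front-controller URL comes from a setting the server
// emits (assumed key Drupal.settings.authcacheAjax.frontController); markup may
// only carry a fragment id, which is validated and passed as a query value.
const settings = { authcacheAjax: { frontController: '/authcache-ajax-frag' } };

function buildFragmentUrls(elements, frontController) {
  const urls = [];
  for (const el of elements) {
    if (!hasFragClass(el)) continue;
    const id = el.dataset.authcacheAjaxFrag;
    // Whitelist the id shape (assumed format); anything else is dropped, not fetched.
    if (typeof id !== 'string' || !/^[a-z0-9_-]{1,64}$/i.test(id)) continue;
    urls.push(frontController + '?frag=' + encodeURIComponent(id));
  }
  return urls;
}

// Constructed sample content: one legitimate fragment, the attacker-controlled
// element from the report, and an element trying to smuggle a path as an id.
const sampleElements = [
  { className: 'authcache-ajax-frag',
    dataset: { authcacheAjaxFrag: 'user_menu',
               authcacheAjaxSrc: '/authcache-ajax-frag?frag=user_menu' } },
  { className: 'authcache-ajax-frag', dataset: { authcacheAjaxSrc: '/CHANGELOG.txt' } },
  { className: 'authcache-ajax-frag', dataset: { authcacheAjaxFrag: '../CHANGELOG.txt' } },
];
```

With the sample content the vulnerable collector returns the changelog URL, while the hardened builder yields only `/authcache-ajax-frag?frag=user_menu`.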

Remaining tasks

None.

User interface changes

None.

API changes

Authcache Ajax markup changed; sites overriding the default markup need to reproduce the changes.

Data model changes

None.

Comments

  • znerol committed 69f861b on 7.x-2.x
    Issue #2537484 by mr.baileys, znerol: XSS vulnerability in Authcache...
znerol

Issue summary: View changes
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.