Opened 11 years ago

Closed 11 years ago

#674 closed Bug/Something is broken (fixed)

red accepts changes to fields that probably shouldn't be editable

Reported by: Daniel Kahn Gillmor
Owned by: Jamie McClelland
Priority: Urgent
Component: Tech
Keywords: red security
Cc:
Sensitive: no

Description

In #673, I was asking about how to reset the password for a mailing list through the member's control panel.

I just now got up enough courage to click the mysterious "submit" button on that form, and found a few interesting things. For one thing, red appears to accept arbitrary information in the list name, domain name, and list owner fields. These are normally hidden fields, but they are easily modifiable from the client side to be editable inputs.

I'm marking this as a security concern because it seems like it might be possible to reset the administrative password for any MF/PL mailing list through the member's control panel in this fashion.

As it stands now, it looks like I've just pushed red into a hard-error with my experimentation on the jrec-tech list.

Change History (3)

comment:1 Changed 11 years ago by Daniel Kahn Gillmor

Furthermore, the error message from the system triggering the hard error appears to be echoed without escaping to the HTML page. This could be a potential vector for an XSS attack.

comment:2 Changed 11 years ago by Jamie McClelland

Thanks dkg. I've confirmed this and am working on a fix right now.

comment:3 Changed 11 years ago by Jamie McClelland

Resolution: fixed
Status: new → closed

The ability for users to change arbitrary data before submitting has been fixed in changeset r211. The error messages not being properly escaped is fixed in changesets r213 and r215.

Thanks again for pointing out these holes. Please test and make sure my fixes did the trick.
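As an added illustration (not code from red, and not the changesets referenced above), the following Python sketch shows the two defensive patterns this ticket calls for: authorising the target list against server-side state instead of trusting hidden form fields, and escaping error text before it is placed in HTML. `MEMBER_LISTS`, the form keys and all function names are assumptions for the example; the ticket does not describe red's data model.

```python
import html

# Constructed sample data (assumption): which lists each authenticated
# member is allowed to administer. The real application would query this.
MEMBER_LISTS = {
    "alice": {("jrec-tech", "example.org")},
    "bob": {("newsletter", "example.net")},
}


class Forbidden(Exception):
    """Raised when a member targets a list they do not administer."""


def vulnerable_reset(session_user, form):
    """The pattern the ticket describes: hidden list/domain/owner fields are
    trusted exactly as submitted, so a client that edits them can target
    any list. Shown only for contrast; never do this."""
    return {"list": form["list"], "domain": form["domain"], "owner": form["owner"]}


def hardened_reset(session_user, form):
    """Hidden fields are treated as untrusted input: the requested target is
    checked against what the logged-in member may administer, and the owner
    comes from the session, not from the form."""
    target = (form.get("list", ""), form.get("domain", ""))
    allowed = MEMBER_LISTS.get(session_user, set())
    if target not in allowed:
        raise Forbidden(f"{session_user} may not administer {target[0]}@{target[1]}")
    return {"list": target[0], "domain": target[1], "owner": session_user}


def render_error(message):
    """Escape error text before embedding it in HTML, closing the reflected
    XSS vector described in comment:1 (attacker-controlled field values end
    up inside the error message)."""
    return '<p class="error">' + html.escape(message, quote=True) + "</p>"


def handle_request(session_user, form):
    """Request handler returning an HTML fragment for either outcome."""
    try:
        result = hardened_reset(session_user, form)
    except Forbidden as exc:
        return render_error(str(exc))
    return "<p>Password reset for {}@{}</p>".format(
        html.escape(result["list"]), html.escape(result["domain"])
    )
```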
