U4-9134 - XSS security issue in the grid

Created by Claus Jensen 01 Nov 2016, 10:54:49 Updated by Arnold Visser 08 Dec 2016, 13:03:19

The grid currently doesn't do input validation for the default configuration option "class".

This allows an editor to inject a script anywhere they have access to edit content using the default grid renderer. Tricking a logged-in administrator into visiting the compromised page then allows any action in the backoffice to be performed on behalf of the administrator (such as escalating access permissions for another user).
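As an added illustration (not Umbraco's code and not the TemplateUtilities method from the fix), the snippet below shows the two shapes of the problem: a renderer that writes the editor-controlled "class" value straight into an attribute, and a hardened version that allowlists CSS class tokens and attribute-encodes the result. GridClassSanitizer, SanitizeCssClass and the sample value are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper, not Umbraco's TemplateUtilities: a grid renderer must
// treat the editor-supplied "class" config value as data, never as markup.
public static class GridClassSanitizer
{
    // One CSS class token: optional leading '-', a letter or underscore,
    // then letters, digits, '-' or '_'. Anything else is rejected outright.
    private static readonly Regex ClassToken =
        new Regex(@"^-?[_a-zA-Z][_a-zA-Z0-9-]*$", RegexOptions.Compiled);

    // Keep only well-formed tokens from a whitespace-separated class list.
    public static string SanitizeCssClass(string rawClass)
    {
        if (string.IsNullOrWhiteSpace(rawClass)) return string.Empty;
        var safeTokens = rawClass
            .Split(new[] { ' ', '\t', '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries)
            .Where(token => ClassToken.IsMatch(token));
        return string.Join(" ", safeTokens);
    }

    // Vulnerable shape described in the issue: the raw config value lands in
    // the attribute unvalidated, so a quote in the value ends the attribute.
    public static string RenderRowUnsafe(string rowClass)
        => "<div class=\"" + rowClass + "\">";

    // Hardened shape: allowlist the tokens, then attribute-encode the result
    // so nothing that survives can terminate the attribute or the tag.
    public static string RenderRowSafe(string rowClass)
        => "<div class=\"" + WebUtility.HtmlEncode(SanitizeCssClass(rowClass)) + "\">";

    public static void Main()
    {
        // Constructed sample of a malicious editor-supplied "class" value.
        const string injected = "col-md-6 x\"><script>alert(1)</script>";
        Console.WriteLine(RenderRowUnsafe(injected)); // script element reaches the page
        Console.WriteLine(RenderRowSafe(injected));   // <div class="col-md-6">
    }
}
```

The second token fails the allowlist and is dropped entirely, so only `col-md-6` is rendered; encoding the remainder is defence in depth should the allowlist ever be loosened.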

Comments

Claus Jensen 08 Nov 2016, 09:09:09

Found a few more places where it could be a problem. Fixed those too.

  • Exposing the XSS clean method on TemplateUtilities.
  • Making the clean XSS string extensions public instead of internal.
  • Ensuring the included grid renderers clean for XSS.
  • Ensuring the included grid editors that use Html.Raw with the value directly clean for XSS.

Note: this one ''really'' isn't necessary, since the razor renderer takes care of it, but then again... it doesn't really hurt to be completely sure and also shows good practice if anyone is using the templates as base for something else where the razor renderer checks are worked around. https://github.com/umbraco/Umbraco-CMS/commit/8bb069e996a452b2dd4fa016bca32c3ec6d933cc#diff-3215c52199fb2398f586f17d71066e82R19

Note 2: decided to make this one public as it will allow other people to use it without having to implement something from scratch... no need to keep this internal ;) https://github.com/umbraco/Umbraco-CMS/commit/8bb069e996a452b2dd4fa016bca32c3ec6d933cc#diff-8aba4e505340b4949bce3c75076b8fedR187

'''PR here: https://github.com/umbraco/Umbraco-CMS/pull/1610'''


Sebastiaan Janssen 15 Nov 2016, 10:33:44

Left some comments for you to look at on the PR!


Claus Jensen 15 Nov 2016, 11:18:46

Updated PR with changes from comments :)


Arnold Visser 08 Dec 2016, 13:03:19

@claus @sebastiaan this seems to be causing unwanted (breaking) side effects: http://issues.umbraco.org/issue/U4-9262


Priority: Critical

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.2.0, 7.3.0, 7.4.0, 7.5.3, 7.5.4

Due in version: 7.5.5

Sprint: Sprint 46

Story Points: 1

Cycle: