This add GET-Parameters for xlrtrsettings in header.pl
http://git.ipfire.org/?p=people/jiweigert/ipfire-2.x.git;a=commit;h=b836edd0...
Hey,
I think the original intention to filter for POST requests is to prevent cross-site scripting issues. However, it is not a huge problem to create a POST request with JS.
I am still not convinced that we should remove this line. It makes XSS attacks more easy and therefore more dangerous.
For what exactly is this modification required?
-Michael
On Wed, 2013-04-24 at 18:22 +0200, Jörn-Ingo Weigert wrote:
This add GET-Parameters for xlrtrsettings in header.pl
http://git.ipfire.org/?p=people/jiweigert/ipfire-2.x.git;a=commit;h=b836edd0...
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
I'm not really happy about re-implementing basic Features of HTML via JS, just cause of a limited processing (and thats what this return if... is)
And as you know, Each method could be faked and just limiting on POST is just like putting a sign in front of fort knox sayin "There is no gold, bye".
Sure, if there is a better solution to only on GET and POST methods it would be great to implement
its for accessing GET-Params ;) which wont work otherwise, I used this for the section-switcher in the updxlrtr.
Kind regards,
Ingo Weigert
2013/4/25 Michael Tremer michael.tremer@ipfire.org
Hey,
I think the original intention to filter for POST requests is to prevent cross-site scripting issues. However, it is not a huge problem to create a POST request with JS.
I am still not convinced that we should remove this line. It makes XSS attacks more easy and therefore more dangerous.
For what exactly is this modification required?
-Michael
On Wed, 2013-04-24 at 18:22 +0200, Jörn-Ingo Weigert wrote:
This add GET-Parameters for xlrtrsettings in header.pl
http://git.ipfire.org/?p=people/jiweigert/ipfire-2.x.git;a=commit;h=b836edd0...
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
On Thu, 2013-04-25 at 13:55 +0200, Jörn-Ingo Weigert wrote:
I'm not really happy about re-implementing basic Features of HTML via JS, just cause of a limited processing (and thats what this return if... is)
No, it is a lot easier to make this kind of attack - without JS. All the JS interpreters in modern browsers have a restriction that they cannot send requests across different domains. That does not count for image URL, etc.
For example the following code would indeed work: <img src="https://192.168.1.1:444/cgi-bin/exploitable.cgi?blah=blubb" ...>
You cannot send POST requests that easy.
Sure, if there is a better solution to only on GET and POST methods it would be great to implement
My proposal would be to create a new function which only reads the query string and returns a hash array with all the attributes that you want to have. All the rest is ignored. For example:
# URL: https://192.168.1.1:444/cgi-bin/some.cgi?param1=123 my @values = ("param1"); my %hash = getquerystring(@values); print $hash{'param1'};
123
This leaves getcgihash untouched, so we don't create new problems here.
-Michael
-
Jörn-Ingo Weigert -
Michael Tremer