Problem: FeedsProcessor::createLogMessage() copies user-provided content from entities and Feeds items unsanitized to the log. An attacker can supply a feed with malicious content which can trigger XSS exploits in the admin interface when a View of Feeds log messages is configured.
Proposed solutions: separate the log message from user-provided variables to prevent XSS attacks.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | feeds-log-xss-2502419-1.patch | 1.6 KB | klausi |
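The pattern described in the summary, as an added illustration that is not the Feeds module's own code nor the attached patch: a log message that concatenates item data into the message string, next to the placeholder-based form the issue proposes. It assumes Drupal 7's format_string()/check_plain() semantics and logs through core watchdog() for illustration; the sample item is constructed.

```php
<?php
// Added illustration (not Feeds code). Assumes Drupal 7: watchdog(),
// format_string() and check_plain() exist with their core semantics.

// Constructed sample feed item: the title is attacker-controlled.
$item = array(
  'title' => '<script>alert(1)</script>',
  'guid'  => 'constructed-guid-1',
);
$entity_type  = 'node';
$message_type = 'feeds';

// Vulnerable pattern: user content is interpolated into the message itself.
// A Views display of the log table treats the whole message as trusted text,
// so the markup inside the title is rendered, not escaped.
function create_log_message_unsafe(array $item, $entity_type) {
  $message = 'Could not import ' . $entity_type . ' item "' . $item['title']
    . '" (guid: ' . $item['guid'] . ').';
  return array('message' => $message, 'variables' => array());
}

// Hardened pattern: the message is a fixed string with placeholders and the
// user-provided values travel separately. "@" placeholders are passed through
// check_plain() when the message is formatted, so the script tag is shown as
// text rather than executed.
function create_log_message_safe(array $item, $entity_type) {
  $message = 'Could not import @type item "@title" (guid: @guid).';
  $variables = array(
    '@type'  => $entity_type,
    '@title' => $item['title'],
    '@guid'  => $item['guid'],
  );
  return array('message' => $message, 'variables' => $variables);
}

$safe = create_log_message_safe($item, $entity_type);

// watchdog() stores message and variables in separate columns; dblog and
// Views later combine them with format_string(), escaping @ placeholders.
watchdog($message_type, $safe['message'], $safe['variables'], WATCHDOG_WARNING);

// What the admin sees once formatted: the title arrives HTML-escaped.
// Could not import node item "&lt;script&gt;alert(1)&lt;/script&gt;" (guid: constructed-guid-1).
print format_string($safe['message'], $safe['variables']);
```

Rows written before the fix still hold raw markup in the message column, which is why a separate data update (as in comment #2) is needed alongside the code change.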
Comments
Comment #1
klausi: Patch attached.
Comment #2
klausi: Oh and I used this update function to get rid of potentially malicious log messages in the DB:
Not sure if this is the right approach for Feeds, so I implemented this in a custom recruiter module for now.
Comment #3
MegaChriz commented: In #1953008: PHP Fatal error: Nesting level too deep - recursive dependency? in FeedsProcessor.inc on line 199 there is a patch that also fixes security issues for the log message. I haven't checked yet if it also fixes the whole problem described here, so maybe the two solutions need to be merged.
Comment #4
MegaChriz commented
Comment #6
twistor commented: I've committed the simplest fix for this for alpha-9, which is just going to be a collection of security patches. We can continue the proper fix in other issues.