FS#46259 - JSONP vulnerabilities in the rpc.php script

Attached to Project: AUR web interface
Opened by felix (fstirlitz) - Friday, 11 September 2015, 14:31 GMT
Last edited by Lukas Fleischer (lfleischer) - Saturday, 03 October 2015, 07:59 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version 4.0.0-rc6
Due in Version 4.1.0
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The JSON endpoint at /rpc.php allows arbitrary strings to be used as the JSONP callback name. This could be exploited by an XSS attack (executing arbitrary JavaScript on behalf of aur.archlinux.org), or by a content-sniffing attack like <https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/>.

Closed by Lukas Fleischer (lfleischer)
Saturday, 03 October 2015, 07:59 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 4.1.0.
Comment by Lukas Fleischer (lfleischer) - Saturday, 12 September 2015, 07:35 GMT
Looking at the logs, the JSONP callback feature doesn't seem to be used a lot (there is just one user). So we have two options:

1. Remove that feature altogether.
2. Restrict the callback name to a certain character set and a certain sensible length. Also add the "/**/" workaround described in the article.
Comment by Lukas Fleischer (lfleischer) - Saturday, 12 September 2015, 08:23 GMT
Went with the second option for now, we can still think about removing the feature later. Thanks for reporting this!
Comment by saravanan (saravanan) - Saturday, 24 October 2015, 05:52 GMT
After this fix, JSONP callbacks with an underscore started reporting an error.
e.g. https://aur.archlinux.org/rpc.php?type=search&arg=foobar&callback=foo_bar gives the error as
{"version":1,"type":"error","resultcount":0,"results":"Invalid callback name."}

Maybe adding underscore to the regex pattern in file /lib/aurjson.class.php, line no. 122, will fix this.
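The following is an added example, not the AUR project's own code (lib/aurjson.class.php is not reproduced on this page). It shows the pre-fix behaviour described in the report (the callback string is interpolated verbatim into the response body) next to a hardened version that applies the two mitigations from Lukas Fleischer's comment: restrict the callback to a fixed character set and length, and prefix the body with "/**/" so the response can no longer start with a crafted byte sequence such as the "CWS" Flash header used by the Rosetta Flash technique. The regex (a JavaScript identifier with underscore and dollar, optionally dotted), the 64-character cap, the content types and the sample payload are assumptions chosen for this example, not the values used by the AUR fix; the regex does accept the underscore callback from the last comment.

```python
import json
import re

# Assumed callback rule for this example (not the AUR pattern): a JavaScript
# identifier, optionally dotted (e.g. "jQuery123.cb"), at most 64 characters.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64

# Constructed sample payload shaped like an empty rpc.php search result.
SAMPLE_RESULT = {"version": 1, "type": "search", "resultcount": 0, "results": []}

# Error document in the format the tracker comment shows for a rejected callback.
INVALID_CALLBACK_ERROR = {
    "version": 1, "type": "error", "resultcount": 0,
    "results": "Invalid callback name.",
}


def to_json(obj):
    # Compact separators so the output matches the quoted error line exactly.
    return json.dumps(obj, separators=(",", ":"))


def render_jsonp_unsafe(payload, callback):
    """Pre-fix behaviour: whatever the client sent becomes the start of the body.

    A callback of 'alert(1);//' yields 'alert(1);//({...})', and one that starts
    with 'CWS' yields a body a plugin may sniff as a Flash file.
    """
    return callback + "(" + to_json(payload) + ")"


def validate_callback(callback):
    """Accept only short, identifier-like callback names."""
    if callback is None or len(callback) > MAX_CALLBACK_LEN:
        return False
    return CALLBACK_RE.fullmatch(callback) is not None


def render_rpc_response(payload, callback=None):
    """Hardened handler. Returns (content_type, body).

    Plain JSON when no callback is given; an error document when the callback
    fails validation; otherwise a JSONP body prefixed with '/**/' so the first
    bytes are fixed by the server rather than chosen by the client.
    """
    if callback is None:
        return "application/json", to_json(payload)
    if not validate_callback(callback):
        return "application/json", to_json(INVALID_CALLBACK_ERROR)
    body = "/**/" + callback + "(" + to_json(payload) + ")"
    return "text/javascript", body


if __name__ == "__main__":
    for cb in ["foo_bar", "alert(1);//", "CWSAAAAAAAAA", "a" * 65]:
        print(repr(cb), "->", render_rpc_response(SAMPLE_RESULT, cb))
```

The "/**/" prefix is only a defence against content sniffing; the real fix is the whitelist, since a callback that passes it cannot contain parentheses, semicolons, quotes or comment markers and therefore cannot change what the one function call does.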
