I don't understand how this becomes an XSS vulnerability, XSS attacks work by having malicious scripts executed by another user. Key word being 'another'. If this works (it gives me a 404) this is an example where you can XSS attack yourself, but there is no reasonable what to necessarily prevent this, and besides, you can't save people from themselves anyway. How do you escape what someone types into the address bar of a browser?
What happens on your site at /admin/index.php (.php?)? Does it allow this script (including the unescaped tags) to somehow be presented to another user for execution? If not, where is the XSS attack? Django, at least as of recent builds, escapes the tags when putting things into the DB and into templates. A typical example of an XSS attack path would be putting a script into a form field at a public site and having the next user to view that entry (blog, perhaps) getting the script back in a subsequent request and having it execute. Typically the script would then run and send any cookies to the attackers site (with login credentials for a bank or some such nonsense). Nothing that any application developer can do can prevent me from sending the current session cookie for my ebanking site to a known xss attack url. I have done some pretty extensive testing of the application security aspects of Django (by trade I am a security consultant) and find it to be very reasonably secure, provided sessions timeouts are set to a reasonable amount of time and cookies do not contain any information other than a session id. Both of which prevent allowing unauthorized access to someone's account after that user was the victim of XSS from another site. If you review any of the documentation regarding preventing XSS attacks, they all focus on escaping 'dirty' characters at the server, prior to database insertion or other processing for further presentation to other users. My advice: congratulate the security guru at your company, he obviously got through a few chapters of Jeremiah Grossman's book;), but then ask him to explain in detail the actual risk to your app or your users. hth, -richard On 5/7/08, mw <[EMAIL PROTECTED]> wrote: > > It worked for me and I have one of the fairly recent copies from SVN. > (not like today up to date, but pretty up to date) > > > > On May 7, 12:34 pm, "James Bennett" <[EMAIL PROTECTED]> wrote: > > On Wed, May 7, 2008 at 12:31 PM, Chunlei Wu <[EMAIL PROTECTED]> wrote: > > > /admin/index.php/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/ > > > > > I am surprised the passed javascript code is indeed executed. Can > > > somebody verify that? Is it a big threat? > > > > Which version of Django is this happening in? Automatic default > > escaping of template contents didn't start until after the 0.96 > > release... > > > > -- > > "Bureaucrat Conrad, you are technically correct -- the best kind of > > correct." > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---
