VaultWiki.org is the home of VaultWiki, a wiki add-on for vBulletin and XenForo that lets a site's existing forum users collaborate on creating and managing its content pages.
    How to Be a Smart Wiki Editor

by pegasus, November 3, 2015 at 9:42 AM
    Templates are a very powerful tool for building pages out of multiple parts; however, interchanging parts that have different access permissions, without thinking it through, can have serious implications for the security of your final wiki page.

    VaultWiki does its best to clean user inputs in template arguments and to sandbox the permissions in nested templates. However, wiki editors should be aware that careless use of templates in privileged environments can still allow the creation of new security vulnerabilities by the editor.

For example, suppose we have a template "Public Template" that any user can edit, but which does not allow HTML, and a page "Admin Page" that only admins can edit, but which does allow HTML.

If the editor of "Admin Page" is careless about where "Public Template" is embedded, the content of "Public Template" can end up running in the privileged context of "Admin Page", even though the template itself was sandboxed.

    Why this is the Editor's Responsibility

For other security reasons, and to permit other legitimate usages, the sandbox for "Public Template" cannot consider the outside context in which the template is used: it only sees the template's own content, not whether that content will land inside a tag, an attribute, or a script. Thus VaultWiki cannot be made to detect and pre-empt bad usages of the following types. It is therefore the responsibility of the editor of "Admin Page" not to create the following vulnerabilities.

    User-created Attribute Vulnerability

    Here's an example of bad "Admin Page" code:
    Code:
    <div [template]Public Template[/template] class="myDivStyles"></div>
In this case, an editor of "Public Template" can add an onclick attribute (and therefore JavaScript) to your div without ever writing an HTML tag themselves, so the template's no-HTML rule is never triggered: the angle brackets that make the output a tag come from the trusted "Admin Page", not from the template.

    User-created Tag Vulnerability

    Here's another example of bad "Admin Page" code:
    Code:
    <[template]Public Template|el=div[/template]>
    [template]Public Div Content Template[/template]
    </[template]Public Template|el=div[/template]>
    This is a simplified example, but let's say the editor of "Admin Page" expects the following content for "Public Template":
    Code:
    {{{el}}} class="myDivStyles"
    And the following content for "Public Div Content Template":
    Code:
    Text that goes in my div.
    Since both of these templates are public, they can be edited like so. For "Public Template":
    Code:
    script
    For "Public Div Content Template":
    Code:
alert('I just exploited a vulnerability!');

The rendered "Admin Page" is now a complete script element, alert and all. Neither template contained an HTML tag, so neither was blocked; the untrusted content only supplied the tag name and the script body, and the trusted page supplied the angle brackets around them.

    User-created Javascript Vulnerability

    Here's an example of bad "Admin Page" code:
    Code:
    <script>
    var myScriptVar = 'Div Title';
    var myScriptVar2 = '[template]Public Template[/template]';
    
    var myDiv = document.createElement('div');
    myDiv.setAttribute('title', myScriptVar);
    myDiv.innerHTML = myScriptVar2;
    </script>
It is understandable that the editor wants to create a new DIV dynamically and fill it with the content of "Public Template", but by placing the template inside a JavaScript string literal they have given editors of "Public Template" access to a JavaScript scope on this page. A single quote is not HTML, so the sandbox lets it through, and it terminates the string literal. Example "Public Template":
    Code:
    '; alert('I just exploited a vulnerability!'); '
    While the example above uses a SCRIPT tag, you should also be careful with IFRAME, OBJECT, APPLET, and other such tags.
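To make the three patterns above concrete, here is an added example that is not part of the original post or of VaultWiki's code: a toy template renderer that reproduces each bad "Admin Page" next to a safe rewrite, with a crude detector for the resulting active content. The sandbox policy (modelled as "neutralise angle brackets"), the function names and the sample page sources are assumptions made for this demonstration; VaultWiki's real filtering is not shown.

```javascript
// Added example, not VaultWiki's code: a toy renderer that reproduces the
// three bad "Admin Page" patterns from this post next to a safe rewrite of
// each, and shows why sandboxing "Public Template" (modelled here as "no HTML
// allowed") cannot help once the admin page puts the template's output where
// the browser reads it as markup or script. The sandbox policy, the function
// names and the sample sources are assumptions made for this demonstration.

// Assumed sandbox: neutralise angle brackets so a template can never
// introduce a tag on its own. (VaultWiki's real filtering is not shown here.)
function sandboxNoHtml(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Toy expansion of [template]Name|arg=value[/template]: fill {{{arg}}}
// placeholders from the arguments, then sandbox the whole template output.
function renderPage(pageSource, templates) {
  const tagRe = /\[template\]([^|\]]+)(?:\|([^\]]*))?\[\/template\]/g;
  return pageSource.replace(tagRe, (_m, name, argStr) => {
    let body = templates[name.trim()] ?? "";
    for (const pair of (argStr ?? "").split("|").filter(Boolean)) {
      const eq = pair.indexOf("=");
      if (eq < 0) continue; // arguments are key=value pairs
      const key = pair.slice(0, eq).trim();
      body = body.split("{{{" + key + "}}}").join(pair.slice(eq + 1));
    }
    return sandboxNoHtml(body);
  });
}

// Crude check of the rendered HTML for the two outcomes the post describes:
// an event-handler attribute on some tag, or a call that sits in code
// position inside a <script> body (either a whole injected script element or
// a payload that closed a single-quoted string literal).
function activeContent(html) {
  const findings = [];
  if (/<[a-z][^>]*\son[a-z]+\s*=/i.test(html)) findings.push("event-handler attribute");
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const code = m[1].replace(/'[^'\n]*'/g, "''"); // blank out string literals
    if (/\balert\(/.test(code)) findings.push("script in code position");
  }
  return findings;
}

// Constructed cases: what the public editor writes, the bad admin page from
// the post, and a rewrite that only ever places the template output in text
// position (element content), where the sandbox's guarantee actually holds.
const PAYLOAD = "alert('I just exploited a vulnerability!')";
const cases = [
  {
    name: "attribute",
    templates: { "Public Template": 'onclick="' + PAYLOAD + '"' },
    unsafe: '<div [template]Public Template[/template] class="myDivStyles"></div>',
    safe: '<div class="myDivStyles">[template]Public Template[/template]</div>',
  },
  {
    name: "tag",
    templates: { "Public Template": "script", "Public Div Content Template": PAYLOAD + ";" },
    unsafe: "<[template]Public Template|el=div[/template]>\n" +
      "[template]Public Div Content Template[/template]\n" +
      "</[template]Public Template|el=div[/template]>",
    safe: '<div class="myDivStyles">[template]Public Div Content Template[/template]</div>',
  },
  {
    name: "script",
    templates: { "Public Template": "'; " + PAYLOAD + "; '" },
    unsafe: "<script>\nvar myScriptVar2 = '[template]Public Template[/template]';\n" +
      "var myDiv = document.createElement('div');\nmyDiv.innerHTML = myScriptVar2;\n</script>",
    // Hand the text to the script through the DOM instead of a string literal.
    safe: '<div id="tplOut" hidden>[template]Public Template[/template]</div>\n' +
      "<script>\nvar myScriptVar2 = document.getElementById('tplOut').textContent;\n" +
      "var myDiv = document.createElement('div');\nmyDiv.textContent = myScriptVar2;\n</script>",
  },
];

// Returns, per case, the findings for the bad page and for its safe rewrite.
function evaluateCases() {
  return cases.map((c) => ({
    name: c.name,
    unsafe: activeContent(renderPage(c.unsafe, c.templates)),
    safe: activeContent(renderPage(c.safe, c.templates)),
  }));
}

// Control: in text position the sandbox does its job even against real HTML.
function sandboxHoldsInTextPosition() {
  const templates = { "Public Template": "<script>" + PAYLOAD + "</script>" };
  return activeContent(renderPage("<div>[template]Public Template[/template]</div>", templates));
}

for (const r of evaluateCases()) {
  console.log(r.name + ": bad page -> " + JSON.stringify(r.unsafe) + ", safe page -> " + JSON.stringify(r.safe));
}
console.log("control (sandbox, text position): " + JSON.stringify(sandboxHoldsInTextPosition()));
```

Run with `node`. Each bad page reports active content while its rewrite reports none, and the control shows that a template containing a real script tag is neutralised when it lands in text position. The point of the rewrites is the same in all three cases: the template's output is only ever placed as element content, never as a tag name, an attribute, or part of a script literal, so the sandbox's "no HTML" guarantee is the only one the page relies on.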

    Conclusion

In conclusion, if you have HTML privileges, be responsible and do not place templates in foolish places. The rule of thumb is simple: a template that less-privileged users can edit should only ever appear where its output will be treated as text (the content of an element), never as a tag name, as part of a tag's attributes, or inside a script. These rules apply not only to the outside page, but also when you nest multiple templates.


    Updated November 4, 2015 at 7:48 AM by pegasus
