Basecamp security flaw or not?

Posted in Applications, Blogging, Internet. 3 comments on this post so far

I absolutely don’t know how much this affects Basecamp’s security, or whether it is really an exploitable issue, but a colleague of mine (Andy) noticed today that it is possible to add HTML to to-do items in Basecamp.

For example, if we add the following to-do item to Basecamp, we actually end up with a standard HTML button, as the screenshot below shows.

<button> hello world
[Screenshot: basecampHTML1]

What’s the fuss all about, you’d say … well, then I tried adding some JavaScript to the button, and that too was saved to the to-do item and worked as one would expect. I added the following code as a to-do item and saved it; the result can be seen in the screenshot.

<button onclick="alert(document.cookie)"> hello world
[Screenshot: basecampHTML2]

I honestly don’t know if this is a big security issue, since I’m not a JavaScript security expert, but if you ask me this is open for abuse. I would at least have expected some tags to be encoded into their HTML entities, or the JavaScript to be stripped altogether. Does anyone have an idea on this?
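As an added illustration (not code from the original post, nor from Basecamp or 37signals), here are the two rendering policies the post and the comments below argue over, side by side: entity-encoding the to-do text so the browser shows it literally, versus passing HTML through for trusted collaborators. The `containsActiveContent` check is an assumed, deliberately coarse heuristic meant for flagging items in an audit log; it is not a sanitizer and should not be relied on as one.

```javascript
// Added example, not from the original post or from Basecamp itself.
// Policy A: escape everything (what a public-facing app needs).
// Policy B: pass HTML through for trusted collaborators, but flag items
// that carry script-capable markup so someone can review them.

const ENTITY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// HTML-entity-encode user text so the browser renders it as text,
// never as markup. The ampersand must be encoded too, or an attacker
// could smuggle entities through.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Assumed heuristic for audit purposes only: does the text contain
// markup that can execute script? Expect some false positives (e.g. a
// word ending in "on" followed by "=") and do not treat a miss as safe.
const ACTIVE_CONTENT = [
  /<\s*script\b/i,                 // <script>
  /\son[a-z]+\s*=/i,               // onclick=, onload=, ...
  /javascript\s*:/i,               // javascript: URLs in href/src
  /<\s*(iframe|object|embed)\b/i,  // embedding elements
];

function containsActiveContent(text) {
  return ACTIVE_CONTENT.some((re) => re.test(String(text)));
}

// Render a to-do item under one of the two policies.
// Returns { html, flagged } so the caller can log flagged items either way.
function renderTodo(text, { trustedHtml = false } = {}) {
  const flagged = containsActiveContent(text);
  const html = trustedHtml ? String(text) : escapeHtml(text);
  return { html, flagged };
}

// Constructed sample input: the exact to-do item from the post above.
const SAMPLE = '<button onclick="alert(document.cookie)"> hello world';

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(renderTodo(SAMPLE));                       // escaped, flagged: true
  console.log(renderTodo(SAMPLE, { trustedHtml: true })); // passed through, flagged: true
}
```

Under policy A the item renders as the literal text `<button onclick="alert(document.cookie)"> hello world`; under policy B it becomes a working button, which is exactly the behaviour the screenshots show, so the `flagged` field is the only signal an operator gets that script-capable markup went in.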


Comments

  1. Wed 15 Nov

    Interesting discovery.
    I wonder what the verdict will be…
    Can 37signals blunder? Are they human after all? :-)
    I digg’d this article: http://digg.com/programming/Do.....urity_flaw
    Maybe one of the countless digg’ers can clear this out.

    regards,

    Johan

    23:45
  2. Mon 05 Nov

    Nice discovery, but how can I apply it?

    21:26
  3. Thu 15 Nov
    DHH said:

    This is intentional design. Basecamp is made for collaboration between trusted parties. Lots of our customers are very happy that they can use HTML in their messages and other content and would loathe us to take that away.

    This is different from, say, a public forum where you’re most certainly not dealing with trusted parties. Applications like that need to escape HTML.

    17:52
