[FIXED] Supersensitive XSS Filter Needs A Solution

Bug reports and enhancement requests
CodeFate
Posts: 2
Joined: Thu Nov 24, 2016 3:48 am

[FIXED] Supersensitive XSS Filter Needs A Solution

Post by CodeFate » Thu Nov 24, 2016 5:06 am

Hello,

So this problem has just recently come up with NoScript. I run a file host (called Obscured Files) which distributes the load to multiple nodes using sub-domains.

All of them run on the same domain, verified using the same HTTPS certificate. We have HSTS, CSP, and we even public-key-pin our certificate (though pinning is currently disabled for some updates).

Yet when a user now POSTs to the same domain (directed at an appropriate sub-domain), the XSS filter is triggered, trashing whatever the user was sending over and requiring them to re-upload with the unsafe reload button.

The console shows:

Code:

[NoScript XSS] Sanitized suspicious upload to [https://ace.obscuredfiles.com/index.php/upload/do_upload] from [https://obscuredfiles.com/]: transformed into a download-only GET request.


It was working yesterday. What changed?
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
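The console line above names a source page on obscuredfiles.com and an upload target on ace.obscuredfiles.com. Those two URLs share a site (the same registrable domain and the same certificate) but are different origins, which is exactly the kind of cross-origin POST a browser-side XSS filter inspects. The script below is an added illustration, not NoScript's code and not the actual decision logic of its filter (which is not on this page): it parses the quoted log line, extracts the two URLs, and reports whether they are same-origin, same-site but cross-origin, or cross-site. The log regex and the two-label approximation of "site" are assumptions; a production check would consult the Public Suffix List.

```python
"""Classify the source/target pair in a NoScript XSS console line by origin and site.

Added example only. The regex shape and the two-label "site" approximation are
assumptions; NoScript's real filter logic is not reproduced here.
"""
import re
from urllib.parse import urlsplit

# The console line quoted in the post, embedded here as the sample input.
LOG_LINE = (
    "[NoScript XSS] Sanitized suspicious upload to "
    "[https://ace.obscuredfiles.com/index.php/upload/do_upload] "
    "from [https://obscuredfiles.com/]: transformed into a download-only GET request."
)

# Assumed pattern: "... upload to [TARGET] from [SOURCE] ..."
LOG_RE = re.compile(r"upload to \[(?P<target>[^\]]+)\] from \[(?P<source>[^\]]+)\]")

DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_noscript_line(line):
    """Return (source_url, target_url) from a sanitizer console line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("source"), m.group("target")


def origin(url):
    """Web origin tuple: (scheme, host, effective port)."""
    p = urlsplit(url)
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def site(url):
    """Registrable domain, approximated as the last two DNS labels.

    Assumption for illustration: real code should use the Public Suffix List,
    otherwise hosts under multi-label suffixes such as co.uk are misgrouped.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(source_url, target_url):
    """Relationship between the page that sent the request and its destination."""
    if origin(source_url) == origin(target_url):
        return "same-origin"
    if site(source_url) == site(target_url):
        return "same-site, cross-origin"
    return "cross-site"


def classify_log_line(line):
    """Parse a console line and classify its source/target pair (None if unparsable)."""
    pair = parse_noscript_line(line)
    if pair is None:
        return None
    source_url, target_url = pair
    return classify(source_url, target_url)


if __name__ == "__main__":
    src, dst = parse_noscript_line(LOG_LINE)
    print("source origin:", origin(src))
    print("target origin:", origin(dst))
    print("relationship: ", classify(src, dst))
```

Running it on the quoted line reports "same-site, cross-origin": the subdomain split is what makes the upload look like a cross-origin POST to a browser-side filter, even though the certificate and HSTS/CSP configuration cover both hosts.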

dnolan
Posts: 9
Joined: Wed Nov 23, 2016 9:11 am

Re: Supersensitive XSS Filter Needs A Solution

Post by dnolan » Thu Nov 24, 2016 12:41 pm

See viewtopic.php?f=7&t=22296.

Perhaps a moderator could merge the threads, maybe with the title changed to "XSS false positive" or something to that effect. barbaz, what do you think?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

barbaz
Senior Member
Posts: 9448
Joined: Sat Aug 03, 2013 5:45 pm

Re: Supersensitive XSS Filter Needs A Solution

Post by barbaz » Thu Nov 24, 2016 2:37 pm

I think it's a different issue. That other thread is about XSS filter tripping from stuff entered into address bar and searchbar. This one is about a website being erroneously broken by NoScript.

CodeFate, what NoScript version are you using? If it's some 2.9.5 version, does downgrading NoScript to 2.9.0.14 let it work again?

Old NoScript @
https://addons.mozilla.org/addon/noscript/versions
*or*
https://noscript.net/feed?c=100&t=a
*Always* check the changelogs BEFORE updating that important software!
-

Giorgio Maone
Site Admin
Posts: 8803
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Supersensitive XSS Filter Needs A Solution

Post by Giorgio Maone » Thu Nov 24, 2016 7:38 pm

Please check latest development build 2.9.5.2rc1, thanks.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0

CodeFate
Posts: 2
Joined: Thu Nov 24, 2016 3:48 am

Re: Supersensitive XSS Filter Needs A Solution

Post by CodeFate » Thu Nov 24, 2016 11:20 pm

The release candidate, as well as downgrading, seems to fix the issue.

What is the candidate's ETA to the Mozilla store?
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36

barbaz
Senior Member
Posts: 9448
Joined: Sat Aug 03, 2013 5:45 pm

Re: Supersensitive XSS Filter Needs A Solution

Post by barbaz » Thu Nov 24, 2016 11:45 pm

*Always* check the changelogs BEFORE updating that important software!
-
