Miva, Miva Script, Miva Empresa, Miva Mia and Miva Merchant are registered trademarks of the Miva Corporation
 

http://mivo.truxoft.com

 

MIVA® SECURITY: Miva® and JavaScript™ risks

by Ivo Truxa, 03/06/2000

JavaScript and Java are trademarks of Sun Microsystems, Inc. All other product names are trademarks of their respective companies.

Most webmasters are aware of the security risks of ActiveX, VBScript and Java, but the vulnerability of JavaScript is often underestimated. Many JavaScript-related security holes and exploits have been discovered. Some browser versions have been fixed, but some of the vulnerabilities are still present in most of them.

Authorities like CERT or the BSI (Bundesamt für Sicherheit in der Informationstechnik = German Federal Office for Information Security), and even browser vendors, advise disabling JavaScript and other active scripting for secure browsing:
http://www.cert.org/advisories/CA-97.20.javascript.html
http://www.bsi.de/aktuell/presse/java99.htm (German)
http://www.microsoft.com/technet/security/bulletin/ms99-043.asp
http://www.heise.de/ct/00/03/064/ (German)


What is wrong with JavaScript?

A few things that can be done to you with JavaScript when you visit a malicious website (depending on your browser version and its security settings) or open HTML-formatted e-mail (depending on your e-mail client settings):

  • Snag your e-mail address
  • Kill your browser
  • Eat your system memory and performance
  • Shut down or power off your PC
  • Read your file structure or even files
  • Use your PC as an e-mail relay - send e-mails in your name
  • Find your installed plug-ins
  • Get your IP address
  • ... and probably much more

JavaScript can also be used to inject malicious code into improperly written websites (e.g. HotMail); this class of flaw is now known as cross-site scripting. A user can enter code that runs in other visitors' browsers, hijacks entire pages, or grabs users' passwords, personal information or data stored in cookies.
http://www.cert.org/advisories/CA-2000-02.html


Miva and JavaScript

JavaScript makes writing dynamic HTML pages with Miva easier, but you should always try to keep your website working even for visitors who have disabled active scripting.

Miva programmers know, or should know, that the value of any variable that can be submitted or changed by a user must never be used in a macro without the :entities encoding. This is described in the Miva Script Reference Manual, which explains that MvEVAL should be preferred. An inexperienced Miva user could easily conclude from this that using MvEVAL is perfectly safe. Unfortunately, that only covers injected Miva Script tags: MvEVAL keeps the Miva engine from re-interpreting the value, but the browser still parses whatever is sent to it, so injected HTML tags (including JavaScript) are executed on the visitor's side. All user-accessible variables should always be converted or displayed with the encodeentities() function!

Have a look at the following example of bad programming. Instead of
<MvEVAL EXPR="{encodeentities(txt)}"> I use plain
<MvEVAL EXPR="{txt}">. Submit injected JavaScript in the form below to see that it works.

User text:



How can it be abused?

Malicious code can be inserted into any message, name, address or other submitted text. If the text is publicly displayed on your website (e.g. on a message board), a user can submit code that attacks other visitors. He can also attack the administrator. Some programmers take less care about security on their own password-protected administrator pages, because they believe these pages are well hidden and protected from the users. Unfortunately they forget that the pages can easily be attacked through the user data they display.

A separate article about other methods of injecting code into your pages or databases will be posted here soon.



copyright  truXoft  © 1997-2008