The issue described in the CERT advisory concerns sites which generate dynamic content from user input; for example, web discussion boards and guestbooks. Attackers can embed tags in this input, such as SCRIPT or FORM tags, that can run scripts on a client's system or compromise the security of their information. This can cause security issues even if the page is only visible to the user who appears to have given the input; attackers can include poisoned URLs in email or newsgroup messages or on other web sites. In some cases, the attacks can be made persistent with cookies.
All dynamic content providers need to be aware of this serious issue. All WebObjects developers should read the original CERT advisory, which can be found at: http://www.cert.org/advisories/CA-2000-02.html
WebObjects and Dynamic Content
By default, when an NSString is used to create a dynamic page, WebObjects escapes all special characters, including the "<" and ">" characters. For example, if a user entered the following HTML code into a WebObjects application:
Hello message board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.
WebObjects, when dynamically building a page with this input, would generate:
Hello message board. This is a message.
&lt;SCRIPT&gt;malicious code&lt;/SCRIPT&gt;
This is the end of my message.
Because the browser treats the escaped text as literal characters rather than as markup, this prevents the malicious code from executing.
However, WebObjects allows developers great flexibility, and some developers may have chosen to change this default behavior to allow users to enter valid HTML tags. If you have chosen to allow HTML tags in user input, your application will be vulnerable to this issue. In addition, static pages generated by your web server, such as the "404 Not Found" page, may be vulnerable to malicious tags. Contact your web server vendor for more information.
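The following is an added example, not WebObjects code and not part of the original note. It models the two behaviors described above: the default, in which every HTML-significant character in user input is replaced by an entity before the page is built, and the "allow HTML tags" configuration, in which the input is inserted verbatim. The function names, the escape table and the sample message are assumptions constructed for this example; the message mirrors the one shown above so the two outputs can be compared directly.

```python
import re

# Characters that have meaning in HTML and the entities that render them
# literally. '&' is included so that already-escaped text is shown as
# typed rather than being re-interpreted by the browser. (Constructed table.)
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def escape_html(text: str) -> str:
    """Replace each HTML-significant character with its entity in one pass."""
    return "".join(ESCAPES.get(ch, ch) for ch in text)


def render_message(user_input: str, allow_html: bool = False) -> str:
    """Build a dynamic page fragment from user input.

    allow_html=False mirrors the default described above: the input is
    escaped before it is placed in the page.  allow_html=True mirrors an
    application that has turned escaping off so users may type raw tags.
    """
    body = user_input if allow_html else escape_html(user_input)
    return '<div class="message">' + body + "</div>"


# Defender-side check: does the generated page still contain a live script
# tag after rendering?  Case-insensitive, tolerates whitespace after '<'.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(rendered_page: str) -> bool:
    """True if the rendered output would be parsed as containing a SCRIPT tag."""
    return SCRIPT_TAG.search(rendered_page) is not None


# Constructed sample input, the same shape as the message in the text above.
SAMPLE = (
    "Hello message board. This is a message.\n"
    "<SCRIPT>malicious code</SCRIPT>\n"
    "This is the end of my message."
)

if __name__ == "__main__":
    safe = render_message(SAMPLE)
    print(safe)
    print("script tag survives (default):", contains_script_tag(safe))
    unsafe = render_message(SAMPLE, allow_html=True)
    print(unsafe)
    print("script tag survives (HTML allowed):", contains_script_tag(unsafe))
```

Running the block shows the escaped fragment with `&lt;SCRIPT&gt;malicious code&lt;/SCRIPT&gt;` in place of the tag, and the check reports that only the `allow_html=True` rendering still carries a live SCRIPT tag. A check like `contains_script_tag` is a coarse smoke test, not a sanitizer; the reliable protection is the escaping step itself.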