Persistent XSS on Zoho Creator
Hi,
My name is Petko D. Petkov, pdp (architect); and I am currently maintaining GNUCITIZEN group at http://www.gnucitizen.org. I am really enjoying your service so far and I have implemented several security mashups on the top of it.
While playing with your Zoho Creator service, I discovered that you do not properly sanitize special meta characters. This results in persistent XSS on your site, which can easily be turned into an XSS worm.
Here is a demonstration of the bug:
http://creator.zoho.com/pdp/xssdb/view/1/
http://creator.zoho.com/pdp/view/1/record/40468000000007003/
Please do not destroy the database, it is currently in use. Let me know as soon as you verify the bug so we can remove the malicious entries.
The fix is quite simple. Every time you display something, make sure that you use XML entities for the XML-specific meta characters such as > and <. You can substitute them with &gt; and &lt;. A similar approach applies in cases where the user-supplied data resides inside element attributes, although there you have to take care of " (double) or ' (single) quotes as well, depending on whether you use double-quote or single-quote enclosed element attributes.
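As an added illustration of the fix described above (example code, not Zoho's own), here is a context-aware output encoder: one function for element content and one for attribute values that also encodes whichever quote character encloses the attribute. The record values are constructed sample input.

```javascript
// Added example: context-aware output encoding for stored user data that is
// rendered back into a page. Not Zoho's code; the record below is constructed.

// Characters that are meaningful in element content and in attribute values.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Element content: a single pass over & < > so & is never double-encoded.
function escapeText(value) {
  return String(value).replace(/[&<>]/g, ch => ENTITIES[ch]);
}

// Attribute values: additionally encode the quote character that encloses
// the attribute. `quote` must match the quoting used in the template.
function escapeAttr(value, quote = '"') {
  if (quote !== '"' && quote !== "'") throw new Error('quote must be " or \'');
  const pattern = quote === '"' ? /[&<>"]/g : /[&<>']/g;
  return String(value).replace(pattern, ch => ENTITIES[ch]);
}

// Render one stored record as a table row, encoding each value for the
// context it lands in (double-quoted attribute, single-quoted attribute, text).
function renderRecord(record) {
  return '<tr id="' + escapeAttr(record.id) + '">' +
         "<td title='" + escapeAttr(record.title, "'") + "'>" +
         escapeText(record.title) + '</td>' +
         '<td>' + escapeText(record.body) + '</td></tr>';
}

// Constructed sample record containing the meta characters the fix must neutralize.
const sampleRecord = {
  id: 'rec-1"><b>x</b>',
  title: "It's <b>bold</b>",
  body: 'a < b && c > d',
};

console.log(renderRecord(sampleRecord));
```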
It is also recommended that you implement a captcha-like component that we can use as part of the Zoho forms. This feature will prevent bulk insertion attacks. Right now, everyone can abuse your forms. Users can still moderate their forms, but the administrative overhead could become too much, especially in situations where the database in use is quite large. If you make the captcha component optional, that will be great.
One additional question that I need to ask is about your business model. The truth is that Zoho provides a good service, but I cannot see what your business model is. Are you planning to implement ads in the future? It is important that your users understand how your service may mutate in the future.
Thanks,
pdp
pdp.gnucitizen