incubator-jspwiki-dev mailing list archives

From "Cristian Borlovan (JIRA)" <j...@apache.org>
Subject [jira] Created: (JSPWIKI-65) Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter
Date Wed, 28 Nov 2007 20:27:43 GMT
Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter
--------------------------------------------------------------------------------------

                 Key: JSPWIKI-65
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-65
             Project: JSPWiki
          Issue Type: Bug
            Reporter: Cristian Borlovan


Description: The Include Tag may print out an error message containing user input.  Even though
it is highly unlikely that this will contain a malicious payload (since the logic only executes
if the page is null), best practice is to use the standard output-encoding routine to sanitize
the data. Note that this particular vulnerability may be triggered, via the use of the Include
Tag, from 16 different vectors.

For example, an attacker might attempt to inject "skin=<script>alert(document.cookie);</script>";
this would become exploitable if the code were changed in the future to no longer check for null.

Recommendation: Output-encode the value rendered to the user, using the "TextUtil.replaceEntities()"
method.
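The following is an added illustration of the finding and its fix; it is not JSPWiki's own code and is not part of the original issue. The flagged line in IncludeTag.doEndTag() builds "No template file called '<page>'" and prints it to the JSP writer; here the two variants return the string instead so the raw and encoded forms can be compared side by side. The replaceEntities helper is a stand-in for TextUtil.replaceEntities() and assumes that method encodes the four characters that can break out of HTML text content (&, <, >, "); that assumption is marked in the code.

```java
/**
 * Added illustration of the JSPWIKI-65 finding (not JSPWiki's own code).
 * IncludeTag builds "No template file called '<page>'" and prints it to the
 * JSP response; if the page name comes from request input (e.g. the skin
 * parameter), printing it unencoded is a reflected-XSS sink.
 */
public class IncludeTagEncodingExample {

    /**
     * Stand-in for com.ecyrd.jspwiki.TextUtil.replaceEntities(String).
     * Assumption: the real method encodes the same four characters; this
     * helper is not copied from JSPWiki.
     */
    static String replaceEntities(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The message as the flagged line builds it: user input appended raw. */
    static String errorMessageUnsafe(String page) {
        return new StringBuilder()
            .append("No template file called '")
            .append(page)
            .append("'")
            .toString();
    }

    /** Same message with the recommended fix: entity-encode before it reaches the writer. */
    static String errorMessageSafe(String page) {
        return new StringBuilder()
            .append("No template file called '")
            .append(replaceEntities(page))
            .append("'")
            .toString();
    }

    /** True if the rendered text still contains angle brackets, i.e. markup survived encoding. */
    static boolean containsRawMarkup(String rendered) {
        return rendered.indexOf('<') >= 0 || rendered.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed input: the value from the finding, as it would arrive in the skin parameter.
        String skin = "<script>alert(document.cookie);</script>";

        String unsafe = errorMessageUnsafe(skin);
        String safe   = errorMessageSafe(skin);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        System.out.println("unsafe keeps markup: " + containsRawMarkup(unsafe));
        System.out.println("safe keeps markup:   " + containsRawMarkup(safe));
    }
}
```

Entity encoding is the right fix here because the message lands in HTML text content; the same value placed inside a JavaScript block or an attribute would need the encoding appropriate to that context instead. Encoding at the output point, rather than relying on the current null check, is what keeps the sink safe if the surrounding logic changes later, which is the concern the finding raises.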

Related Code Locations: 
16 vectors to:
  Name:           com.ecyrd.jspwiki.tags.IncludeTag.doEndTag():int
  Type:           Vulnerability.CrossSiteScripting.Reflected
  Severity:       Low
  Classification: Vulnerability
  File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IncludeTag.java
  Line / Col:     79 / 0
  Context:        this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.println
( new java.lang.StringBuilder . java.lang.StringBuilder.append("No template file called '")
. java.lang.StringBuilder.append(this.m_page) . java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString()
)
    -----------------------------------


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

