incubator-jspwiki-dev mailing list archives

From "cristian borlovan (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-65) Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter
Date Mon, 24 Dec 2007 19:55:43 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-65?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12554291 ]

cristian borlovan commented on JSPWIKI-65:
------------------------------------------

Sorry about that, I am trying to be careful with it.  I guess that one
slipped.  If you see others please correct and I will go back and do the
same for each one.

-Cristian






> Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter
> ---------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-65
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-65
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Cristian Borlovan
>            Assignee: Janne Jalkanen
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: The Include Tag may print out an error message containing user input.  Even
> though it is highly unlikely that this will contain malicious payload (since the logic only
> executes if page is null), best practices indicate using the standard output encoding routine
> to sanitize the data. Note this particular vulnerability may be triggered, via the use of
> the Include Tag, from 16 different vectors.
> For example, "skin=<script>alert(document.cookie);</script>" might be attempted
> to be injected and the code were changed in the future to not check if null.
> Recommendation: Output Encode the value rendered to the user.  Use the "TextUtil.replaceEntities()"
> method.
> Related Code Locations: 
> 16 vectors to:
>   Name:           com.ecyrd.jspwiki.tags.IncludeTag.doEndTag():int
>   Type:           Vulnerability.CrossSiteScripting.Reflected
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IncludeTag.java
>   Line / Col:     79 / 0
>   Context:        this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.println
>                   ( new java.lang.StringBuilder . java.lang.StringBuilder.append("No template file called '")
>                   . java.lang.StringBuilder.append(this.m_page) . java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString()
>                   )
>     -----------------------------------

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
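
Added example (not part of the original message or of JSPWiki's source): the flagged println concatenation from the quoted finding next to the output-encoded form the report recommends. encodeEntities is a hypothetical stand-in for TextUtil.replaceEntities(), and the class and method names are assumptions made for illustration.

```java
public class IncludeTagEncodingExample {

    // Hypothetical stand-in for TextUtil.replaceEntities(); written for this
    // example, not copied from JSPWiki.
    static String encodeEntities(String src) {
        if (src == null) return null;
        StringBuilder out = new StringBuilder(src.length() + 16);
        for (int i = 0; i < src.length(); i++) {
            char c = src.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Shape of the statement the scanner flagged: the value is concatenated
    // into the error text without encoding.
    static String rawMessage(String page) {
        return "No template file called '" + page + "'";
    }

    // Recommended shape: encode the value at the point where it is rendered,
    // so the output stays safe even if the surrounding null check changes.
    static String encodedMessage(String page) {
        return "No template file called '" + encodeEntities(page) + "'";
    }

    public static void main(String[] args) {
        // Sample value quoted in the issue description.
        String skin = "<script>alert(document.cookie);</script>";
        System.out.println("raw:     " + rawMessage(skin));
        System.out.println("encoded: " + encodedMessage(skin));
        // The report notes the branch currently runs only when the page is
        // null; string concatenation then renders the text "null".
        System.out.println("null:    " + encodedMessage(null));
    }
}
```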

