incubator-jspwiki-dev mailing list archives

From "cristian borlovan (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-67) Ounce Labs Security Finding: Input Validation - Reflected XSS editors
Date Mon, 24 Dec 2007 19:55:43 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-67?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12554292 ]

cristian borlovan commented on JSPWIKI-67:
------------------------------------------

test


On 11/28/07 1:39 PM, "Cristian Borlovan (JIRA)" <jira@apache.org> wrote:



> Ounce Labs Security Finding: Input Validation - Reflected XSS editors 
> ----------------------------------------------------------------------
>
>                 Key: JSPWIKI-67
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-67
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Default template
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Dirk Frederickx
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: The editor related functionality contains a variety of different reflected
> XSS attacks.  Please see below for the specific XSS detected.
> 1. FCK.jsp - The "pageAsHtml" parameter is used without validation/output encoding.
> Also, note that this parameter is already embedded within existing <script></script>
> tags. An attacker would not need to inject these strings to successfully exploit this XSS.
> 2. WikiWizard.jsp/FCK.jsp - The "link" parameter is used directly without validation/output
> encoding.  Note this parameter is set via the Edit.jsp and used throughout all Editors.
> * Attack URL: http://localhost:8080/JSPWiki/Comment.jsp?page=JOJO&link="><script>alert(document.cookie);</script>&preview=something
> 3. WikiWizard.jsp/plain.jsp - The "Accept-Language:" header is used directly without
> validation/output encoding.
> * Attack HTTP Payload:
> GET http://localhost:8080/JSPWiki/Edit.jsp?page=FOO&editor=WikiWizard&user=foo HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: "><script>alert(document.cookie);</script>
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Cookie: JSPWikiAssertedName=127.0.0.1; JSPWikiSearchBox=favorites; JSESSIONID=44B8881F5C94CE828FDDF9F4B139FA24
> If-Modified-Since: Thu, 01 Nov 2007 19:47:12 GMT
> 4. WikiWizard.jsp/plain.jsp - Also note there is potential for the "attString" to contain
> malicious payload here since it is not output encoded.  However, the likelihood is reduced
> as it appears that the attachment process will validate the filename attributes at some level.
> However, it is recommended that it be output encoded here as well to further decrease the
> XSS potentials.
> 5. The editor drop down list is constructed without validation and outputs whatever value
> the user injects.
> * Attack URL: http://localhost:8080/JSPWiki/Edit.jsp?page=FOO&editor=<script>alert(document.cookie);</script>
> Recommendation: Output Encode the value rendered to the user.  Use the "TextUtil.replaceEntities()"
> method. In cases where the data is already rendered within existing script tags, consider
> very strong input validation and even removing this exclusion within existing script tags.
> Related Code Locations:
> 1 findings:
>   Name:           com.ecyrd.jspwiki.tags.EditorTag.doEndTag():int
>   Type:           Vulnerability.CrossSiteScripting
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\EditorTag.java
>   Line / Col:     66 / 0
>   Context:        this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.println
> ( new java.lang.StringBuilder . java.lang.StringBuilder.append("Unable to find editor '")
> . java.lang.StringBuilder.append(editorPath) . java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString()
> )
>     -----------------------------------

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
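The issue quoted above recommends output encoding for the "link", "Accept-Language" and "editor" values, and stronger handling for a value that lands inside an existing <script> block. The following is an added illustration of those three mitigations in plain Java; it is not JSPWiki project code and does not reproduce the fix that went into 2.6.0. The class name, the htmlEncode(), jsStringLiteral() and selectEditor() helpers, the editor allow-list and the sample inputs are all assumptions made for the example; in the real code base the finding points at TextUtil.replaceEntities() for the HTML-encoding role that htmlEncode() plays here.

```java
import java.util.Set;

// Added example (not JSPWiki code): three ways to neutralise the reflected
// values described in JSPWIKI-67 before they reach the response.
public final class EditorOutputHardening {

    // Hypothetical allow-list of installed editor names. Finding 5 is fixed
    // by refusing anything outside this set rather than by encoding alone.
    private static final Set<String> KNOWN_EDITORS = Set.of("plain", "FCK", "WikiWizard");

    // HTML-context encoding for the "link" parameter, the Accept-Language
    // header and the attachment name. Same role as TextUtil.replaceEntities().
    public static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Script-context encoding for "pageAsHtml" (finding 1). HTML entities do
    // not help inside <script>; instead emit a JavaScript string literal in
    // which every non-alphanumeric character is a \\uXXXX escape, so the value
    // can neither close the string nor spell "</script>".
    public static String jsStringLiteral(String s) {
        if (s == null) s = "";
        StringBuilder sb = new StringBuilder("\"");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == ' ') {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.append('"').toString();
    }

    // Finding 5: pick the editor from the allow-list; unknown names fall back
    // to a safe default instead of being echoed into the drop-down.
    public static String selectEditor(String requested) {
        return (requested != null && KNOWN_EDITORS.contains(requested)) ? requested : "plain";
    }

    // The "Unable to find editor" message from the report's Context line,
    // with the editor path encoded before it is written to the page.
    public static String editorNotFoundMessage(String editorPath) {
        return "Unable to find editor '" + htmlEncode(editorPath) + "'";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real request.
        String link = "\"><b>not a link</b>";
        String acceptLanguage = "en-US,<i>x</i>";
        String pageAsHtml = "</script><b>markup</b>";
        String editor = "NoSuchEditor";

        System.out.println("link       : " + htmlEncode(link));
        System.out.println("language   : " + htmlEncode(acceptLanguage));
        System.out.println("pageAsHtml : var pageAsHtml = " + jsStringLiteral(pageAsHtml) + ";");
        System.out.println("editor     : " + selectEditor(editor));
        System.out.println("message    : " + editorNotFoundMessage(editor + "<x>"));
    }
}
```

The split between htmlEncode() and jsStringLiteral() is the point of the example: the report notes that "pageAsHtml" is already inside <script> tags, so HTML entity encoding leaves the value readable as script, and only a context-specific encoding (or, as the report suggests, strict validation or moving the value out of the script block) removes the issue.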

