From: "cristian borlovan (JIRA)"
To: jspwiki-dev@incubator.apache.org
Date: Mon, 24 Dec 2007 11:55:43 -0800 (PST)
Message-ID: <26165895.1198526143108.JavaMail.jira@brutus>
In-Reply-To: <21203542.1196281663457.JavaMail.jira@brutus>
Subject: [jira] Commented: (JSPWIKI-65) Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter

    [ https://issues.apache.org/jira/browse/JSPWIKI-65?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12554291 ]

cristian borlovan commented on JSPWIKI-65:
------------------------------------------

Sorry about that, I am trying to be careful with it. I guess that one slipped. If you see others please correct and I will go back and do the same for each one.

-Cristian

> Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter
> --------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-65
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-65
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Cristian Borlovan
>            Assignee: Janne Jalkanen
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: The Include Tag may print out an error message containing user input. Even though it is highly unlikely that this will contain a malicious payload (since the logic only executes if page is null), best practices indicate using the standard output encoding routine to sanitize the data. Note this particular vulnerability may be triggered, via the use of the Include Tag, from 16 different vectors.
>
> For example, "skin=" might be attempted to be injected and the code were changed in the future to not check if null.
>
> Recommendation: Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.
>
> Related Code Locations:
> 16 vectors to:
> Name: com.ecyrd.jspwiki.tags.IncludeTag.doEndTag():int
> Type: Vulnerability.CrossSiteScripting.Reflected
> Severity: Low
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IncludeTag.java
> Line / Col: 79 / 0
> Context: this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.println ( new java.lang.StringBuilder . java.lang.StringBuilder.append("No template file called '") . java.lang.StringBuilder.append(this.m_page) . java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString() )
>
> -----------------------------------

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
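The finding quoted above flags a StringBuilder chain that writes the raw page name into the "No template file called ..." message, and recommends passing the value through TextUtil.replaceEntities() first. The following Java class is an added illustration of that before/after, not JSPWiki project code: unencodedMessage() reproduces the shape of the flagged line, encodedMessage() is the recommended form, and replaceEntities() is a minimal stand-in written here so the example compiles without the JSPWiki jar (it is assumed to encode the same characters as the real com.ecyrd.jspwiki.TextUtil.replaceEntities(); the sample page name is constructed).

```java
// Added example (not JSPWiki code): output encoding for the IncludeTag error message.
public class IncludeTagEncodingExample {

    /**
     * Stand-in for JSPWiki's TextUtil.replaceEntities() (assumption: the real method
     * encodes these same characters). It neutralises the characters that can change
     * HTML structure when a string is written into a text context.
     */
    static String replaceEntities(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Shape of the flagged line: the page name is appended to the output as-is. */
    static String unencodedMessage(String page) {
        return new StringBuilder()
                .append("No template file called '")
                .append(page)
                .append("'")
                .toString();
    }

    /** Recommended form: the same message with the user-influenced value output-encoded. */
    static String encodedMessage(String page) {
        return new StringBuilder()
                .append("No template file called '")
                .append(replaceEntities(page))
                .append("'")
                .toString();
    }

    public static void main(String[] args) {
        // Constructed sample value containing markup, as a request parameter might.
        String page = "<b>not-a-template</b>";
        System.out.println("unencoded: " + unencodedMessage(page));
        System.out.println("encoded:   " + encodedMessage(page));
    }
}
```

Running main() prints the markup intact in the first line and as `&lt;b&gt;not-a-template&lt;/b&gt;` in the second; the encoded form stays inert even if the null check that currently guards this branch is removed later, which is the scenario the finding describes.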