incubator-jspwiki-dev mailing list archives

From "Florian Holeczek (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (JSPWIKI-65) Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter
Date Sat, 10 Sep 2011 23:35:10 GMT

     [ https://issues.apache.org/jira/browse/JSPWIKI-65?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-65.
-----------------------------------


> Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter
> ---------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-65
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-65
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Cristian Borlovan
>            Assignee: Janne Jalkanen
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: The Include Tag may print out an error message containing user input. Even
> though it is highly unlikely that this will contain a malicious payload (since the logic only
> executes if page is null), best practices indicate using the standard output encoding routine
> to sanitize the data. Note this particular vulnerability may be triggered, via the use of
> the Include Tag, from 16 different vectors.
> For example, "skin=<script>alert(document.cookie);</script>" might be injected if the code
> were changed in the future to not check for null.
> Recommendation: Output encode the value rendered to the user. Use the "TextUtil.replaceEntities()"
> method.
> Related Code Locations:
> 16 vectors to:
>   Name:           com.ecyrd.jspwiki.tags.IncludeTag.doEndTag():int
>   Type:           Vulnerability.CrossSiteScripting.Reflected
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IncludeTag.java
>   Line / Col:     79 / 0
>   Context:        this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.println
>                   ( new java.lang.StringBuilder . java.lang.StringBuilder.append("No template file called '")
>                   . java.lang.StringBuilder.append(this.m_page) . java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString()
>                   )
>     -----------------------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
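The finding above quotes the unencoded error message in IncludeTag.doEndTag() and recommends passing the page name through TextUtil.replaceEntities() before writing it. The following is an added illustration, not JSPWiki's code: it places the message as the finding quotes it beside an output-encoded version. The escapeHtml() helper is a stand-in that is assumed to behave like JSPWiki's TextUtil.replaceEntities() (the real method, in com.ecyrd.jspwiki.TextUtil, is not reproduced here), and the input string is constructed from the payload cited in the issue.

```java
// Added example; not code from JSPWiki or from the Ounce Labs report.
public class IncludeTagEncodingExample {

    // Minimal HTML entity encoding. Assumed to match what
    // TextUtil.replaceEntities() does for the characters that matter in
    // HTML text and attribute contexts.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Before: the message built at IncludeTag.java line 79, exactly as the
    // finding's Context field shows it. The page name reaches the browser unchanged.
    static String unencodedMessage(String page) {
        return new StringBuilder()
                .append("No template file called '")
                .append(page)
                .append("'")
                .toString();
    }

    // After: the same message with the user-controlled page name entity-encoded,
    // which is what the recommendation ("Output encode the value rendered to
    // the user") amounts to. Markup in the value is rendered as text, not executed.
    static String encodedMessage(String page) {
        return "No template file called '" + escapeHtml(page) + "'";
    }

    public static void main(String[] args) {
        // Constructed input: the skin value quoted in the issue description.
        String skin = "<script>alert(document.cookie);</script>";
        System.out.println("unencoded: " + unencodedMessage(skin));
        System.out.println("encoded:   " + encodedMessage(skin));
    }
}
```

Running main() prints the first line with the script tags intact and the second with them rewritten as `&lt;script&gt;...&lt;/script&gt;`, so a reviewer can confirm that the encoded form is inert in an HTML context. Note that the finding rates the issue Low precisely because the println only runs when the page is null; the encoding is a defence-in-depth measure so that a later change to that null check does not silently turn the message into a reflected XSS sink.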