incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Florian Holeczek (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (JSPWIKI-63) Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding
Date Sat, 10 Sep 2011 23:35:10 GMT

     [ https://issues.apache.org/jira/browse/JSPWIKI-63?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Florian Holeczek closed JSPWIKI-63.
-----------------------------------


> Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding
> --------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-63
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-63
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Default template
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Dirk Frederickx
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: 
> The following tags are observed to render contents directly to the pageContext without
Output Encoding.  It may be possible for XSS to occur in each of these tags.
> Recommendation: 
> Output Encode the value rendered to the user.  Use the "TextUtil.replaceEntities()" method.

> Related Code Locations: 
> 13 findings:
>   Name:           com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
>   Type:           Vulnerability.Validation.EncodingRequired
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
>   Line / Col:     288 / 0
>   Context:        out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal,
"&lt;&lt;", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal,
"&gt;&gt;", queryString)) . java.lang.StringBuilder.append("</tr>
> ") . java.lang.StringBuilder.toString() )
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.CookieTag.doEndTag():int
>   Type:           Vulnerability.CrossSiteScripting
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CookieTag.java
>   Line / Col:     181 / 0
>   Context:        this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.print
( out )
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.EditorIteratorTag.doAfterBody():int
>   Type:           Vulnerability.CrossSiteScripting
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\EditorIteratorTag.java
>   Line / Col:     112 / 0
>   Context:        out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString()
)
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
>   Type:           Vulnerability.Validation.EncodingRequired
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
>   Line / Col:     288 / 0
>   Context:        out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal,
"&lt;&lt;", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal,
"&gt;&gt;", queryString)) . java.lang.StringBuilder.append("</tr>
> ") . java.lang.StringBuilder.toString() )
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
>   Type:           Vulnerability.Validation.EncodingRequired
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
>   Line / Col:     288 / 0
>   Context:        out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal,
"&lt;&lt;", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal,
"&gt;&gt;", queryString)) . java.lang.StringBuilder.append("</tr>
> ") . java.lang.StringBuilder.toString() )
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.AttachmentsIteratorTag.doAfterBody():int
>   Type:           Vulnerability.CrossSiteScripting
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\AttachmentsIteratorTag.java
>   Line / Col:     127 / 0
>   Context:        out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString()
)
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
>   Type:           Vulnerability.Validation.EncodingRequired
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
>   Line / Col:     288 / 0
>   Context:        out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal,
"&lt;&lt;", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal,
"&gt;&gt;", queryString)) . java.lang.StringBuilder.append("</tr>
> ") . java.lang.StringBuilder.toString() )
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.SearchResultIteratorTag.doAfterBody():int
>   Type:           Vulnerability.CrossSiteScripting
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\SearchResultIteratorTag.java
>   Line / Col:     133 / 0
>   Context:        out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString()
)
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.IteratorTag.doAfterBody():int
>   Type:           Vulnerability.CrossSiteScripting
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IteratorTag.java
>   Line / Col:     142 / 0
>   Context:        out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString()
)
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
>   Type:           Vulnerability.Validation.EncodingRequired
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
>   Line / Col:     288 / 0
>   Context:        out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal,
"&lt;&lt;", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal,
"&gt;&gt;", queryString)) . java.lang.StringBuilder.append("</tr>
> ") . java.lang.StringBuilder.toString() )
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.HistoryIteratorTag.doAfterBody():int
>   Type:           Vulnerability.CrossSiteScripting
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\HistoryIteratorTag.java
>   Line / Col:     112 / 0
>   Context:        out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString()
)
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.LinkTag.doEndTag():int
>   Type:           Vulnerability.Validation.EncodingRequired
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\LinkTag.java
>   Line / Col:     425 / 0
>   Context:        out . java.io.Writer.write ( linktext )
>   Notes:	  
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
>   Type:           Vulnerability.Validation.EncodingRequired
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
>   Line / Col:     288 / 0
>   Context:        out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal,
"&lt;&lt;", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>")
. java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal,
"&gt;&gt;", queryString)) . java.lang.StringBuilder.append("</tr>
> ") . java.lang.StringBuilder.toString() )
>   Notes:	  
>     -----------------------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message