jspwiki-dev mailing list archives

From "Florian Holeczek (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (JSPWIKI-64) Ounce Labs Security Finding: Input Validation - Reflected XSS Edit
Date Sat, 10 Sep 2011 23:35:10 GMT

     [ https://issues.apache.org/jira/browse/JSPWIKI-64?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-64.
-----------------------------------


> Ounce Labs Security Finding: Input Validation - Reflected XSS Edit
> ------------------------------------------------------------------
>
>                 Key: JSPWIKI-64
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-64
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Janne Jalkanen
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: 
> The Edit.jsp will use a variety of different request parameters directly without validation
> and set session attributes with this tainted data.  Later in different application components
> (JSPs) these values will be used directly (sometimes without proper output encoding).  It
> is recommended that these values be properly validated prior to setting them into the session
> as attributes.
> Example 1: link is used as a hidden field from the session attribute directly, which
> is set in Edit.jsp
> Example 2: remember is used as a hidden field here in Edit.jsp, it is set in Comment.jsp
> Recommendation: 
> Validate each parameter prior to setting the value into the session attribute. Output
> Encode the value rendered to the user.  Use the "TextUtil.replaceEntities()" method.
> Related Code Locations: 
> 9 findings:
>   Name:           JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
>   Line / Col:     92 / 0
>   Context:        session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
>     -----------------------------------
>   Name:           JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
>   Line / Col:     75 / 0
>   Context:        session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
>     -----------------------------------
>   Name:           JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
>   Line / Col:     169 / 0
>   Context:        session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
>     -----------------------------------
>   Name:           JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Info
>   Severity:       Info
>   Classification: Type II
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
>   Line / Col:     169 / 0
>   Context:        session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
>     -----------------------------------
>   Name:           JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
>   Line / Col:     171 / 0
>   Context:        session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
>     -----------------------------------
>   Name:           JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Info
>   Severity:       Info
>   Classification: Type II
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
>   Line / Col:     92 / 0
>   Context:        session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
>     -----------------------------------
>   Name:           JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
>   Line / Col:     75 / 0
>   Context:        session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
>     -----------------------------------
>   Name:           JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Type II
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
>   Line / Col:     43 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "htmlPageText" )
>     -----------------------------------
>   Name:           JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Info
>   Severity:       Info
>   Classification: Type II
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
>   Line / Col:     171 / 0
>   Context:        session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
>    -----------------------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
