Added: portals/site-live/jetspeed-2/security-reports.html
URL: 
http://svn.apache.org/viewvc/portals/site-live/jetspeed-2/security-reports.html?rev=1733524&view=auto
==============================================================================
--- portals/site-live/jetspeed-2/security-reports.html (added)
+++ portals/site-live/jetspeed-2/security-reports.html Thu Mar  3 21:05:35 2016
@@ -0,0 +1,458 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+
+
+
+
+
+
+
+
+
+
+
+<html xmlns="http://www.w3.org/1999/xhtml";>
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Jetspeed 2 - Jetspeed Security Reports</title>
+    <style type="text/css" media="all">
+      @import url("./css/maven-base.css");
+      @import url("./css/maven-theme.css");
+      @import url("./css/site.css");
+    </style>
+    <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
+          </head>
+  <body class="composite">
+    <div id="banner">
+                  <a href="http://portals.apache.org/jetspeed-2/"; 
id="bannerLeft">
+    
+                                            <img 
src="images/jetspeed-logo.gif" alt="" />
+    
+            </a>
+                    <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="breadcrumbs">
+          
+  
+
+  
+    
+  
+  
+    
+            <div class="xleft">
+        Last Published: 3 March 2016
+                      </div>
+            <div class="xright">            <a 
href="http://portals.apache.org/applications/"; 
class="externalLink">Applications</a>
+            |
+                <a href="http://portals.apache.org/"; 
class="externalLink">Portals</a>
+            |
+                <a href="http://portals.apache.org/jetspeed-2.2/"; 
class="externalLink">Jetspeed-2.2.2</a>
+            
+  
+
+  
+    
+  
+  
+    
+  </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+    <div id="leftColumn">
+      <div id="navcolumn">
+           
+  
+
+  
+    
+  
+  
+    
+                   <h5>Essentials</h5>
+            <ul>
+              
+    <li class="none">
+                    <a href="index.html">Welcome</a>
+          </li>
+              
+    <li class="none">
+                    <a href="features.html">Features</a>
+          </li>
+              
+    <li class="none">
+                    <a href="getting-started.html">Getting Started</a>
+          </li>
+              
+    <li class="none">
+                    <a href="roadmap.html">Roadmap</a>
+          </li>
+              
+    <li class="none">
+              <strong>Security Reports</strong>
+        </li>
+          </ul>
+              <h5>Get Jetspeed</h5>
+            <ul>
+              
+    <li class="none">
+                    <a href="download.html">Download</a>
+          </li>
+              
+    <li class="none">
+                    <a href="getting-started-installer.html">Installer 
Instructions</a>
+          </li>
+              
+    <li class="none">
+                    <a href="release-notes.html">Release Notes</a>
+          </li>
+          </ul>
+              <h5>Documentation Guides</h5>
+            <ul>
+              
+    <li class="none">
+                    <a href="usersguide/index.html">Users Guide</a>
+          </li>
+              
+    <li class="none">
+                    <a href="adminguide/index.html">Administrators Guide</a>
+          </li>
+              
+    <li class="none">
+                    <a href="deployguide/index.html">Deployment Guide</a>
+          </li>
+              
+    <li class="none">
+                    <a href="buildguide/index.html">Build Guide</a>
+          </li>
+              
+    <li class="none">
+                    <a href="devguide/index.html">Developers Guide</a>
+          </li>
+              
+    <li class="none">
+                    <a href="applications/index.html">Jetspeed Applications</a>
+          </li>
+          </ul>
+              <h5>Migration</h5>
+            <ul>
+              
+    <li class="none">
+                    <a href="guide-migration.html">Migration Guide</a>
+          </li>
+              
+    <li class="none">
+                    <a href="guide-etl-migration.html">ETL Migration Guide</a>
+          </li>
+              
+    <li class="none">
+                    <a href="j1-migration.html">Jetspeed-1 Migration 
Guideline</a>
+          </li>
+              
+    <li class="none">
+                    <a href="j1-users.html">For Jetspeed-1 Users</a>
+          </li>
+          </ul>
+              <h5>APIs</h5>
+            <ul>
+              
+    <li class="none">
+                    <a href="apidocs/index.html">Jetspeed-2 Java API</a>
+          </li>
+              
+    <li class="none">
+                    <a href="devguide/guide-ajax-api.html">Jetspeed-2 AJAX 
API</a>
+          </li>
+              
+    <li class="none">
+                    <a href="devguide/guide-rest-api.html">Jetspeed-2 REST 
API</a>
+          </li>
+          </ul>
+              <h5>Tutorials</h5>
+            <ul>
+              
+    <li class="none">
+                    <a href="tutorial/index.html">Jetspeed 2.3 Maven 
Tutorial</a>
+          </li>
+          </ul>
+              <h5>Community</h5>
+            <ul>
+              
+    <li class="none">
+                    <a href="supporting-projects.html">Supporting Projects</a>
+          </li>
+              
+    <li class="none">
+                    <a href="who-uses-j2.html">Who Uses J2?</a>
+          </li>
+              
+    <li class="none">
+                    <a href="portlets-community.html">Portlets Community</a>
+          </li>
+              
+    <li class="none">
+                    <a href="how-to-help.html">How to Help?</a>
+          </li>
+          </ul>
+              <h5>Support</h5>
+            <ul>
+              
+    <li class="none">
+                    <a href="mail-lists.html">Mailing List</a>
+          </li>
+              
+    <li class="none">
+                    <a href="issue-tracking.html">Bug Database</a>
+          </li>
+              
+    <li class="none">
+                    <a href="http://wiki.apache.org/portals/Jetspeed2"; 
class="externalLink">Wiki</a>
+          </li>
+              
+    <li class="none">
+                    <a href="faq.html">FAQ</a>
+          </li>
+          </ul>
+              <h5>Translation</h5>
+            <ul>
+              
+    <li class="none">
+                    <a 
href="http://jetspeed-japan.sourceforge.jp/jetspeed-2-trans/ja/index.html"; 
class="externalLink">Japanese</a>
+          </li>
+          </ul>
+              <h5>Project Info</h5>
+            <ul>
+              
+    <li class="none">
+                    <a href="project-summary.html">Project Summary</a>
+          </li>
+              
+    <li class="none">
+                    <a href="team-list.html">Jetspeed Team</a>
+          </li>
+              
+    <li class="none">
+                    <a href="source-repository.html">Source Repository</a>
+          </li>
+          </ul>
+                                           <a href="http://maven.apache.org/"; 
title="Built by Maven" class="poweredBy">
+            <img alt="Built by Maven" 
src="./images/logos/maven-feather.png"></img>
+          </a>
+                       
+  
+
+  
+    
+  
+  
+    
+        </div>
+    </div>
+    <div id="bodyColumn">
+      <div id="contentBox">
+        <subtitle></subtitle><authors><person name="David Sean Taylor" 
email="[email protected]"></authors><div class="section"><h2><a 
name="CVE_Reports"></a>CVE Reports</h2>
+<ul><li><a href="#CVE-2016-0709">CVE-2016-0709: Code execution via ZIP file 
path traversal</a></li>
+<li><a href="#CVE-2016-0710">CVE-2016-0710:  SQL injection in User Manager 
service</a></li>
+<li><a href="#CVE-2016-0711">CVE-2016-0711:  Persistent Cross Site Scripting 
in links, pages and folders</a></li>
+<li><a href="#CVE-2016-0712">CVE-2016-0712:  Reflected Cross Site Scripting in 
URI path</a></li>
+</ul>
+</div>
+<div class="section"><h2><a name="a2.3.1_Release_CVE_Reports"></a>2.3.1 
Release CVE Reports</h2>
+<a name="CVE-2016-0709"></a><div class="section"><h3><a 
name="CVE-2016-0709:_Code_execution_via_ZIP_file_path_traversal"></a>CVE-2016-0709:
 Code execution via ZIP file path traversal</h3>
+<table class="bodyTable"><tr class="a"><td>Severity: </td>
+<td>Important</td>
+</tr>
+<tr class="b"><td>Vendor: </td>
+<td>The Apache Software Foundation</td>
+</tr>
+<tr class="a"><td>Versions Effected:</td>
+<td> Jetspeed 2.2.0 to 2.2.2</td>
+</tr>
+<tr class="b"><td></td>
+<td>Jetspeed 2.3.0</td>
+</tr>
+<tr class="a"><td>The unsupported Jetspeed 2.1.x versions may be also 
affected</td>
+</tr>
+<tr class="b"><td>Mitigation:</td>
+<td>2.2.0 - 2.3.0 users should upgrade to 2.3.1</td>
+</tr>
+<tr class="a"><td>Credit:</td>
+<td>This issue was discovered by Andreas Lindh</td>
+</tr>
+<tr class="b"><td>References:</td>
+<td>http://tomcat.apache.org/security.html</td>
+</tr>
+</table>
+<h4>Description:</h4>
+<p>The Import/Export function in the Portal Site Manager, part of the Jetspeed 
Administrative Portlets, is vulnerable to a path traversal via specially 
crafted file names in ZIP archives. Any user with permission to upload files 
via this function can upload a file with a name like 
&quot;../../../../tmp/foo&quot; to write a file named &quot;foo&quot; in the 
/tmp directory. This is because the code that performs the unzipping of the 
archive does not check the validity of the file names before writing them to 
disk. This can be turned into code execution by uploading a .jsp file and 
writing it to somewhere on the file system where the web server will execute it 
when visited
+                </p>
+</div>
+<a name="CVE-2016-0710"></a><div class="section"><h3><a 
name="aCVE-2016-0710:_SQL_injection_in_User_Manager_service"></a>#CVE-2016-0710:
 SQL injection in User Manager service</h3>
+<table class="bodyTable"><tr class="a"><td>Severity: </td>
+<td>Important</td>
+</tr>
+<tr class="b"><td>Vendor: </td>
+<td>The Apache Software Foundation</td>
+</tr>
+<tr class="a"><td>Versions Effected:</td>
+<td> Jetspeed 2.3.0</td>
+</tr>
+<tr class="b"><td>Mitigation:</td>
+<td>2.3.0 users should upgrade to 2.3.1</td>
+</tr>
+<tr class="a"><td>Credit:</td>
+<td>This issue was discovered by Andreas Lindh</td>
+</tr>
+<tr class="b"><td>References:</td>
+<td>http://tomcat.apache.org/security.html</td>
+</tr>
+</table>
+<h4>Description:</h4>
+<p>The Jetspeed User Manager service, part of the Jetspeed Administrative 
Portlets, is vulnerable to SQL injection. When performing a search in these 
tools, the 'user' and 'role' parameters of the request can be injected to alter 
the logic of the subsequent SQL statement.
+                </p>
+<p>There is also an authorization flaw at play here since the above URLs can 
be reached without being authenticated in Jetspeed.</p>
+<h4>Example</h4>
+<p>
+                    Given this URL:<br />
+<div 
class="source"><pre>http://192.168.2.4:8080/jetspeed/services/usermanager/users/?_type=json&amp;results=10&amp;start=0&amp;sort=userName&amp;dir=asc&amp;name=&amp;roles=foo%27%20</pre>
+</div>
+
+                    The 'role' parameter contains the value &quot;foo&quot; 
which is not an existing role, but because of the injected SQL code (or 
'1'='1') the statement returns true anyway and all the existing users are shown.
+                </p>
+</div>
+<a name="CVE-2016-0711"></a><div class="section"><h3><a 
name="CVE-2016-0711:_Persistent_Cross_Site_Scripting_in_links_pages_and_folders"></a>CVE-2016-0711:
 Persistent Cross Site Scripting in links, pages and folders</h3>
+<table class="bodyTable"><tr class="a"><td>Severity: </td>
+<td>Important</td>
+</tr>
+<tr class="b"><td>Vendor: </td>
+<td>The Apache Software Foundation</td>
+</tr>
+<tr class="a"><td>Versions Effected:</td>
+<td> Jetspeed 2.2.0 to 2.2.2</td>
+</tr>
+<tr class="b"><td></td>
+<td>Jetspeed 2.3.0</td>
+</tr>
+<tr class="a"><td>The unsupported Jetspeed 2.1.x versions may be also 
affected</td>
+</tr>
+<tr class="b"><td>Mitigation:</td>
+<td>2.2.0 - 2.3.0 users should upgrade to 2.3.1</td>
+</tr>
+<tr class="a"><td>Credit:</td>
+<td>This issue was discovered by Andreas Lindh</td>
+</tr>
+<tr class="b"><td>References:</td>
+<td>http://tomcat.apache.org/security.html</td>
+</tr>
+</table>
+<h4>Description:</h4>
+<p>The functionality to add a link, page, or folder, is vulnerable to 
persistent Cross Site Scripting. This is because it is possible to include HTML 
tags in the object's name, such as is the example below where a page object is 
being renamed after creation.
+                </p>
+<h4>Example</h4>
+<p>
+                    Given this AJAX request:<br />
+<div class="source"><pre>
+POST /jetspeed/services/pagemanagement/info/.psml/_user/andreas/foobar.psml?
+_type=json HTTP/1.1
+Host: 192.168.2.4:8080
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101
+Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Referer: http://192.168.2.4:8080/jetspeed/ui/_user/andreas/foobar.psml
+Content-Length: 60
+Cookie: JSESSIONID=F95E2034A086BE172EF816FF2C853BE9;
+JS2TOOLBOX=TAB=theme&amp;CAT=Administration
+Connection: close
+title=foobar&lt;/a&gt;&lt;/li&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;
+                    </pre>
+</div>
+</p>
+<p>Which results in the following content in the server response:<br />
+<div class="source"><pre>
+&lt;meta http-equiv=&quot;content-type&quot; content=&quot;text/html; 
charset=UTF-8&quot;/&gt;
+&lt;title&gt;foobar&lt;/a&gt;&lt;/li&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;&lt;/title&gt;
+                    </pre>
+</div>
+<p>Note that this code will be executed every time someone visits that 
space.</p>
+</p>
+</div>
+<a name="CVE-2016-0712"></a><div class="section"><h3><a 
name="CVE-2016-0712:_Reflected_Cross_Site_Scripting_in_URI_path"></a>CVE-2016-0712:
 Reflected Cross Site Scripting in URI path</h3>
+<table class="bodyTable"><tr class="a"><td>Severity: </td>
+<td>Important</td>
+</tr>
+<tr class="b"><td>Vendor: </td>
+<td>The Apache Software Foundation</td>
+</tr>
+<tr class="a"><td>Versions Effected:</td>
+<td> Jetspeed 2.2.0 to 2.2.2</td>
+</tr>
+<tr class="b"><td></td>
+<td>Jetspeed 2.3.0</td>
+</tr>
+<tr class="a"><td>The unsupported Jetspeed 2.1.x versions may be also 
affected</td>
+</tr>
+<tr class="b"><td>Mitigation:</td>
+<td>2.2.0 - 2.3.0 users should upgrade to 2.3.1</td>
+</tr>
+<tr class="a"><td>Credit:</td>
+<td>This issue was discovered by Andreas Lindh</td>
+</tr>
+<tr class="b"><td>References:</td>
+<td>http://tomcat.apache.org/security.html</td>
+</tr>
+</table>
+<h4>Description:</h4>
+<p>
+                The URI path directory after /portal is vulnerable to 
reflected Cross Site Scripting. By visiting the following URL, a JavaScript 
pop-up will appear when the mouse is moved over the minimize/maximize buttons 
(may differ for different UI versions).
+                Note this issue is only reproduced on Firefox browser.
+            </p>
+<h4>Example</h4>
+<p>
+                Given this URL:<br />
+<div class="source"><pre>
+http://192.168.2.9:8080/jetspeed/portal/foo%22onmouseover%3d%22alert%281%29?URL=foo/bar
+                    </pre>
+</div>
+</p>
+<p>In the HTML response there is script:<br />
+<div class="source"><pre>
+&lt;a 
href=&quot;http://192.168.2.4:8080/jetspeed/portal/_ns:..._/foo&quot;onmouseover=&quot;alert(1)&quot;
+title=&quot;Minimize&quot; class=&quot;action portlet-action&quot; &gt;&lt;img 
src=&quot;/jetspeed/decorations/images/minimized.gif&quot; 
alt=&quot;Minimize&quot; border=&quot;0&quot;/&gt;&lt;/a&gt;
+                    </pre>
+</div>
+</p>
+</div>
+</div>
+
+      </div>
+    </div>
+    <div class="clear">
+      <hr/>
+    </div>
+    <div id="footer">
+      <div class="xright">&#169;  
+          2004-2016
+    
+          Apache Software Foundation
+          
+  
+
+  
+    
+  
+  
+    
+  </div>
+      <div class="clear">
+        <hr/>
+      </div>
+    </div>
+  </body>
+</html>
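Review bot: The References row of all four CVE tables (`<td>http://tomcat.apache.org/security.html</td>`, repeated under CVE-2016-0709, -0710, -0711 and -0712) points at the Tomcat project's security page rather than anything about Jetspeed, which reads like a leftover from a copied template; it should point at the Jetspeed security page or the CVE record, e.g. `<td><a href="[JETSPEED-SECURITY-PAGE-URL]">Jetspeed security reports</a></td>`. The CVE-2016-0710 heading carries a stray `#` in its visible text (`#CVE-2016-0710: SQL injection in User Manager service`), and every table reads "Versions Effected" where "Versions Affected" is meant. The CVE-2016-0710 description also notes that the usermanager service URLs are reachable without authentication, but the Mitigation row only says to upgrade; readers assessing exposure would want it stated whether 2.3.1 also closes that unauthenticated access. Separately, `<subtitle></subtitle><authors><person …></authors>` at the top of contentBox are xdoc source elements leaked into the rendered page, and the `<div class="source">` blocks sit inside `<p>`, which is invalid HTML; since this file is generated, those fixes presumably belong in the xdoc source rather than here.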

Modified: portals/site-live/jetspeed-2/supporting-projects.html
URL: 
http://svn.apache.org/viewvc/portals/site-live/jetspeed-2/supporting-projects.html?rev=1733524&r1=1733523&r2=1733524&view=diff
==============================================================================
--- portals/site-live/jetspeed-2/supporting-projects.html (original)
+++ portals/site-live/jetspeed-2/supporting-projects.html Thu Mar  3 21:05:35 
2016
@@ -42,7 +42,7 @@
   
     
             <div class="xleft">
-        Last Published: 28 July 2015
+        Last Published: 3 March 2016
                       </div>
             <div class="xright">            <a 
href="http://portals.apache.org/applications/"; 
class="externalLink">Applications</a>
             |
@@ -90,6 +90,10 @@
     <li class="none">
                     <a href="roadmap.html">Roadmap</a>
           </li>
+              
+    <li class="none">
+                    <a href="security-reports.html">Security Reports</a>
+          </li>
           </ul>
               <h5>Get Jetspeed</h5>
             <ul>
@@ -283,7 +287,7 @@
     </div>
     <div id="footer">
       <div class="xright">&#169;  
-          2004-2015
+          2004-2016
     
           Apache Software Foundation
           

Modified: portals/site-live/jetspeed-2/who-uses-j2.html
URL: 
http://svn.apache.org/viewvc/portals/site-live/jetspeed-2/who-uses-j2.html?rev=1733524&r1=1733523&r2=1733524&view=diff
==============================================================================
--- portals/site-live/jetspeed-2/who-uses-j2.html (original)
+++ portals/site-live/jetspeed-2/who-uses-j2.html Thu Mar  3 21:05:35 2016
@@ -42,7 +42,7 @@
   
     
             <div class="xleft">
-        Last Published: 28 July 2015
+        Last Published: 3 March 2016
                       </div>
             <div class="xright">            <a 
href="http://portals.apache.org/applications/"; 
class="externalLink">Applications</a>
             |
@@ -90,6 +90,10 @@
     <li class="none">
                     <a href="roadmap.html">Roadmap</a>
           </li>
+              
+    <li class="none">
+                    <a href="security-reports.html">Security Reports</a>
+          </li>
           </ul>
               <h5>Get Jetspeed</h5>
             <ul>
@@ -356,7 +360,7 @@ We are using Spring very intesively as w
     </div>
     <div id="footer">
       <div class="xright">&#169;  
-          2004-2015
+          2004-2016
     
           Apache Software Foundation
           

