Dan Haywood created ISIS-884:
--------------------------------
Summary: ErrorPage vulnerable to XSS attacks.
Key: ISIS-884
URL: https://issues.apache.org/jira/browse/ISIS-884
Project: Isis
Issue Type: Bug
Components: Viewer: Wicket
Affects Versions: viewer-wicket-1.6.0
Reporter: Dan Haywood
Assignee: Dan Haywood
Priority: Blocker
Fix For: viewer-wicket-1.7.0
The default error page (org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage)
is vulnerable to XSS via
org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel
In the constructor of ExceptionStackTracePanel, it adds a Label with the
exception message and calls setEscapeModelStrings(false)
This means any URL that a URL be constructed to reference an entity with
Javascript inserted where the OID should be and an exception is thrown with the
Javascript code inserted in to the message.
This is then written to the page un-escaped to be executed in the users session.
It is made worse by the bookmarkable feature (I think that's what does this),
where an attacker can navigate to a crafted URL on a user's PC, if they don't
close all of their browser windows before the session times out, when they log
in they will be redirected to the crafted URL.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
