[jira] [Commented] (CXF-8672) CXF /services page causing vulnerable to a reflected Cross-Site Scripting (XSS) attack in latest and Older CXF version

Tue, 08 Mar 2022 22:53:07 -0800 


    [ 
https://issues.apache.org/jira/browse/CXF-8672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17503332#comment-17503332
 ] 

chandra commented on CXF-8672:
------------------------------

we need a fix for this issue because once we enter /services in last part of 
URL it is listing down wadl services and that is vulnerable.

> CXF /services page causing vulnerable to a reflected Cross-Site Scripting 
> (XSS) attack in latest and Older CXF version
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8672
>                 URL: https://issues.apache.org/jira/browse/CXF-8672
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.5, 3.5.1
>         Environment: Java -11
> Windows
>            Reporter: chandra
>            Priority: Blocker
>         Attachments: beans.xml, web.xml
>
>
> {color:#172b4d}we're creating a JAX-WS endpoint based on our implementation 
> class. We have attached our web.xml file and our beans.xml file where we are 
> exposing our services param.{color}
> {color:#172b4d}we found out that while listing our services endpoint using 
> CXF servlet we are facing security issues.{color}
> {color:#172b4d}Actually we have a URL:-{color}
> {color:#172b4d} URL 
> [http://tro-sps-qa17-ss:8080/SpatialServerManager/services/{+}";><script>{+}alert(document.domain){+}</script>sz2q2{+}|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]
>  and the XSS vulnerability is working fine in this. It is giving error when 
> we add <script> tag in URL which contains domains name or cookie and it 
> should be work in this way.{color}
> {color:#172b4d}But as soon as we enter "/services" at last place in URL(see 
> below){color}
> {color:#172b4d}URL 
> [http://tro-sps-qa17-ss:8080/SpatialServerManager/services/{+}";><script>{+}alert(document.domain){+}</script>sz2q2{+}/services|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]{color}
> {color:#172b4d} it will list down wadl services which are exposed. In this 
> case it should throw error. "/services" is handled by CXF servlet in web.xml. 
> We looked into CXF sites and found that it is known bug in CXF library which 
> was not fixed in latest cxf version too e.g. 3.5.1.{color}
> {color:#172b4d}This URL is OK 
> -[http://localhost:8080/SpatialServerManager/services|http://tro-sps-qa17-ss:8080/SpatialServerManager/services]
>  -> giver wadl{color}
> {color:#172b4d}This URL is 
> OK-{+}[http://localhost:8080/SpatialServerManager/services/]";><script>alert(document.domain)</script>sz2q2{+}
>  -> gives error as "No services found" handling <script> tag as XSS 
> protection.{color}
> {color:#172b4d}But this URL is not OK and it should be fixed by CXF library - 
> +[http://localhost:8080/SpatialServerManager/services/]";><script>alert(document.domain)</script>sz2q2/services+
>  ->gives wadl{color}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to