[ https://issues.apache.org/jira/browse/CXF-8672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

chandra updated CXF-8672:
-------------------------
    Description: 
We're creating a JAX-WS endpoint based on our implementation class. We have 
attached our web.xml file and our beans.xml file, where we are exposing our 
services param.

We found out that while listing our services endpoint using the CXF servlet 
we are facing security issues.

Actually, we have a URL:

URL 
[http://localhost:8080/app/services/";><script>alert(document.domain)</script>sz2q2|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]
 and the XSS vulnerability is working fine in this. It gives an error when we 
add a <script> tag in the URL which contains the domain name or cookie, and it 
should work in this way.

But as soon as we enter "/services" at the last place in the URL (see 
below)

URL 
[http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2/services|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]

 it will list the WADL services which are exposed. In this case it should 
throw an error. "/services" is handled by the CXF servlet in web.xml. We 
looked into CXF sites and found that it is a known bug in the CXF library 
which was not fixed in the latest CXF version too, e.g. 3.5.1.

This URL is OK - 
[http://localhost:8080/app/services|http://tro-sps-qa17-ss:8080/SpatialServerManager/services]
 -> gives WADL
This URL is OK - 
[http://localhost:8080/app/services/|http://localhost:8080/SpatialServerManager/services/]";><script>alert(document.domain)</script>sz2q2
 -> gives the error "No services found", handling the <script> tag as XSS 
protection.

But this URL is not OK and it should be fixed by the CXF library - 
[http://localhost:8080/app/services/|http://localhost:8080/SpatialServerManager/services/]";><script>alert(document.domain)</script>sz2q2/services
 -> gives WADL

  was:
We're creating a JAX-WS endpoint based on our implementation class. We have 
attached our web.xml file and our beans.xml file, where we are exposing our 
services param.

We found out that while listing our services endpoint using the CXF servlet 
we are facing security issues.

Actually, we have a URL:

URL 
[http://tro-sps-qa17-ss:8080/SpatialServerManager/services/";><script>alert(document.domain)</script>sz2q2|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]
 and the XSS vulnerability is working fine in this. It gives an error when we 
add a <script> tag in the URL which contains the domain name or cookie, and it 
should work in this way.

But as soon as we enter "/services" at the last place in the URL (see 
below)

URL 
[http://tro-sps-qa17-ss:8080/SpatialServerManager/services/";><script>alert(document.domain)</script>sz2q2/services|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]

 it will list the WADL services which are exposed. In this case it should 
throw an error. "/services" is handled by the CXF servlet in web.xml. We 
looked into CXF sites and found that it is a known bug in the CXF library 
which was not fixed in the latest CXF version too, e.g. 3.5.1.

This URL is OK - 
[http://localhost:8080/SpatialServerManager/services|http://tro-sps-qa17-ss:8080/SpatialServerManager/services]
 -> gives WADL
This URL is OK - 
[http://localhost:8080/SpatialServerManager/services/]";><script>alert(document.domain)</script>sz2q2
 -> gives the error "No services found", handling the <script> tag as XSS 
protection.

But this URL is not OK and it should be fixed by the CXF library - 
[http://localhost:8080/SpatialServerManager/services/]";><script>alert(document.domain)</script>sz2q2/services
 -> gives WADL


> CXF /services page causing vulnerable to a reflected Cross-Site Scripting 
> (XSS) attack in latest and Older CXF version
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8672
>                 URL: https://issues.apache.org/jira/browse/CXF-8672
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.5, 3.5.1
>         Environment: Java -11
> Windows
>            Reporter: chandra
>            Priority: Blocker
>         Attachments: beans.xml, web.xml
>



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
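The rendering pattern the report describes, as an added example that is neither Apache CXF's code nor the reporter's: a minimal "Available services" listing page built two ways. renderUnsafe() writes the request path into the HTML unchanged, which is the failure mode the report observes (a <script> element in the path reaches the browser as markup); renderEscaped() HTML-encodes every untrusted value at the point it enters the markup, so the same path renders as inert text. The endpoint list and the class and method names are hypothetical, the sample path is constructed from the shape given in the report, and plain Java is used in place of the Servlet API.

```java
import java.util.List;

/**
 * Added example (not Apache CXF code): an "Available services" listing page
 * rendered first with the request path reflected verbatim, then with proper
 * HTML entity encoding of every untrusted value.
 */
public class ServiceListingEscapeDemo {

    // Hypothetical endpoint names, constructed for this example.
    static final List<String> ENDPOINTS =
            List.of("/app/services/SpatialServer", "/app/services/Admin");

    /** Minimal HTML entity encoding for text placed in an element body or a quoted attribute. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable form: the requested path is written into the page verbatim. */
    static String renderUnsafe(String requestPath) {
        StringBuilder html = new StringBuilder("<html><body><h2>Available services</h2>\n");
        html.append("<p>Listing for ").append(requestPath).append("</p>\n<ul>\n");
        for (String ep : ENDPOINTS) {
            html.append("<li><a href=\"").append(ep).append("\">").append(ep).append("</a></li>\n");
        }
        return html.append("</ul></body></html>").toString();
    }

    /** Hardened form: the path and every endpoint name are escaped before insertion. */
    static String renderEscaped(String requestPath) {
        StringBuilder html = new StringBuilder("<html><body><h2>Available services</h2>\n");
        html.append("<p>Listing for ").append(htmlEscape(requestPath)).append("</p>\n<ul>\n");
        for (String ep : ENDPOINTS) {
            String safe = htmlEscape(ep);
            html.append("<li><a href=\"").append(safe).append("\">").append(safe).append("</a></li>\n");
        }
        return html.append("</ul></body></html>").toString();
    }

    /** Check a regression test or response scanner can apply: does the body carry a raw script element? */
    static boolean containsRawScriptElement(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed path in the shape the report gives: payload segment, then a trailing /services.
        String path = "/services/\"><script>alert(document.domain)</script>sz2q2/services";

        String unsafe = renderUnsafe(path);
        String escaped = renderEscaped(path);

        System.out.println("unsafe response carries a raw <script> element: "
                + containsRawScriptElement(unsafe));
        System.out.println("escaped response carries a raw <script> element: "
                + containsRawScriptElement(escaped));
        System.out.println(escaped);
    }
}
```

Compile and run with `javac ServiceListingEscapeDemo.java && java ServiceListingEscapeDemo`. The point of the two renderers is that the decision to escape belongs at the output sink, not in a request-path filter: a filter that rejects `<script>` in one path shape but not another (as the report describes for the trailing `/services` case) leaves the sink exposed, whereas encoding at the sink neutralises the reflected text regardless of how the path was routed.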
