[
https://issues.apache.org/jira/browse/CXF-8672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17503375#comment-17503375
]
chandra edited comment on CXF-8672 at 3/9/22, 10:34 AM:
--------------------------------------------------------
Hi Colm,
We have a project, "app", and in it we have services which list all the
WADLs we have exposed to users, like this.
!image-2022-03-09-13-38-58-622.png!
Now, as soon as we enter something in a <script> tag, like this,
!image-2022-03-09-13-42-02-067.png!
it gives me a valid result, "no service was found", as the script tag was
handled by the XSS protection in the response headers.
But the issue lies here: when we add /services again in the URL after the script
tag, like this,
!image-2022-03-09-13-43-17-906.png!
in this case it should not show the WADL. It should give an error, because even
if we add /services at the last place in the URL it should not work.
In the web.xml file we are using the CXF servlet, which is mapped to /services:
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
We checked this in 3.5.1 and in 3.4.5; the problem occurs in both.
We saw there were some issues raised regarding this, but we haven't found a fix.
[https://github.com/advisories/GHSA-f93p-f762-vr53]
[https://cxf.apache.org/docs/servlet-transport.html]
was (Author: JIRAUSER286324):
Hi Colm,
We have a project, "SpatialServerManager", and in it we have services which
list all the WADLs we have exposed to users, like this.
!image-2022-03-09-13-38-58-622.png!
Now, as soon as we enter something in a <script> tag, like this,
!image-2022-03-09-13-42-02-067.png!
it gives me a valid result, "no service was found", as the script tag was
handled by the XSS protection in the response headers.
But the issue lies here: when we add /services again in the URL after the script
tag, like this,
!image-2022-03-09-13-43-17-906.png!
in this case it should not show the WADL. It should give an error, because even
if we add /services at the last place in the URL it should not work.
In the web.xml file we are using the CXF servlet, which is mapped to /services:
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
We checked this in 3.5.1 and in 3.4.5; the problem occurs in both.
We saw there were some issues raised regarding this, but we haven't found a fix.
[https://github.com/advisories/GHSA-f93p-f762-vr53]
[https://cxf.apache.org/docs/servlet-transport.html]
> CXF /services page causing vulnerable to a reflected Cross-Site Scripting
> (XSS) attack in latest and Older CXF version
> ----------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-8672
> URL: https://issues.apache.org/jira/browse/CXF-8672
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.4.5, 3.5.1
> Environment: Java -11
> Windows
> Reporter: chandra
> Priority: Blocker
> Attachments: beans.xml, web.xml
>
>
> We're creating a JAX-WS endpoint based on our implementation class. We have
> attached our web.xml file and our beans.xml file, where we are exposing our
> services param.
> We found out that while listing our services endpoint using the CXF servlet we
> are facing security issues.
> Actually we have a URL:
> URL http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2
> and the XSS vulnerability is working fine in this. It is giving an error when
> we add a <script> tag in the URL which contains the domain name or cookie, and
> it should work in this way.
> But as soon as we enter "/services" at the last place in the URL (see below)
> URL http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2/services
> it will list the WADL services which are exposed. In this case it should throw
> an error. "/services" is handled by the CXF servlet in web.xml. We looked into
> the CXF sites and found that it is a known bug in the CXF library which was not
> fixed in the latest CXF version either, e.g. 3.5.1.
> This URL is OK - http://localhost:8080/app/services -> gives wadl
> This URL is OK - http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2
> -> gives error as "No services found", handling the <script> tag as XSS
> protection.
> But this URL is not OK and it should be fixed by the CXF library -
> http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2/services
> -> gives wadl
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
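As an added example (not CXF's own code and not the reporter's), a small Python script that reproduces the check described in the comment above. It applies the /services/* servlet mapping from the quoted web.xml the way a Servlet container would, showing that the probe URL and the probe URL with /services appended are both routed to CXFServlet and differ only in path info, and it triages a response for the two things a reviewer of a reflected-XSS report wants to know: whether the probe string comes back unescaped, and whether the body looks like the WADL listing rather than an error. The context path /app, the function names, the "wadl" body heuristic and the sample responses are assumptions; the samples are constructed to exercise the functions and are not captured CXF output.

```python
"""Reproduction checks for the /services/* path-handling report in CXF-8672.

Added example, not CXF code and not the reporter's code. Assumes context path
/app (the report also shows /SpatialServerManager) and the servlet mapping
/services/* quoted from the reporter's web.xml.
"""
import urllib.error
import urllib.request
from urllib.parse import unquote, urlsplit

CONTEXT_PATH = "/app"            # assumption: the reporter's context path
SERVLET_PATTERN = "/services/*"  # from the web.xml quoted in the comment
PAYLOAD = '"><script>alert(document.domain)</script>sz2q2'  # reporter's probe string


def split_servlet_path(url, context_path=CONTEXT_PATH, pattern=SERVLET_PATTERN):
    """Mimic how a Servlet container applies a /prefix/* path mapping.

    Returns (servlet_path, path_info) when the request would reach CXFServlet,
    or None when the mapping does not match. path_info is None for a request
    to exactly /app/services, as the Servlet spec defines it.
    """
    path = unquote(urlsplit(url).path)
    if not path.startswith(context_path + "/"):
        return None
    rest = path[len(context_path):]
    prefix = pattern[:-2]  # "/services/*" -> "/services"
    if rest == prefix or rest.startswith(prefix + "/"):
        return prefix, rest[len(prefix):] or None
    return None


def reflected_unescaped(payload, body):
    """True only when the probe string appears in the body byte-for-byte.

    An HTML-escaped copy (&lt;script&gt; ...) is not a reflection in the XSS
    sense, so it does not count.
    """
    return payload in body


def triage(url, status, headers, body):
    """Summarise one response the way a pentester would record it."""
    mapping = split_servlet_path(url)
    ctype = headers.get("Content-Type", "").lower()
    return {
        "reaches_cxf_servlet": mapping is not None,
        "path_info": mapping[1] if mapping else None,
        "status": status,
        "html_response": "text/html" in ctype,
        "payload_reflected_raw": reflected_unescaped(PAYLOAD, body),
        # heuristic (assumption): the listing page mentions WADL, the error page does not
        "looks_like_listing": "wadl" in body.lower(),
    }


def probe(url, timeout=5):
    """Fetch a live URL and triage it (network; the offline checks below do not use it)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cxf-8672-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return triage(url, resp.status, dict(resp.headers.items()), body)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return triage(url, err.code, dict(err.headers.items()), body)


# Constructed sample responses for the three URLs in the report (not real CXF output).
BASE = "http://localhost:8080/app/services"
PROBE_URL = BASE + "/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2"
PROBE_URL_WITH_SUFFIX = PROBE_URL + "/services"

LISTING = "<html><body>Available services (see the wadl for each)</body></html>"
ERROR = "<html><body>No service was found.</body></html>"
SAMPLES = {
    BASE: (200, {"Content-Type": "text/html"}, LISTING),
    PROBE_URL: (404, {"Content-Type": "text/html"}, ERROR),
    PROBE_URL_WITH_SUFFIX: (200, {"Content-Type": "text/html"}, LISTING),
}


def triage_samples():
    """Run triage over the constructed samples; returns {url: summary}."""
    return {url: triage(url, *resp) for url, resp in SAMPLES.items()}


if __name__ == "__main__":
    for url, summary in triage_samples().items():
        print(url)
        for key, value in summary.items():
            print(f"  {key}: {value!r}")
```

To check a real deployment, call probe() on the three URLs and compare the summaries: with the suffix appended, path_info still begins with the probe string, so if looks_like_listing is True there while the unsuffixed probe returns an error, you have reproduced the behaviour the reporter describes; payload_reflected_raw tells you whether the page also reflects the probe unescaped, which is the condition an actual reflected XSS needs.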