[ https://issues.apache.org/jira/browse/CXF-8672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17504029#comment-17504029 ]

chandra commented on CXF-8672:
------------------------------

Response:- 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
    <HEAD>
        <LINK type="text/css" rel="stylesheet" href="/app/services/">
        <script>
            alert(document.domain)
        </script>
        sz2q2/services/?stylesheet=1"><meta http-equiv="content-type" content="text/html; charset=UTF-8">
        <title>CXF - Service list</title>
    </head>
    <body>
        <span class="heading">Available RESTful services:</span>
        <br/>
        <table cellpadding="1" cellspacing="1" border="1" width="100%">
            <tr>
                <td>
                    <span class="field">Endpoint address:</span>
                    <span class="value">http://localhost:8080/app/services/rest</span>
                    <br/>
                    <span class="field">WADL :</span>
                    <a href="http://localhost:8080/app/services/rest?_wadl">http://localhost:8080/app/services/rest?_wadl</a>
                </td>
            </tr>
        </table>
    </body>
</html>

> CXF /services page vulnerable to a reflected Cross-Site Scripting 
> (XSS) attack in latest and older CXF versions
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8672
>                 URL: https://issues.apache.org/jira/browse/CXF-8672
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.5, 3.5.1
>         Environment: Java -11
> Windows
>            Reporter: chandra
>            Priority: Blocker
>         Attachments: Screenshot 2022-03-09 at 12.49.05.png, 
> image-2022-03-09-17-56-45-811.png, web.xml
>
>
> we're creating a JAX-WS endpoint based on our implementation 
> class. We have attached our web.xml file and our beans.xml file where we are 
> exposing our services param.
> we found out that while listing our services endpoint using the 
> CXF servlet we are facing security issues.
> Actually we have a URL:-
> URL http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2
> and the XSS vulnerability is working fine in this. It gives an error when 
> we add a <script> tag in the URL which contains the domain name or cookie, and it 
> should work in this way.
> But as soon as we enter "/services" at the last place in the URL (see 
> below)
> URL http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2/services
> it will list the WADL services which are exposed. In this 
> case it should throw an error. "/services" is handled by the CXF servlet in web.xml. 
> We looked into CXF sites and found that it is a known bug in the CXF library which 
> was not fixed in the latest CXF version too, e.g. 3.5.1.
> This URL is OK - http://localhost:8080/app/services -> 
> gives wadl
> This URL is OK - http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2
> -> gives error as "No services found", handling the <script> tag as XSS 
> protection.
> But this URL is not OK and it should be fixed by the CXF library - 
> http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2/services
> -> gives wadl



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
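Added example (not from the report and not CXF's own code) modelling the reflected-attribute pattern visible in the response above: the request's base path is written into the stylesheet `href` unescaped, so a `">` in the path closes the attribute and the tag and the remainder is parsed as markup. The `render_stylesheet_link` model, the constructed path and the parser-based check are illustrative assumptions; the hardened variant attribute-encodes the value with `html.escape` before insertion.

```python
import html
from html.parser import HTMLParser

# Constructed input modelled on the report: the path suffix that the
# service-list page reflects into its stylesheet link.
CONSTRUCTED_PATH = '/app/services/"><script>alert(document.domain)</script>sz2q2/services/'


def render_stylesheet_link(base_path: str, escape_output: bool) -> str:
    """Model (assumed shape, not CXF's code) of the service-list <LINK> line.

    The page inserts the request's base path into an attribute value. With
    escape_output=False this is the unescaped reflection from the report;
    with escape_output=True the value is HTML-attribute-encoded first.
    """
    value = html.escape(base_path, quote=True) if escape_output else base_path
    return f'<LINK type="text/css" rel="stylesheet" href="{value}?stylesheet=1">'


class TagCollector(HTMLParser):
    """Records start tags and href values, to show where injected text lands."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # HTMLParser reports tag names lower-cased
        for name, value in attrs:
            if name == "href":
                self.hrefs.append(value)  # attribute values are entity-decoded


def analyse(markup: str) -> dict:
    """Parse one rendered line and report which tags a browser would see."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return {"tags": parser.tags, "hrefs": parser.hrefs}


if __name__ == "__main__":
    for escape_output in (False, True):
        line = render_stylesheet_link(CONSTRUCTED_PATH, escape_output)
        print(line)
        print(analyse(line))
```

In the unescaped rendering the parser sees a second, `script`, element and the `href` is cut off at the injected quote; in the encoded rendering only the `link` element exists and the whole payload is inert text inside the `href` value.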
