[
https://issues.apache.org/jira/browse/CXF-8672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17506053#comment-17506053
]
Colm O hEigeartaigh commented on CXF-8672:
------------------------------------------
[~Chandra.Jhala] I can't reproduce the problem. If you try these exact steps do
you reproduce it?
I downloaded CXF 3.4.6 and started "mvn -Pserver" in
apache-cxf-3.4.6/samples/jax_rs/description_swagger2. Then I went here:
[http://localhost:9000/app/services/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3Esz2q2/services/]
There is no alert though. Can you validate these steps?
> CXF /services page causing vulnerable to a reflected Cross-Site Scripting
> (XSS) attack in latest and Older CXF version
> ----------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-8672
> URL: https://issues.apache.org/jira/browse/CXF-8672
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.4.5, 3.5.1
> Environment: Java -11
> Windows
> Reporter: chandra
> Priority: Blocker
> Attachments: Screenshot 2022-03-09 at 12.49.05.png,
> image-2022-03-09-17-56-45-811.png, image-2022-03-10-12-13-36-176.png, web.xml
>
>
> {color:#172b4d}we're creating a JAX-WS endpoint based on our implementation
> class. We have attached our web.xml file and our beans.xml file where we are
> exposing our services param.{color}
> {color:#172b4d}we found out that while listing our services endpoint using
> CXF servlet we are facing security issues.{color}
> {color:#172b4d}Actually we have a URL:-{color}
> {color:#172b4d} URL
> [http://localhost:8080/app/services/{+}";><script>{+}alert(document.domain){+}</script>sz2q2{+}|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]
> and the XSS vulnerability is working fine in this. It is giving error when
> we add <script> tag in URL which contains domains name or cookie and it
> should be work in this way.{color}
> {color:#172b4d}But as soon as we enter "/services" at last place in URL(see
> below){color}
> {color:#172b4d}URL
> [http://|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]
>
> [localhost:8080/app|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]
>
> [/services/{+}"><script>{+}alert(document.domain){+}</script>sz2q2{+}/services|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]{color}
> {color:#172b4d} it will list down wadl services which are exposed. In this
> case it should throw error. "/services" is handled by CXF servlet in web.xml.
> We looked into CXF sites and found that it is known bug in CXF library which
> was not fixed in latest cxf version too e.g. 3.5.1.{color}
> {color:#172b4d}This URL is OK
> -[http://|http://tro-sps-qa17-ss:8080/SpatialServerManager/services]
> [localhost:8080/app|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]
> [/services|http://tro-sps-qa17-ss:8080/SpatialServerManager/services]- >
> giver wadl{color}
> {color:#172b4d}This URL is
> OK-{+}[http://|http://localhost:8080/SpatialServerManager/services/]
> [localhost:8080/app|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]
>
> [/services/|http://localhost:8080/SpatialServerManager/services/]";><script>alert(document.domain)</script>sz2q2{+}
> -> gives error as "No services found" handling <script> tag as XSS
> protection.{color}
> {color:#172b4d}But this URL is not OK and it should be fixed by CXF library -
> +[http://|http://localhost:8080/SpatialServerManager/services/]
> [localhost:8080/app|http://tro-sps-qa17-ss:8080/SpatialServerManager/services/%22%3e%3cscript%3ealert(document.domain)%3c/script%3esz2q2/services]
>
> [/services/|http://localhost:8080/SpatialServerManager/services/]";><script>alert(document.domain)</script>sz2q2/services+
> ->gives wadl{color}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
