[
https://issues.apache.org/jira/browse/JSPWIKI-67?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12554292
]
cristian borlovan commented on JSPWIKI-67:
------------------------------------------
test
On 11/28/07 1:39 PM, "Cristian Borlovan (JIRA)" <[EMAIL PROTECTED]> wrote:
> Ounce Labs Security Finding: Input Validation - Reflected XSS editors
> ----------------------------------------------------------------------
>
> Key: JSPWIKI-67
> URL: https://issues.apache.org/jira/browse/JSPWIKI-67
> Project: JSPWiki
> Issue Type: Bug
> Components: Default template
> Affects Versions: 2.4.104
> Reporter: Cristian Borlovan
> Assignee: Dirk Frederickx
> Priority: Critical
> Fix For: 2.6.0
>
> Attachments: report.pdf
>
>
> Description: The editor related functionality contains a variety of different
> reflected XSS attacks. Please see below for the specific XSS detected.
> 1. FCK.jsp - The "pageAsHtml" parameter is used without validation/output
> encoding. Also, note that this parameter is already embedded within existing
> <script></script> tags. An attacker would not need to inject these strings to
> successfully exploit this XSS.
> 2. WikiWizard.jsp/FCK.jsp - The "link" parameter is used directly without
> validation/output encoding. Note this parameter is set via the Edit.jsp and
> used throughout all Editors.
> * Attack URL:
> http://localhost:8080/JSPWiki/Comment.jsp?page=JOJO&link="><script>alert(document.cookie);</script>&preview=something
> 3. WikiWizard.jsp/plain.jsp - The "Accept-Language:" header is used directly
> without validation/output encoding.
> * Attack HTTP Payload:
> GET http://localhost:8080/JSPWiki/Edit.jsp?page=FOO&editor=WikiWizard&user=foo HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: "><script>alert(document.cookie);</script>
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Cookie: JSPWikiAssertedName=127.0.0.1; JSPWikiSearchBox=favorites;
> JSESSIONID=44B8881F5C94CE828FDDF9F4B139FA24
> If-Modified-Since: Thu, 01 Nov 2007 19:47:12 GMT
> 4. WikiWizard.jsp/plain.jsp - Also note there is potential for the
> "attString" to contain malicious payload here since it is not output encoded.
> However, the likelihood is reduced as it appears that the attachment process
> will validate the filename attributes at some level. However, it is
> recommended that it be output encoded here as well to further decrease the
> XSS potentials.
> 5. The editor drop down list is constructed without validation and outputs
> whatever value the user injects.
> * Attack URL:
> http://localhost:8080/JSPWiki/Edit.jsp?page=FOO&editor=<script>alert(document.cookie);</script>
> Recommendation: Output Encode the value rendered to the user. Use the
> "TextUtil.replaceEntities()" method. In cases where the data is already
> rendered within existing script tags, consider very strong input validation
> and even removing this exclusion within existing script tags.
> Related Code Locations:
> 1 findings:
> Name: com.ecyrd.jspwiki.tags.EditorTag.doEndTag():int
> Type: Vulnerability.CrossSiteScripting
> Severity: High
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\EditorTag.java
> Line / Col: 66 / 0
> Context: this.pageContext . javax.servlet.jsp.PageContext.getOut() .
> javax.servlet.jsp.JspWriter.println ( new java.lang.StringBuilder .
> java.lang.StringBuilder.append("Unable to find editor '") .
> java.lang.StringBuilder.append(editorPath) .
> java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString() )
> -----------------------------------
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
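The report above distinguishes three output contexts: an HTML attribute (the "link" parameter), HTML text (the editor drop-down and the Accept-Language header) and a string literal inside an existing <script> block (pageAsHtml), and recommends entity encoding via TextUtil.replaceEntities() for the first two while noting that the script case needs stronger handling. The following is an added example, not JSPWiki code and not Cristian Borlovan's: it models each context in Python, with the payloads from the report's attack URLs as constructed input. html_encode() is an assumed stand-in for TextUtil.replaceEntities(); js_string_encode(), the markup fragments and the function names are assumptions for illustration.

```python
"""Models the three XSS sinks described in JSPWIKI-67 and the encoder each
one needs. Added example; the markup and names are assumptions, not the
project's own templates."""
import re

# Constructed attack inputs, taken from the report's attack URLs.
ATTR_PAYLOAD = '"><script>alert(document.cookie);</script>'   # "link" parameter
TEXT_PAYLOAD = '<script>alert(document.cookie);</script>'     # "editor" parameter
JS_PAYLOAD = '"; alert(document.cookie); //'                  # pageAsHtml inside <script>
CLOSE_TAG_PAYLOAD = '</script><script>alert(document.cookie)</script>'


def html_encode(s: str) -> str:
    """Entity-encode the characters that matter in HTML text and in
    double-quoted attributes. Assumed model of TextUtil.replaceEntities()."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def js_string_encode(s: str) -> str:
    """Escape a value for a double-quoted JavaScript string literal that sits
    inside an HTML <script> block. Everything except ASCII letters, digits and
    space becomes \\xHH or \\uHHHH, so neither the closing quote nor the text
    '</script>' can survive. Assumption: this is the right fix for pageAsHtml."""
    out = []
    for ch in s:
        if (ch.isascii() and ch.isalnum()) or ch == " ":
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


# Attribute context (item 2 in the report): vulnerable vs. fixed.
def render_link_vulnerable(link: str) -> str:
    return '<input type="hidden" name="link" value="%s" />' % link


def render_link_fixed(link: str) -> str:
    return '<input type="hidden" name="link" value="%s" />' % html_encode(link)


# HTML text context (items 3 and 5): vulnerable vs. fixed.
def render_editor_option_vulnerable(editor: str) -> str:
    return '<option value="%s">%s</option>' % (editor, editor)


def render_editor_option_fixed(editor: str) -> str:
    enc = html_encode(editor)
    return '<option value="%s">%s</option>' % (enc, enc)


# Script context (item 1): vulnerable, entity-only, and JS-escaped.
def render_page_as_html_vulnerable(value: str) -> str:
    return '<script>var pageAsHtml = "%s";</script>' % value


def render_page_as_html_entity_only(value: str) -> str:
    # Browsers do not decode entities inside <script>, so this blocks the
    # breakout but hands JavaScript the literal text '&quot;' etc.: wrong encoder.
    return '<script>var pageAsHtml = "%s";</script>' % html_encode(value)


def render_page_as_html_fixed(value: str) -> str:
    return '<script>var pageAsHtml = "%s";</script>' % js_string_encode(value)


def injects_tag(rendered: str, expected_script_tags: int = 0) -> bool:
    """True if the rendered fragment carries more <script tags than the
    template itself emits, i.e. attacker markup survived into the page."""
    return rendered.lower().count("<script") > expected_script_tags


def script_literal_intact(rendered: str) -> bool:
    """True if the <script> block still holds exactly one well-formed string
    literal that runs up to the closing tag: no quote breakout, no early close."""
    m = re.fullmatch(r'<script>var pageAsHtml = "((?:[^"\\]|\\.)*)";</script>', rendered)
    return m is not None and not injects_tag(rendered, expected_script_tags=1)


if __name__ == "__main__":
    for name, vuln, fixed, payload in [
        ("link attribute", render_link_vulnerable, render_link_fixed, ATTR_PAYLOAD),
        ("editor option", render_editor_option_vulnerable, render_editor_option_fixed, TEXT_PAYLOAD),
    ]:
        print("%s: vulnerable injects tag=%s, fixed injects tag=%s" % (
            name, injects_tag(vuln(payload)), injects_tag(fixed(payload))))
    for payload in (JS_PAYLOAD, CLOSE_TAG_PAYLOAD):
        print("pageAsHtml: vulnerable intact=%s, fixed intact=%s" % (
            script_literal_intact(render_page_as_html_vulnerable(payload)),
            script_literal_intact(render_page_as_html_fixed(payload))))
```

The two checks separate the two failure modes the report describes: injects_tag() catches the attribute and text sinks, where the attacker must supply the <script> tag, while script_literal_intact() catches the pageAsHtml sink, where a bare quote or a stray </script> is enough. render_page_as_html_entity_only() passes the second check but corrupts the value, which is why the report treats the script context as a case for a different encoder or for strict input validation rather than for replaceEntities() alone.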