[ 
https://issues.apache.org/jira/browse/JSPWIKI-70?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Holeczek closed JSPWIKI-70.
-----------------------------------


> Ounce Labs Security Finding: Input Validation - Unchecked Redirect Leads To 
> Phishing Attach Servlet
> ---------------------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-70
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-70
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: 
> The attachment servlet uses a "nextpage" parameter to determine where the 
> user is redirected to after the attachment process completes.  This nextpage 
> parameter is not validated to ensure that the user is not redirected outside 
> the context of the application.  If an attacker can trick a victim into 
> interacting with and posting his malicious "nextpage" parameter, the victim 
> will be redirected to the attacker-controlled site, leading to potential 
> phishing attacks.  The victim would see that the original request goes to the 
> appropriate JSPWiki location (http://localhost:8080/JSPWiki/attach) and not 
> realize he was maliciously redirected.
> Exploit HTTP POST: 
> 1. Note the "nextpage" value contains a value outside the web context of this 
> application and could be that of a malicious location.
> POST http://localhost:8080/JSPWiki/attach HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) 
> Gecko/20071008 Firefox/2.0.0.8
> Accept: 
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://localhost:8080/JSPWiki/Upload.jsp?page=Main
> Cookie: JSPWikiAssertedName=127.0.0.1; 
> JSESSIONID=285A5DB7AAE9476B56A653FDCB77C9B7
> Content-Type: multipart/form-data; 
> boundary=---------------------------2132026317541759772579111
> Content-Length: 813
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="page"
> Main
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="content"; filename="test3"
> Content-Type: application/octet-stream
> test
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="upload"
> Upload
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="action"
> upload
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="changenote"
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="nextpage"
> http://www.ouncelabs.com
> -----------------------------2132026317541759772579111--
> Recommendation: 
> Validate that the "nextpage" value is that of an acceptable location.  For 
> example, maybe it should be confined to the host running the JSPWiki site, or 
> even compared to that of a list of valid redirection/host locations.
> Related Code Locations: 
> 4 findings:
>   Name:           
> com.ecyrd.jspwiki.attachment.AttachmentServlet.doPost(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\attachment\AttachmentServlet.java
>   Line / Col:     414 / 0
>   Context:        res . javax.servlet.http.HttpServletResponse.sendRedirect ( 
> nextPage )
>     -----------------------------------
>   Name:           
> com.ecyrd.jspwiki.attachment.AttachmentServlet.upload(javax.servlet.http.HttpServletRequest):java.lang.String
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\attachment\AttachmentServlet.java
>   Line / Col:     493 / 0
>   Context:        req . javax.servlet.ServletRequest.getContentType ()
>     -----------------------------------
>   Name:           
> com.ecyrd.jspwiki.attachment.AttachmentServlet.doGet(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\attachment\AttachmentServlet.java
>   Line / Col:     299 / 0
>   Context:        res . javax.servlet.http.HttpServletResponse.sendRedirect ( 
> nextPage )
>     -----------------------------------
>   Name:           
> com.ecyrd.jspwiki.attachment.AttachmentServlet.doPost(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\attachment\AttachmentServlet.java
>   Line / Col:     422 / 0
>   Context:        res . javax.servlet.http.HttpServletResponse.sendRedirect ( 
> e . com.ecyrd.jspwiki.filters.RedirectException.getRedirect() )
>     -----------------------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
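
One way to apply the recommendation quoted above before calling `sendRedirect(nextPage)`, as an added example that is not part of the original report and is not JSPWiki's own fix. The class `NextPageValidator`, the method `safeNextPage`, the allowed-host set and the fallback URL are hypothetical names chosen for illustration; the sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added illustration: class, method and parameter names are hypothetical, not JSPWiki code.
public class NextPageValidator {
    /** Returns nextPage if it targets an allowed host (or no host) and its
     *  normalized path lies under contextPath; otherwise returns fallback. */
    static String safeNextPage(String nextPage, String contextPath,
                               Set<String> allowedHosts, String fallback) {
        if (nextPage == null || nextPage.isEmpty()) return fallback;
        // Reject control characters (CR/LF included) and backslashes,
        // which some browsers treat like '/'.
        for (char c : nextPage.toCharArray()) {
            if (c < 0x20 || c == 0x7f || c == '\\') return fallback;
        }
        URI uri;
        try {
            uri = new URI(nextPage).normalize();   // collapses "/./" and "/../"
        } catch (URISyntaxException e) {
            return fallback;
        }
        String scheme = uri.getScheme();
        if (scheme != null) {
            // Absolute URL: only http(s) to an explicitly allowed host.
            String host = uri.getHost();
            if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return fallback;
            if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) return fallback;
        } else if (uri.getRawAuthority() != null) {
            return fallback;   // scheme-relative "//host/path" leaves the site
        }
        String path = uri.getRawPath();
        if (path == null) return fallback;   // opaque URIs have no path
        if (!path.equals(contextPath) && !path.startsWith(contextPath + "/")) return fallback;
        return uri.toString();
    }

    public static void main(String[] args) {
        Set<String> hosts = Set.of("localhost");
        String ctx = "/JSPWiki", home = "/JSPWiki/Upload.jsp?page=Main";
        String[] samples = {   // constructed inputs; only the first two are accepted
            "/JSPWiki/Upload.jsp?page=Main", "http://localhost:8080/JSPWiki/Upload.jsp?page=Main",
            "http://www.ouncelabs.com", "//www.ouncelabs.com/JSPWiki/",
            "/JSPWiki/../other/page", "/JSPWiki\\@www.ouncelabs.com"
        };
        for (String s : samples) System.out.println(s + " -> " + safeNextPage(s, ctx, hosts, home));
    }
}
```

The same check would apply at each `sendRedirect` call site listed in the findings, including the one fed by `RedirectException.getRedirect()`.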

        
