[jira] [Commented] (DELTASPIKE-1307) Deltaspike JSF: XSS WindowIdHtmlRenderer.java
[ https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16318153#comment-16318153 ]

Markus 'md' Drenger commented on DELTASPIKE-1307:
-------------------------------------------------

also thx to Alexander Druffel who discovered it. I built the PoC and reported it. And, as Gerhard pointed out, exploitation depends on additional js-scripts, e.g. short variables or functions.

> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> ---------------------------------------------
>
> Key: DELTASPIKE-1307
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module
> Affects Versions: 1.8.0
> Environment: any
> Reporter: Markus 'md' Drenger
> Assignee: Mark Struberg
> Priority: Blocker
> Labels: security
> Fix For: 1.8.1
>
>
> 10 chars ought to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (DELTASPIKE-1307) Deltaspike JSF: XSS WindowIdHtmlRenderer.java
[ https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16307209#comment-16307209 ]

Gerhard Petracek commented on DELTASPIKE-1307:
----------------------------------------------

@md: fyi: if you think 10 chars are enough (to do more than useless calls), you can change the max-length via JsfBaseConfig.ScopeCustomization.WindowRestriction.ID_MAX_LENGTH (since the beginning...). The default value is 10 because in the discussion back then it was accepted as secure enough (in case you don't ship harmful scripts in your own app); however, it's great to have the addition from Mark!

> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> ---------------------------------------------
>
> Key: DELTASPIKE-1307
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module
> Affects Versions: 1.8.0
> Environment: any
> Reporter: md
> Assignee: Mark Struberg
> Priority: Blocker
> Labels: security
> Fix For: 1.8.1
>
>
> 10 chars ought to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'
[jira] [Commented] (DELTASPIKE-1307) Deltaspike JSF: XSS WindowIdHtmlRenderer.java
[ https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16306701#comment-16306701 ]

ASF subversion and git services commented on DELTASPIKE-1307:
-------------------------------------------------------------

Commit d95abe8c01d256da2ce0a5a88f4593138156a4e5 in deltaspike's branch refs/heads/master from [~struberg]
[ https://git-wip-us.apache.org/repos/asf?p=deltaspike.git;h=d95abe8 ]

DELTASPIKE-1307 improve sanitise windowId

Also guard against html injection

> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> ---------------------------------------------
>
> Key: DELTASPIKE-1307
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module
> Affects Versions: 1.8.0
> Environment: any
> Reporter: md
> Assignee: Mark Struberg
> Priority: Blocker
> Labels: security
>
>
> 10 chars ought to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'
[jira] [Commented] (DELTASPIKE-1307) Deltaspike JSF: XSS WindowIdHtmlRenderer.java
[ https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16299906#comment-16299906 ]

ASF subversion and git services commented on DELTASPIKE-1307:
-------------------------------------------------------------

Commit 72e607f3be66c30c72b32c24b44e9deaa8e54608 in deltaspike's branch refs/heads/master from [~struberg]
[ https://git-wip-us.apache.org/repos/asf?p=deltaspike.git;h=72e607f ]

DELTASPIKE-1307 sanitise windowId against JavaScript injection

> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> ---------------------------------------------
>
> Key: DELTASPIKE-1307
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module
> Affects Versions: 1.8.0
> Environment: any
> Reporter: md
> Assignee: Mark Struberg
> Priority: Blocker
> Labels: security
>
>
> 10 chars ought to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'
[jira] [Commented] (DELTASPIKE-1307) Deltaspike JSF: XSS WindowIdHtmlRenderer.java
[ https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16299078#comment-16299078 ]

ASF subversion and git services commented on DELTASPIKE-1307:
-------------------------------------------------------------

Commit 4e2502358526b944fc5514c206d306e97ff271bb in deltaspike's branch refs/heads/master from [~struberg]
[ https://git-wip-us.apache.org/repos/asf?p=deltaspike.git;h=4e25023 ]

DELTASPIKE-1307 escape windowId

txs to md for the catch!

> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> ---------------------------------------------
>
> Key: DELTASPIKE-1307
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module
> Affects Versions: 1.8.0
> Environment: any
> Reporter: md
> Assignee: Mark Struberg
> Priority: Blocker
> Labels: security
>
>
> 10 chars ought to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'
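The three fix commits in this thread describe layered defences for the window id: escaping it, sanitising it against JavaScript injection, and guarding against HTML injection, on top of the configurable maximum length (default 10) that Gerhard mentions. The following Java class is an added illustration of those layers and is not DeltaSpike's own code: the class name, method names and the hidden-field markup it renders are assumptions, the allow-list and escape table are a generic choice rather than the project's, and the PoC value from the issue appears only as a constructed input that the validator must reject.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical window-id validation and escaping (not DeltaSpike code).
 * Layer 1 rejects anything outside a strict allow-list and length limit;
 * layer 2 escapes whatever is rendered so a value that slips past
 * validation still cannot break out of an HTML attribute.
 */
public final class WindowIdSanitizer {

    /** Default maximum id length, matching the default discussed in the thread. */
    public static final int DEFAULT_ID_MAX_LENGTH = 10;

    /** Characters that can never open a tag, close an attribute or end a JS string. */
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]+$");

    private final int maxLength;

    public WindowIdSanitizer(int maxLength) {
        if (maxLength <= 0) {
            throw new IllegalArgumentException("maxLength must be positive");
        }
        this.maxLength = maxLength;
    }

    /**
     * Layer 1: validate. Returns the id unchanged when it is non-empty, within
     * the length limit and matches the allow-list; otherwise returns null so the
     * caller generates a fresh id instead of rendering client-supplied input.
     */
    public String sanitize(String windowId) {
        if (windowId == null || windowId.isEmpty() || windowId.length() > maxLength) {
            return null;
        }
        return SAFE_ID.matcher(windowId).matches() ? windowId : null;
    }

    /**
     * Layer 2: escape for an HTML attribute value. Defence in depth for the
     * case where a value reaches the renderer without going through sanitize().
     */
    public static String escapeHtmlAttribute(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Renders a hidden field carrying the window id, applying both layers.
     * The markup is illustrative; a real renderer would write to its response.
     */
    public String renderHiddenField(String windowId) {
        String safe = sanitize(windowId);
        if (safe == null) {
            throw new IllegalArgumentException(
                "rejected window id: " + escapeHtmlAttribute(String.valueOf(windowId)));
        }
        return "<input type=\"hidden\" name=\"dswid\" value=\""
            + escapeHtmlAttribute(safe) + "\"/>";
    }

    public static void main(String[] args) {
        WindowIdSanitizer s = new WindowIdSanitizer(DEFAULT_ID_MAX_LENGTH);

        // Constructed inputs: a legitimate id and the PoC value quoted in the issue.
        System.out.println(s.renderHiddenField("a1b2c3"));
        System.out.println(s.sanitize("'-open()-'") == null ? "PoC rejected" : "PoC accepted");

        // What layer 2 alone would do to the same value: quotes become entities,
        // so even an unvalidated id cannot terminate the attribute.
        System.out.println(escapeHtmlAttribute("'-open()-'"));
    }
}
```

The length limit on its own is not a security boundary, as the PoC in the issue shows: ten characters fit a quote, a call and another quote. Validation against an allow-list removes the quote characters entirely, and escaping at the render site catches any code path that bypasses validation, which is the combination the fix commits describe.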