Another issue our security review picked up was the default error page: 
org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage is vulnerable to XSS via 
org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel.

In the constructor of ExceptionStackTracePanel, it adds a Label with the 
exception message and calls setEscapeModelStrings(false).

This means that a URL can be constructed to reference an entity with 
JavaScript inserted where the OID should be, and an exception is thrown with the 
JavaScript code inserted into the message.

This is then written to the page un-escaped, to be executed in the user's session.

It is made worse by the bookmarkable feature (I think that's what does this), 
where an attacker can navigate to a crafted URL on a user's PC; if they don't 
close all of their browser windows before the session times out, when they log 
in they will be redirected to the crafted URL.
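The defect described in the message above is a Wicket component rendering an exception message with escaping switched off. The following is an added example, not code from the Apache Isis project or from the email's author: a hypothetical `ExceptionMessagePanel` that shows the unsafe pattern next to the hardened form, plus a WicketTester check that a constructed `<script>` payload in the message is rendered as entities. The class name, the wicket ids (`message`, `stackTrace`) and the companion markup file are assumptions.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.basic.MultiLineLabel;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.tester.WicketTester;

import java.io.PrintWriter;
import java.io.StringWriter;

// Hypothetical panel (not Apache Isis code) used to contrast the two patterns.
// Assumed markup ExceptionMessagePanel.html:
//   <wicket:panel>
//     <pre wicket:id="message"></pre>
//     <pre wicket:id="stackTrace"></pre>
//   </wicket:panel>
public class ExceptionMessagePanel extends Panel {

    private static final long serialVersionUID = 1L;

    public ExceptionMessagePanel(String id, Throwable ex) {
        super(id);
        String message = String.valueOf(ex.getMessage());

        // Hardened: Wicket escapes model strings by default, so '<', '>' and
        // '&' in an attacker-influenced message become entities, never markup.
        add(new Label("message", Model.of(message)));

        // MultiLineLabel escapes the text and only then turns newlines into
        // <br/>, so a stack trace keeps its line breaks without disabling
        // escaping (assumption: line breaks are the reason escaping was turned
        // off in the original; the email does not say).
        add(new MultiLineLabel("stackTrace", Model.of(stackTraceOf(ex))));
    }

    // The unsafe pattern the email describes, kept as a method for contrast
    // and never added to this panel: the raw message is written as markup.
    static Label unsafeLabel(String id, String message) {
        Label label = new Label(id, Model.of(message));
        label.setEscapeModelStrings(false); // <-- the defect
        return label;
    }

    static String stackTraceOf(Throwable ex) {
        StringWriter sw = new StringWriter();
        ex.printStackTrace(new PrintWriter(sw));
        return sw.toString();
    }

    // Regression check: render the panel with a constructed payload in the
    // exception message and verify it reaches the page as entities only.
    public static void main(String[] args) {
        String payload = "<script>alert(1)</script>"; // constructed test input
        WicketTester tester = new WicketTester();
        tester.startComponentInPage(
                new ExceptionMessagePanel("panel", new RuntimeException(payload)));
        String html = tester.getLastResponseAsString();
        if (html.contains(payload)) {
            throw new AssertionError("exception message rendered unescaped");
        }
        if (!html.contains("&lt;script&gt;alert(1)&lt;/script&gt;")) {
            throw new AssertionError("expected escaped message in response");
        }
        tester.destroy();
        System.out.println("ok: message rendered escaped");
    }
}
```

The check in `main` is the shape of test worth adding alongside any fix: feed a message that carries markup and assert on the rendered response, rather than on the component's configuration, so a later `setEscapeModelStrings(false)` anywhere in the rendering path is caught.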


-------------------------------
This email and any attachments may contain information that is confidential and 
subject to legal privilege. If you are not the intended recipient, any use, 
dissemination, distribution or duplication of this email and attachments is 
prohibited. If you have received this email in error please notify the author 
immediately and erase all copies of the email and attachments. The Ministry of 
Social Development accepts no responsibility for changes made to this message 
or attachments after transmission from the Ministry.