ISIS-883 and ISIS-884 now fixed in 1.7.0-SNAPSHOT; please see comments for ISIS-883 [1] and commit message for ISIS-884 [2]
[1] https://issues.apache.org/jira/browse/ISIS-883?focusedCommentId=14131180&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14131180
[2] https://issues.apache.org/jira/browse/ISIS-884?focusedCommentId=14130042&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14130042

On 10 September 2014 15:46, Dan Haywood <[email protected]> wrote:
> OK, I've raised a ticket for this [1] (and one also for the other thread, [2])
>
> Dan
>
> [1] https://issues.apache.org/jira/browse/ISIS-884
> [2] https://issues.apache.org/jira/browse/ISIS-883
>
> On 9 September 2014 00:34, Christopher Fairhall <[email protected]> wrote:
>
>> Another issue our security review picked up was the default error page,
>> org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage, is vulnerable to XSS
>> via org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel.
>>
>> In the constructor of ExceptionStackTracePanel, it adds a Label with the
>> exception message and calls setEscapeModelStrings(false).
>>
>> This means that a URL can be constructed to reference an entity with
>> Javascript inserted where the OID should be, and an exception is thrown with
>> the Javascript code inserted into the message.
>>
>> This is then written to the page unescaped to be executed in the user's
>> session.
>>
>> It is made worse by the bookmarkable feature (I think that's what does
>> this), where an attacker can navigate to a crafted URL on a user's PC; if
>> they don't close all of their browser windows before the session times out,
>> when they log in they will be redirected to the crafted URL.
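The defect the thread describes, shown as an added illustration in plain Wicket (this is not Apache Isis code, and the class name and wicket:id values are assumptions): a Label whose model text comes from an exception message, once with escaping switched off and once with Wicket's default escaping left in place.

```java
// Added example, not Apache Isis code. Demonstrates why calling
// setEscapeModelStrings(false) on a Label fed by an exception message is an
// XSS sink, and what the safe form looks like. Class and id names are assumed.
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.string.Strings;

public class ExceptionMessagePanel extends Panel {

    // Vulnerable shape, as described in the thread: the exception message can
    // echo request input (e.g. the OID part of the URL), and with escaping
    // disabled any markup inside it is emitted verbatim into the page.
    public static Label unescapedMessage(String id, Throwable ex) {
        Label label = new Label(id, Model.of(String.valueOf(ex.getMessage())));
        label.setEscapeModelStrings(false); // <-- the defect
        return label;
    }

    // Hardened shape: leave the default (escapeModelStrings == true) so that
    // '<', '>', '&' and quotes in the message are rendered as text, not HTML.
    public static Label escapedMessage(String id, Throwable ex) {
        return new Label(id, Model.of(String.valueOf(ex.getMessage())));
    }

    // Same escaping Wicket applies for a Label with escaping enabled; useful
    // when an error message has to be placed in markup by hand.
    public static CharSequence escapeForMarkup(String raw) {
        return Strings.escapeMarkup(raw);
    }

    public ExceptionMessagePanel(String id, Throwable ex) {
        super(id);
        // The panel's HTML is assumed to contain <span wicket:id="message"/>.
        add(escapedMessage("message", ex));
    }

    // Constructed sample: a message carrying markup is neutralised by escaping.
    public static void main(String[] args) {
        Throwable sample = new IllegalArgumentException("bad oid: <b>x</b>");
        System.out.println(escapeForMarkup(sample.getMessage()));
        // prints: bad oid: &lt;b&gt;x&lt;/b&gt;
    }
}
```

A quick review check for the same class of bug is to grep a viewer's code for setEscapeModelStrings(false) and confirm that every such Label's model is built only from trusted, server-side text.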
