Hi René,

> On 03.12.2014 at 16:39, René Bock <[email protected]> wrote:
> 
> Hi,
> 
> During a penetration test of his WebObjects servlet installation, one of our 
> customers found a potential XSS issue:
> 
> Deployment environment: tomcat application server + apache mod-proxy
> 
> Consider the following request:
> 
>       http://custormer.serv.er/ServletContainerName/WebObjects/AppName.woa/wa/default   (1)
> 
> If a malicious client changes "AppName" to something else, the following 
> request
> 
>       http://custormer.serv.er/ServletContainerName/WebObjects/SomethingElse.woa/wa/default   (2)
> 
> generates a similar response to request (1), except that in all WebObjects 
> URLs "AppName" is replaced by "SomethingElse".
> 
> 
> 
> Now, if you are a bit more malicious, you would replace AppName by
> 
>       
> x%22%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%28%27Cross-Site%20Scripting%27%29%22%3E
> 
> 
> et voilà, a wonderful alert panel appears (at least in Firefox).
> 
> 
> To fix this issue, I checked that the application name provided in the 
> request URI matches the real application name:
> 
> Application.java:
> 
>       @Override
>       public WOResponse dispatchRequest(WORequest aRequest) {
> 
>               String uri = aRequest.uri();
>               String expectedApplicationPartInUri = applicationBaseURL()+"/"+name()+((nameSuffix()!=null)?nameSuffix():"")+".woa";
> 
>               if(uri == null || !uri.contains(expectedApplicationPartInUri)) {
>                       log.error("failed to dispatch request: uri ["+uri+"] does not match application name ["+expectedApplicationPartInUri+"]");
>                       WOResponse r404 = new WOResponse();
>                       r404.setStatus(404);
>                       r404.setContent("The requested resource was not found on this server.");
>                       return r404;

You could write the previous 4 lines as:

return new ERXResponse("The requested resource was not found on this server.", ERXHttpStatusCodes.NOT_FOUND);

>               }
> 
>               return super.dispatchRequest(aRequest);
>       }
> 
> 
> Are there any suggestions to improve the code above?  Shouldn't we fix this 
> issue in core (aka erextensions)?

Adding that to ERXExtensions would not do any harm, though I probably would 
cache the expectedApplicationPartInUri to not recalculate its value for every 
request. If that logic is only needed for servlet deployment you should 
probably place your improvement into ERXServletApplication which you should use 
as parent class for your Application class.

jw


> 
> 
> Regards,
> 
>       René
> 
> 
> 
> P.S.: for the requests above, only a classical deployment (apache + 
> mod_webobjects) would have said:
> 
>       The requested application was not found on this server.
> 
> 
> 
> 
> 
> --
> salient doremus
> 
> salient GmbH
> Kontorhaus -  Lindleystraße 12
> 60314 Frankfurt Main
> 
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list      ([email protected])
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/webobjects-dev/jw%40oyosys.com
> 
> This email sent to [email protected]

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
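As an added example (not code from either post in this thread), the check René describes together with jw's caching suggestion, isolated from WebObjects so it compiles on its own: the values Application would take from applicationBaseURL(), name() and nameSuffix() are passed in as plain strings, and the assumption is that WORequest.uri() returns either the request path or the absolute URL in the forms quoted in the thread. It differs from the post's contains() check by comparing the path segment directly after the base URL exactly, and runs the three request URIs from the thread through the check.

```java
import java.net.URI;

// Added example: the application-name check from the thread, isolated from
// WebObjects so it compiles stand-alone. Assumption: WORequest.uri() hands us
// either the request path or the absolute URL, as in the URIs quoted above.
public final class AppNameCheck {

    private final String baseURL;         // what applicationBaseURL() would return, e.g. "/ServletContainerName/WebObjects"
    private final String expectedSegment; // "<name><suffix>.woa", computed once per application (jw's caching point)

    public AppNameCheck(String applicationBaseURL, String name, String nameSuffix) {
        this.baseURL = applicationBaseURL;
        this.expectedSegment = name + (nameSuffix != null ? nameSuffix : "") + ".woa";
    }

    /**
     * True only when the path segment directly after the base URL equals the
     * expected "<name>.woa". Comparing that one segment is stricter than the
     * post's uri.contains(...): the name must sit in the position WebObjects
     * echoes back into generated URLs.
     */
    public boolean isValidApplicationUri(String uri) {
        if (uri == null) {
            return false;
        }
        String path;
        try {
            path = URI.create(uri).getRawPath(); // raw: percent-escapes stay as the client sent them
        } catch (IllegalArgumentException e) {
            return false;                        // not even a syntactically valid URI
        }
        if (path == null || !path.startsWith(baseURL + "/")) {
            return false;
        }
        String rest = path.substring(baseURL.length() + 1);
        int slash = rest.indexOf('/');
        String segment = slash < 0 ? rest : rest.substring(0, slash);
        return segment.equals(expectedSegment);
    }

    /** Mirrors dispatchRequest(): 404 for a mismatched name, otherwise the request proceeds (200 here). */
    public int statusFor(String uri) {
        return isValidApplicationUri(uri) ? 200 : 404;
    }

    public static void main(String[] args) {
        AppNameCheck check = new AppNameCheck("/ServletContainerName/WebObjects", "AppName", null);

        String base = "http://custormer.serv.er/ServletContainerName/WebObjects/";
        String[] requests = {
            // request (1) from the thread: the real application name
            base + "AppName.woa/wa/default",
            // request (2): an arbitrary other name
            base + "SomethingElse.woa/wa/default",
            // the percent-encoded markup from the thread in place of the application name
            base + "x%22%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%28%27Cross-Site%20Scripting%27%29%22%3E.woa/wa/default",
            // path-only form, as a servlet container may present it
            "/ServletContainerName/WebObjects/AppName.woa/wa/default",
        };
        for (String r : requests) {
            System.out.println(check.statusFor(r) + "  " + r);
        }
    }
}
```

The constructor computes expectedSegment once, which is the caching jw asks for; in a real Application subclass the same value would be built once in the constructor or lazily on first use rather than on every dispatchRequest() call. Working on getRawPath() rather than the decoded path keeps the comparison on exactly the bytes the client sent, so an encoded name never compares equal to the real one.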
