Hi Johann,

thanks for the ERXResponse hint.  

I'm not sure if the problem is restricted to servlet deployments.  At least, 
all deployments relying on direct connect are also affected.  Maybe 
deployments with apache/mod_proxy are safe, but I'm not aware of the state of the 
art in mod_proxy rewriting rules...

Unfortunately I can't subclass ERXServletApplication...



On 03.12.2014 at 19:39, Johann Werner <[email protected]> wrote:

> Hi René,
> 
>> On 03.12.2014 at 16:39, René Bock <[email protected]> wrote:
>> 
>> Hi,
>> 
>> during a penetration test of his WebObjects servlet installation, one of our 
>> customers found a potential XSS issue:
>> 
>> Deployment environment: tomcat application server + apache mod-proxy
>> 
>> Consider the following request:
>> 
>>      http://custormer.serv.er/ServletContainerName/WebObjects/AppName.woa/wa/default   (1)
>> 
>> If a malicious client changes "AppName" to something else, the following 
>> request
>> 
>>      http://custormer.serv.er/ServletContainerName/WebObjects/SomethingElse.woa/wa/default   (2)
>> 
>> generates a response similar to request (1), except that in all WebObjects 
>> URLs "AppName" is replaced by "SomethingElse"
>> 
>> 
>> 
>> Now, if you are a bit more malicious, you would replace AppName by
>> 
>>      x%22%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%28%27Cross-Site%20Scripting%27%29%22%3E
>> 
>> 
>> et voilà, a wonderful alert panel appears (at least in Firefox)
>> 
>> 
>> To fix this issue, I check that the application name provided in the 
>> request URI matches the real application name:
>> 
>> Application.java:
>> 
>>      @Override
>>      public WOResponse dispatchRequest(WORequest aRequest) {
>>              // Reject any request whose application name does not match this
>>              // application, so the name is never reflected into generated URLs
>>              String uri = aRequest.uri();
>>              String expectedApplicationPartInUri =
>>                      applicationBaseURL() + "/" + name() + ((nameSuffix() != null) ? nameSuffix() : "") + ".woa";
>> 
>>              if (uri == null || !uri.contains(expectedApplicationPartInUri)) {
>>                      log.error("failed to dispatch request: uri [" + uri + "] does not match application name [" + expectedApplicationPartInUri + "]");
>>                      WOResponse r404 = new WOResponse();
>>                      r404.setStatus(404);
>>                      r404.setContent("The requested resource was not found on this server.");
>>                      return r404;
> 
> You could write the previous 4 lines as:
> 
> return new ERXResponse("The requested resource was not found on this server.", ERXHttpStatusCodes.NOT_FOUND);
> 
>>              }
>> 
>>              return super.dispatchRequest(aRequest);
>>      }
>> 
>> 
>> Are there any suggestions to improve the code above?  Shouldn't we fix this 
>> issue in core (aka erextensions)?
> 
> Adding that to ERXExtensions would not do any harm, though I probably would 
> cache the expectedApplicationPartInUri to not recalculate its value for every 
> request. If that logic is only needed for servlet deployment you should 
> probably place your improvement into ERXServletApplication which you should 
> use as parent class for your Application class.
> 
> jw
> 
> 
>> 
>> 
>> Regards,
>> 
>>      René
>> 
>> 
>> 
>> P.S.: for the requests above, only a classical deployment (apache + 
>> mod_webobjects) would have said:
>> 
>>      The requested application was not found on this server.
>> 
>> 
>> 
>> 
>> 
>> --
>> salient doremus
>> 
>> salient GmbH
>> Kontorhaus -  Lindleystraße 12
>> 60314 Frankfurt Main
>> 
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list      ([email protected])
>> Help/Unsubscribe/Update your Subscription:
>> https://lists.apple.com/mailman/options/webobjects-dev/jw%40oyosys.com
>> 
>> This email sent to [email protected]


Kind regards,

René Bock
Software Engineering

--
salient doremus

salient GmbH
Kontorhaus -  Lindleystraße 12
60314 Frankfurt Main

Phone +49 (0)69 - 650096 -0, extension: - 18, Fax: -70

http://www.salient.de
http://www.doremus.com
http://www.openforms.de
http://www.mockabilly.com 

Managing directors: Peter Biler, Alexander Gerling, Lars Ohlerich
District Court Frankfurt Main, HRB 48693

// salient doremus wins the Red Dot Design Award 2013 with fsb.de

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      ([email protected])
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com

This email sent to [email protected]
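The class below is an added example, not code from this thread or from WebObjects/Wonder. It shows the check René describes done as an exact comparison of the path segment after the application base URL, with the expected value computed once at construction as Johann suggests, instead of a substring search over the whole URI. Everything in it is hypothetical: the class and method names, the sample URIs (modelled on the ones in the thread, hostname omitted), and the assumption that in a servlet deployment the URI handed to the check carries the servlet context path in front of the application base URL, which is why a plain prefix test would not work. The fourth sample URI additionally assumes that the checked string still contains its query string; under that assumption it shows why a `contains` test accepts a URI that a segment comparison rejects.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical guard (added example, not WebObjects/Wonder code): decides whether the
 * application name in a request URI is exactly this application's name, so that an
 * attacker-chosen name can never be reflected into the URLs of the generated page.
 */
public final class ApplicationNameGuard {

    private final String basePrefix;        // e.g. "/WebObjects/"
    private final String expectedSegment;   // e.g. "AppName.woa"

    /** Computed once at construction, as suggested on the list, not once per request. */
    public ApplicationNameGuard(String applicationBaseURL, String name, String nameSuffix) {
        this.basePrefix = applicationBaseURL + "/";
        this.expectedSegment = name + (nameSuffix != null ? nameSuffix : "") + ".woa";
    }

    /**
     * True only if the path segment directly after the application base URL equals
     * the expected "<name><suffix>.woa" segment. The query string is discarded first
     * so that a copy of the expected value in a parameter cannot satisfy the check.
     */
    public boolean uriMatchesApplication(String uri) {
        if (uri == null) {
            return false;
        }
        int q = uri.indexOf('?');
        String path = q >= 0 ? uri.substring(0, q) : uri;

        // Assumption: servlet deployments put the context path in front of the base
        // URL, so the base is searched for rather than required at the start.
        int baseIndex = path.indexOf(basePrefix);
        if (baseIndex < 0) {
            return false;
        }
        int start = baseIndex + basePrefix.length();
        int end = path.indexOf('/', start);
        String segment = end >= 0 ? path.substring(start, end) : path.substring(start);
        return expectedSegment.equals(segment);
    }

    /** The substring test from the thread, kept here only for comparison. */
    public boolean uriContainsApplication(String uri) {
        return uri != null && uri.contains(basePrefix + expectedSegment);
    }

    public static void main(String[] args) {
        ApplicationNameGuard guard = new ApplicationNameGuard("/WebObjects", "AppName", null);

        // Constructed sample URIs modelled on the thread; none were captured from a real system.
        List<String> samples = Arrays.asList(
            "/ServletContainerName/WebObjects/AppName.woa/wa/default",
            "/ServletContainerName/WebObjects/SomethingElse.woa/wa/default",
            "/ServletContainerName/WebObjects/x%22%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%28%27Cross-Site%20Scripting%27%29%22%3E.woa/wa/default",
            // Assumes the checked string still carries its query string: contains() is
            // satisfied by the copy of the expected value in the parameter, the segment check is not.
            "/ServletContainerName/WebObjects/SomethingElse.woa/wa/default?next=/WebObjects/AppName.woa",
            null
        );

        for (String uri : samples) {
            System.out.printf("segment match: %-5s  contains: %-5s  %s%n",
                    guard.uriMatchesApplication(uri), guard.uriContainsApplication(uri), uri);
        }
    }
}
```

Compile and run with `javac ApplicationNameGuard.java && java ApplicationNameGuard`. Only the first sample passes the segment comparison; the fourth passes the `contains` test but not the segment comparison, and a null URI is rejected by both. Wiring this into `dispatchRequest` would replace the `uri.contains(...)` condition with `guard.uriMatchesApplication(aRequest.uri())`, with the guard created once in the Application constructor.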