
Sanitizing of dswid imperfect (XSS, security)


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.9.1
    • 1.9.2
    • JSF-Module
    • Security Level: public (Regular issues)

    Description

      Despite the improvement made in https://issues.apache.org/jira/browse/DELTASPIKE-1307, the sanitizing of the dswid parameter is still imperfect.

      PoC: requesting a page with "xzy.jsf?dswid=',danger,'" renders "danger" as a variable inside the JavaScript code.

      Solution: Instead of filtering out "(", "<" and "&" as a black-list attempt, which OWASP does not recommend, only numeric characters and "-" should be allowed, as a white-list approach.
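      The two checks side by side, as an added illustration that is not DeltaSpike's own code: the black-list variant of the kind the report describes lets the PoC value through, while the proposed allow-list (digits and "-" only) rejects it. Class and method names are hypothetical.

```java
import java.util.regex.Pattern;

// Hypothetical helper illustrating the report's point; not DeltaSpike code.
public final class WindowIdCheck {

    // Black-list style check: rejects only "(", "<" and "&", so any other
    // character that breaks out of a JavaScript string literal still passes.
    public static boolean passesBlackList(String dswid) {
        if (dswid == null) {
            return false;
        }
        return dswid.indexOf('(') < 0 && dswid.indexOf('<') < 0 && dswid.indexOf('&') < 0;
    }

    // Allow-list style check as proposed in the report: the whole value must
    // consist of digits and '-' only. Anything else is rejected outright and
    // must not be written into the page.
    private static final Pattern ALLOWED = Pattern.compile("[0-9-]+");

    public static boolean passesAllowList(String dswid) {
        return dswid != null && ALLOWED.matcher(dswid).matches();
    }

    public static void main(String[] args) {
        // Constructed sample values: two legitimate ids and the PoC value.
        String[] samples = {"42", "-17", "',danger,'"};
        for (String s : samples) {
            System.out.printf("%-12s blacklist=%-5b allowlist=%b%n",
                    s, passesBlackList(s), passesAllowList(s));
        }
    }
}
```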

          People

            struberg Mark Struberg
            mwalliczek Matthias Walliczek