Uploaded image for project: 'Causeway'
  1. Causeway
  2. CAUSEWAY-2373

Upload attachment: Preview vulnerable to XSS for html-attachments

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • 1.17.0
    • 2.1.0
    • Viewer Wicket
    • None

    Description

      First of all: I am not sure if the topic is placed here correctly as it might only affect the wicket-Dependency that isis is using. But: As the current wicket-version (7.9.0) that is used by isis is vulnerable to it, I should be relevant to you.

       

      I created the following HTML-document named xss_box.html:

      <html>
<script language="JavaScript"> 
    window.alert("Sometext");
</script>
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
</head>
<body>...</body>
</html>

      When selecting this document for an upload, usually a preview of the content will be shown. In this case the client uploading the file executes the javascript code and gets a modified preview content, as you can see in my attached images.

       

      I do not know if later wicket-versions (currently the newest version is 7.16.0) are protected against this threat.

       

      Attachments

        1. isis-xss-1.png
          39 kB
          Stefan Wegener
        2. isis-xss-2.png
          14 kB
          Stefan Wegener

        Activity

          People

            Unassigned Unassigned
            stefanwegener Stefan Wegener
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: