Causeway issue CAUSEWAY-884

ErrorPage vulnerable to XSS attacks.


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: viewer-wicket-1.6.0
    • Fix Version/s: viewer-wicket-1.7.0
    • Component/s: Viewer Wicket
    • Labels: None

    Description

      The default error page (org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage) is vulnerable to XSS via org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel

      In the constructor of ExceptionStackTracePanel, it adds a Label with the exception message and calls setEscapeModelStrings(false)

      This means that a URL can be constructed to reference an entity with Javascript inserted where the OID should be, and an exception is thrown with the Javascript code inserted into the message.

      This is then written to the page unescaped and executed in the user's session.

      It is made worse by the bookmarkable feature (I think that's what does this), where an attacker can navigate to a crafted URL on a user's PC: if the user doesn't close all of their browser windows before the session times out, then when they log in they will be redirected to the crafted URL.
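      The pattern the report describes, as an added illustration that is not the project's own ExceptionStackTracePanel: the same Wicket Label rendered once with escaping switched off (the reported defect) and once with Wicket's default escaping left in place. Class names, the "message" wicket:id and the constructor signature are assumptions for the example; only the setEscapeModelStrings(false) call comes from the report.

```java
// Added illustration for CAUSEWAY-884; not the project's own code.
// Class names, the "message" wicket:id and the constructor shape are assumed.
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.Model;

public class ErrorMessagePanels {

    // Vulnerable shape, as the report describes it: the exception message is
    // rendered with escaping switched off. If the message echoes text that came
    // from the request (for example the OID segment of the entity URL), any
    // markup in that text is written to the page verbatim and a <script> in it
    // executes in the session of whoever views the error page.
    public static class UnsafeMessagePanel extends Panel {
        public UnsafeMessagePanel(String id, Throwable ex) {
            super(id);
            Label message = new Label("message", Model.of(ex.getMessage()));
            message.setEscapeModelStrings(false); // the dangerous call
            add(message);
        }
    }

    // Hardened shape: leave Wicket's default (escapeModelStrings == true) in
    // place. The identical message is still shown, but < > & " are encoded
    // on output, so attacker-supplied markup is displayed rather than run.
    public static class SafeMessagePanel extends Panel {
        public SafeMessagePanel(String id, Throwable ex) {
            super(id);
            add(new Label("message", Model.of(ex.getMessage())));
        }
    }
}
```

      To audit for the same defect elsewhere, search the code base for setEscapeModelStrings(false) and ask, for each hit, whether the model value can carry request-derived data; an exception message that quotes a URL segment is exactly that. If a stack trace or multi-line message needs line breaks in the output, Wicket's MultiLineLabel renders the escaped text with newlines turned into <br>, so escaping never has to be disabled for that reason.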

          People

            Assignee: Unassigned
            Reporter: danhaywood (Daniel Keir Haywood)
            Votes: 0
            Watchers: 3