[JSPWIKI-63] Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding - ASF JIRA

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.4.104
Fix Version/s: 2.6.0
Component/s: Templates and UI
Labels:
None

Description

Description:
The following tags are observed to render contents directly to the pageContext without Output Encoding. It may be possible for XSS to occur in each of these tags.

Recommendation:
Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.

Related Code Locations:
13 findings:
Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
Type: Vulnerability.Validation.EncodingRequired
Severity: Medium
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
Line / Col: 288 / 0
Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
") . java.lang.StringBuilder.toString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.CookieTag.doEndTag():int
Type: Vulnerability.CrossSiteScripting
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CookieTag.java
Line / Col: 181 / 0
Context: this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.print ( out )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.EditorIteratorTag.doAfterBody():int
Type: Vulnerability.CrossSiteScripting
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\EditorIteratorTag.java
Line / Col: 112 / 0
Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
Type: Vulnerability.Validation.EncodingRequired
Severity: Medium
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
Line / Col: 288 / 0
Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
") . java.lang.StringBuilder.toString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
Type: Vulnerability.Validation.EncodingRequired
Severity: Medium
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
Line / Col: 288 / 0
Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
") . java.lang.StringBuilder.toString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.AttachmentsIteratorTag.doAfterBody():int
Type: Vulnerability.CrossSiteScripting
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\AttachmentsIteratorTag.java
Line / Col: 127 / 0
Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
Type: Vulnerability.Validation.EncodingRequired
Severity: Medium
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
Line / Col: 288 / 0
Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
") . java.lang.StringBuilder.toString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.SearchResultIteratorTag.doAfterBody():int
Type: Vulnerability.CrossSiteScripting
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\SearchResultIteratorTag.java
Line / Col: 133 / 0
Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.IteratorTag.doAfterBody():int
Type: Vulnerability.CrossSiteScripting
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IteratorTag.java
Line / Col: 142 / 0
Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
Type: Vulnerability.Validation.EncodingRequired
Severity: Medium
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
Line / Col: 288 / 0
Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
") . java.lang.StringBuilder.toString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.HistoryIteratorTag.doAfterBody():int
Type: Vulnerability.CrossSiteScripting
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\HistoryIteratorTag.java
Line / Col: 112 / 0
Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.LinkTag.doEndTag():int
Type: Vulnerability.Validation.EncodingRequired
Severity: Medium
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\LinkTag.java
Line / Col: 425 / 0
Context: out . java.io.Writer.write ( linktext )
Notes:
-----------------------------------
Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
Type: Vulnerability.Validation.EncodingRequired
Severity: Medium
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
Line / Col: 288 / 0
Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
") . java.lang.StringBuilder.toString() )
Notes:
-----------------------------------

Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding

Details

Description

Attachments

Attachments

Activity

People

Dates