JSPWiki: JSPWIKI-63

Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.104
    • Fix Version/s: 2.6.0
    • Component/s: Default template
    • Labels:
      None

      Description

      Description:
      The following tags are observed to render contents directly to the pageContext without Output Encoding. It may be possible for XSS to occur in each of these tags.

      Recommendation:
      Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.

      Related Code Locations:
      13 findings:
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CookieTag.doEndTag():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CookieTag.java
      Line / Col: 181 / 0
      Context: this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.print ( out )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.EditorIteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\EditorIteratorTag.java
      Line / Col: 112 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.AttachmentsIteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\AttachmentsIteratorTag.java
      Line / Col: 127 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.SearchResultIteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\SearchResultIteratorTag.java
      Line / Col: 133 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.IteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IteratorTag.java
      Line / Col: 142 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.HistoryIteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\HistoryIteratorTag.java
      Line / Col: 112 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.LinkTag.doEndTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\LinkTag.java
      Line / Col: 425 / 0
      Context: out . java.io.Writer.write ( linktext )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------

      Attachment: report.pdf (34 kB, Cristian Borlovan)

        Activity

        Cristian Borlovan created issue -
        Cristian Borlovan made changes -
        Field Original Value New Value
        Attachment report.pdf [ 12370434 ]
        Cristian Borlovan made changes -
        Summary: "Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding Finding" changed to "Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding"
        Janne Jalkanen added a comment -

        Blocks 2.6. Who wants to take this one?

        Janne Jalkanen made changes -
        Fix Version/s 2.6.0 [ 12312828 ]
        Component/s Default template [ 12311993 ]
        brushed made changes -
        Assignee Dirk Frederickx [ brushed ]
        brushed added a comment -

        Only a few things resolved. May need some more attention.

        CookieTag: no change required, the actual cookie value should be protected by the user of this tag.
        BTW, this tag is not used, should we keep this?

        EditorIteratorTag: has no direct print() functionality; XSS issues have been addressed in EditorManager

        CalendarTag: added a replaceEntities() around the parsing of query string in getMonthNaviLink()

        AttachmentsIteratorTag: the printing bodyContent() considered not harmful.

        Other iterator tags (SearchResultIteratorTag, IteratorTag, HistoryIteratorTag) not considered harmful.

        dirk

        brushed made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        brushed added a comment -

        Resolved some topics in v2.5.164

        brushed made changes -
        Resolution Fixed [ 1 ]
        Status In Progress [ 3 ] Resolved [ 5 ]
        Janne Jalkanen added a comment -

        Public, since it has been fixed.

        Janne Jalkanen made changes -
        Security Security Vulnerability Disclosure [ 10032 ]
        Florian Holeczek made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee: brushed
          • Reporter: Cristian Borlovan
          • Votes: 0
          • Watchers: 1
