JSPWiki
  1. JSPWiki
  2. JSPWIKI-63

Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.104
    • Fix Version/s: 2.6.0
    • Component/s: Default template
    • Labels:
      None

      Description

      Description:
      The following tags are observed to render contents directly to the pageContext without Output Encoding. It may be possible for XSS to occur in each of these tags.

      Recommendation:
      Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.

      Related Code Locations:
      13 findings:
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
      ") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CookieTag.doEndTag():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CookieTag.java
      Line / Col: 181 / 0
      Context: this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.print ( out )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.EditorIteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\EditorIteratorTag.java
      Line / Col: 112 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
      ") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
      ") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.AttachmentsIteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\AttachmentsIteratorTag.java
      Line / Col: 127 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
      ") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.SearchResultIteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\SearchResultIteratorTag.java
      Line / Col: 133 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.IteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IteratorTag.java
      Line / Col: 142 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
      ") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.HistoryIteratorTag.doAfterBody():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\HistoryIteratorTag.java
      Line / Col: 112 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.LinkTag.doEndTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\LinkTag.java
      Line / Col: 425 / 0
      Context: out . java.io.Writer.write ( linktext )
      Notes:
      -----------------------------------
      Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
      Type: Vulnerability.Validation.EncodingRequired
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
      Line / Col: 288 / 0
      Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>
      ") . java.lang.StringBuilder.toString() )
      Notes:
      -----------------------------------

      1. report.pdf
        34 kB
        Cristian Borlovan

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            brushed
            Reporter:
            Cristian Borlovan
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development