JSPWiki / JSPWIKI-64

Ounce Labs Security Finding: Input Validation - Reflected XSS Edit

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Invalid
    • Affects Version/s: 2.4.104
    • Fix Version/s: 2.6.0
    • Component/s: None
    • Labels: None

      Description

      Description:
      The Edit.jsp will use a variety of different request parameters directly without validation and set session attributes with this tainted data. Later in different application components (JSPs) these values will be used directly (sometimes without proper output encoding). It is recommended that these values be properly validated prior to setting them into the session as attributes.

      Example 1: link is used as a hidden field from the session attribute directly, which is set in Edit.jsp
      Example 2: remember is used as a hidden field here in Edit.jsp, it is set in Comment.jsp

      Recommendation:
      Validate each parameter prior to setting the value into the session attribute. Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.

      Related Code Locations:
      9 findings:
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 92 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
      Line / Col: 75 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 169 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 169 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 171 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 92 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
      Line / Col: 75 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 43 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "htmlPageText" )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 171 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
      -----------------------------------
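
An added example (not JSPWiki code and not part of the Ounce Labs report) of the output-encoding half of the recommendation above: the session keeps the original value, and the hidden field encodes it at the point where it is rendered. The `replaceEntities` helper is a local stand-in for `TextUtil.replaceEntities()`, the `Map` stands in for the `HttpSession`, and the sample values are constructed.

```java
import java.util.HashMap;
import java.util.Map;

/** Added illustration; not JSPWiki source. */
public class HiddenFieldEncoding {

    // Local stand-in (an assumption) for the entity replacement the report
    // recommends via TextUtil.replaceEntities().
    static String replaceEntities(String src) {
        if (src == null) return "";
        StringBuilder out = new StringBuilder(src.length() + 16);
        for (int i = 0; i < src.length(); i++) {
            char c = src.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Pattern the finding flags: a session value concatenated into markup as-is.
    static String hiddenFieldRaw(String name, Object value) {
        return "<input type=\"hidden\" name=\"" + name
             + "\" value=\"" + value + "\" />";
    }

    // Encode when the value is used; the session still holds the original data.
    static String hiddenFieldEncoded(String name, Object value) {
        String v = (value == null) ? "" : value.toString();
        return "<input type=\"hidden\" name=\"" + replaceEntities(name)
             + "\" value=\"" + replaceEntities(v) + "\" />";
    }

    public static void main(String[] args) {
        // Map standing in for HttpSession attributes (constructed sample data).
        Map<String, Object> session = new HashMap<>();
        session.put("link", "Main\" title=\"not-part-of-value");
        session.put("author", "A & B <editor>");

        for (String key : new String[] {"link", "author"}) {
            Object stored = session.get(key);
            System.out.println("raw:     " + hiddenFieldRaw(key, stored));
            System.out.println("encoded: " + hiddenFieldEncoded(key, stored));
        }
        // The stored value is unchanged, so other consumers see the original text.
        System.out.println("session link = " + session.get("link"));
    }
}
```

In the raw rendering the double quote in the constructed `link` value ends the `value` attribute early; in the encoded rendering it stays inside the attribute as `&quot;`.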

      1. report.pdf
        36 kB
        Cristian Borlovan

        Activity

        Cristian Borlovan created issue -
        Cristian Borlovan made changes -
        Cristian Borlovan made changes -
        Attachment report.pdf [ 12370438 ]
        Cristian Borlovan made changes -
        Summary: "Ounce Labs Security Finding: Input Validation - Reflected XSS Edit Finding" → "Ounce Labs Security Finding: Input Validation - Reflected XSS Edit"
        Janne Jalkanen added a comment -

        Blocks 2.6. Some of these are not valid.

        I'll take it... sigh

        Janne Jalkanen made changes -
        Assignee Janne Jalkanen [ jalkanen ]
        Fix Version/s 2.6.0 [ 12312828 ]
        Janne Jalkanen added a comment -

        As far as I can tell, none of these are valid. We need the original data in most cases without encoding, so it's fine.

        Any validation should be done when the data is used.

        Janne Jalkanen made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Invalid [ 6 ]
        Janne Jalkanen added a comment -

        Public now, since fixed.

        Janne Jalkanen made changes -
        Security Security Vulnerability Disclosure [ 10032 ]
        Florian Holeczek made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open → Resolved | 7d 22m | 1 | Janne Jalkanen | 05/Dec/07 20:40
        Resolved → Closed | 1375d 2h 54m | 1 | Florian Holeczek | 11/Sep/11 00:34

          People

          • Assignee:
            Janne Jalkanen
            Reporter:
            Cristian Borlovan