JSPWiki / JSPWIKI-64

Ounce Labs Security Finding: Input Validation - Reflected XSS Edit

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Invalid
    • Affects Version/s: 2.4.104
    • Fix Version/s: 2.6.0
    • Component/s: None
    • Labels:
      None

      Description

      Description:
      The Edit.jsp will use a variety of different request parameters directly without validation and set session attributes with this tainted data. Later in different application components (JSPs) these values will be used directly (sometimes without proper output encoding). It is recommended that these values be properly validated prior to setting them into the session as attributes.

      Example 1: link is used as a hidden field from the session attribute directly, which is set in Edit.jsp
      Example 2: remember is used as a hidden field here in Edit.jsp, it is set in Comment.jsp

      Recommendation:
      Validate each parameter prior to setting the value into the session attribute. Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.

      Related Code Locations:
      9 findings:
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 92 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
      Line / Col: 75 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 169 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 169 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 171 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 92 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
      Line / Col: 75 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 43 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "htmlPageText" )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 171 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
      -----------------------------------

      1. report.pdf
        36 kB
        Cristian Borlovan


          People

          • Assignee: Janne Jalkanen
          • Reporter: Cristian Borlovan
