JSPWiki: JSPWIKI-64

Ounce Labs Security Finding: Input Validation - Reflected XSS

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Invalid
    • Affects Version/s: 2.4.104
    • Fix Version/s: 2.6.0
    • Component/s: None
    • Labels: None

      Description
      The Edit.jsp will use a variety of different request parameters directly without validation and set session attributes with this tainted data. Later in different application components (JSPs) these values will be used directly (sometimes without proper output encoding). It is recommended that these values be properly validated prior to setting them into the session as attributes.

      Example 1: link is used as a hidden field directly from the session attribute, which is set in Edit.jsp.
      Example 2: remember is used as a hidden field here in Edit.jsp; it is set in Comment.jsp.

      Recommendation:
      Validate each parameter prior to setting the value into the session attribute. Output-encode the value rendered to the user, using the "TextUtil.replaceEntities()" method.

      Related Code Locations:
      9 findings:
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 92 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
      Line / Col: 75 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 169 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 169 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 171 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 92 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
      Line / Col: 75 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 43 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "htmlPageText" )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 171 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
      -----------------------------------
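      The rendering step the recommendation above describes (a session attribute copied into a hidden field, once verbatim and once entity-encoded at the point of output), as an added example that is not part of this issue or of JSPWiki's own code; the encoder below is a stand-in written here for the TextUtil.replaceEntities() the report recommends, and the session map and its values are constructed for the demonstration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Assumed stand-in for an HTML entity encoder such as TextUtil.replaceEntities(); not JSPWiki's code. */
public final class HiddenFieldEncoding {

    // Escape the characters that can terminate an attribute value or start new markup.
    static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The pattern the finding flags: the session attribute lands in the attribute value unchanged.
    static String hiddenFieldUnencoded(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\" />";
    }

    // The recommended form: encode when the value is used, i.e. at render time.
    static String hiddenFieldEncoded(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + encodeForHtml(value) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed sample: session attributes as Edit.jsp/Comment.jsp would have stored them,
        // one of them carrying quote and angle-bracket characters.
        Map<String, String> session = new LinkedHashMap<>();
        session.put("link", "Main \"Page\" & <Friends>");
        session.put("remember", "true");
        for (Map.Entry<String, String> e : session.entrySet()) {
            System.out.println("unencoded: " + hiddenFieldUnencoded(e.getKey(), e.getValue()));
            System.out.println("encoded:   " + hiddenFieldEncoded(e.getKey(), e.getValue()));
        }
    }
}
```

      In the unencoded line the double quote in the link value closes the value attribute early, which is the condition the finding is about; in the encoded line it is rendered as &quot; and the markup stays intact.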

      1. report.pdf (36 kB) - Cristian Borlovan

        Activity

        Janne Jalkanen added a comment -

        Public now, since fixed.

        Janne Jalkanen added a comment -

        As far as I can tell, none of these are valid. We need the original data in most cases without encoding, so it's fine.

        Any validation should be done when the data is used.

        Janne Jalkanen added a comment -

        Blocks 2.6. Some of these are not valid.

        I'll take it... sigh

          People

          • Assignee: Janne Jalkanen
          • Reporter: Cristian Borlovan
          • Votes: 0
          • Watchers: 1