JSPWiki / JSPWIKI-64

Ounce Labs Security Finding: Input Validation - Reflected XSS Edit

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Invalid
    • Affects Version/s: 2.4.104
    • Fix Version/s: 2.6.0
    • Component/s: None
    • Labels: None

    Description

      Description:
      The Edit.jsp will use a variety of different request parameters directly without validation and set session attributes with this tainted data. Later in different application components (JSPs) these values will be used directly (sometimes without proper output encoding). It is recommended that these values be properly validated prior to setting them into the session as attributes.

      Example 1: link is used as a hidden field from the session attribute directly, which is set in Edit.jsp
      Example 2: remember is used as a hidden field here in Edit.jsp, it is set in Comment.jsp

      Recommendation:
      Validate each parameter prior to setting the value into the session attribute. Output-encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.

      Related Code Locations:
      9 findings:
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 92 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
      Line / Col: 75 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 169 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 169 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 171 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 92 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
      Line / Col: 75 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Validation.Required
      Severity: High
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 43 / 0
      Context: request . javax.servlet.ServletRequest.getParameter ( "htmlPageText" )
      -----------------------------------
      Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.Info
      Severity: Info
      Classification: Type II
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
      Line / Col: 171 / 0
      Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
      -----------------------------------

      Attachments

        1. report.pdf
          36 kB
          Cristian Borlovan

          People

            Assignee: Janne Jalkanen (jalkanen)
            Reporter: Cristian Borlovan (cristian.borlovan@ouncelabs.com)