Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Invalid
Affects version: 2.4.104
Description:
The Edit.jsp will use a variety of different request parameters directly without validation and set session attributes with this tainted data. Later in different application components (JSPs) these values will be used directly (sometimes without proper output encoding). It is recommended that these values be properly validated prior to setting them into the session as attributes.
Example 1: link is used as a hidden field from the session attribute directly, which is set in Edit.jsp
Example 2: remember is used as a hidden field here in Edit.jsp; it is set in Comment.jsp
Recommendation:
Validate each parameter prior to setting the value into the session attribute. Output-encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.
Related Code Locations:
9 findings:
Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
Type: Vulnerability.Validation.Required
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
Line / Col: 92 / 0
Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
-----------------------------------
Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
Type: Vulnerability.Validation.Required
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
Line / Col: 75 / 0
Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
-----------------------------------
Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
Type: Vulnerability.Validation.Required
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
Line / Col: 169 / 0
Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
-----------------------------------
Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
Type: Vulnerability.Info
Severity: Info
Classification: Type II
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
Line / Col: 169 / 0
Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
-----------------------------------
Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
Type: Vulnerability.Validation.Required
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
Line / Col: 171 / 0
Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
-----------------------------------
Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
Type: Vulnerability.Info
Severity: Info
Classification: Type II
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
Line / Col: 92 / 0
Context: session . javax.servlet.http.HttpSession.setAttribute ( "_editedtext", getEditedText(pageContext) )
-----------------------------------
Name: JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
Type: Vulnerability.Validation.Required
Severity: High
Classification: Vulnerability
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
Line / Col: 75 / 0
Context: session . javax.servlet.http.HttpSession.setAttribute ( "link", link )
-----------------------------------
Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
Type: Vulnerability.Validation.Required
Severity: High
Classification: Type II
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
Line / Col: 43 / 0
Context: request . javax.servlet.ServletRequest.getParameter ( "htmlPageText" )
-----------------------------------
Name: JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
Type: Vulnerability.Info
Severity: Info
Classification: Type II
File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
Line / Col: 171 / 0
Context: session . javax.servlet.http.HttpSession.setAttribute ( "author", user )
-----------------------------------