Uploaded image for project: 'JSPWiki'
  1. JSPWiki
  2. JSPWIKI-67

Ounce Labs Security Finding: Input Validation - Reflected XSS editors

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 2.4.104
    • 2.6.0
    • Templates and UI
    • None

    Description

      Description: The editor related functionality contains a variety of different reflected XSS attacks. Please see below for the specific XSS detected.

      1. FCK.jsp - The "pageAsHtml" parameter is used without validation/output encoding. Also, note that this parameter is already embedded within existing <script></script> tags. An attacker would not need to inject these strings to successfully exploit this XSS.

      2. WikiWizard.jsp/FCK.jsp - The "link" parameter is used directly without validation/output encoding.. Note this parameter is set via the Edit.jsp and used throughout all Editors.

      3. WikiWizard.jsp/plain.jsp - The "Accept-Language:" header is used directly without validation/output encoding.

      • Attack HTTP Payload:
        GET http://localhost:8080/JSPWiki/Edit.jsp?page=FOO&editor=WikiWizard&user=foo HTTP/1.1
        Host: localhost:8080
        User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
        Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
        Accept-Language: "><script>alert(document.cookie);</script>
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 300
        Proxy-Connection: keep-alive
        Cookie: JSPWikiAssertedName=127.0.0.1; JSPWikiSearchBox=favorites; JSESSIONID=44B8881F5C94CE828FDDF9F4B139FA24
        If-Modified-Since: Thu, 01 Nov 2007 19:47:12 GMT

      4. WikiWizard.jsp/plain.jsp - Also note there is potential for the "attString" to contain malicious payload here since it is not output encoded. However, the likelihood is reduced as it appears that the attachment process will validate the filename attributes at some level. However, it is recommended that it be output encoded here as well to further decrease the XSS potentials.

      5. The editor drop down list is constructed without validation and outputs whatever value the user injects.

      Recommendation: Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method. In cases where the data is already rendered within existing script tags, consider very strong input validation and even removing this exclusion within existing script tags.

      Related Code Locations:
      1 findings:
      Name: com.ecyrd.jspwiki.tags.EditorTag.doEndTag():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\EditorTag.java
      Line / Col: 66 / 0
      Context: this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.println ( new java.lang.StringBuilder . java.lang.StringBuilder.append("Unable to find editor '") . java.lang.StringBuilder.append(editorPath) . java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString() )
      -----------------------------------

      Attachments

        1. report.pdf
          30 kB
          Cristian Borlovan

        Activity

          People

            brushed Dirk Frederickx
            cristian.borlovan@ouncelabs.com Cristian Borlovan
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: