JSPWIKI-67: Ounce Labs Security Finding: Input Validation - Reflected XSS editors


    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.104
    • Fix Version/s: 2.6.0
    • Component/s: Templates and UI
    • Labels:


      Description: The editor-related functionality contains several distinct reflected XSS vulnerabilities. The specific findings are listed below.

      1. FCK.jsp - The "pageAsHtml" parameter is used without validation/output encoding. Also note that this parameter is already embedded within existing <script></script> tags, so an attacker would not need to inject those tags to successfully exploit this XSS.

      2. WikiWizard.jsp/FCK.jsp - The "link" parameter is used directly without validation/output encoding. Note that this parameter is set via Edit.jsp and used throughout all editors.

      3. WikiWizard.jsp/plain.jsp - The "Accept-Language:" header is used directly without validation/output encoding.

      • Attack HTTP Payload:
        GET http://localhost:8080/JSPWiki/Edit.jsp?page=FOO&editor=WikiWizard&user=foo HTTP/1.1
        Host: localhost:8080
        User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20071008 Firefox/
        Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
        Accept-Language: "><script>alert(document.cookie);</script>
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 300
        Proxy-Connection: keep-alive
        Cookie: JSPWikiAssertedName=; JSPWikiSearchBox=favorites; JSESSIONID=44B8881F5C94CE828FDDF9F4B139FA24
        If-Modified-Since: Thu, 01 Nov 2007 19:47:12 GMT

      4. WikiWizard.jsp/plain.jsp - Also note that the "attString" value could carry a malicious payload here, since it is not output encoded. The likelihood is reduced because the attachment process appears to validate the filename attributes at some level; it is nonetheless recommended that the value be output encoded here as well, to further reduce the XSS potential.

      5. The editor drop-down list is constructed without validation and outputs whatever value the user injects.

      Recommendation: Output-encode the value rendered to the user, using the "TextUtil.replaceEntities()" method. In cases where the data is already rendered within existing script tags, consider very strong input validation and even removing this exclusion within existing script tags.
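      As an added illustration (not code from this report or from JSPWiki), the pattern behind findings 1 to 3 next to the recommended fix. replaceEntities() below is a stand-in re-implementation of TextUtil.replaceEntities(), and the renderUnsafe/renderSafe/jsStringEscape names are this example's own; the JavaScript-string escaping for the in-script case goes beyond the report's wording as one way to meet its "very strong input validation" point.

```java
/** Constructed example for JSPWIKI-67: the unencoded-reflection pattern the report
 *  describes, the entity-encoding fix it recommends, and the extra handling needed
 *  when a value lands inside an existing <script> block (not JSPWiki's own code). */
public class EditorOutputEncoding {
    /** Stand-in for JSPWiki's TextUtil.replaceEntities(): encodes the characters that
     *  end an HTML text node or a double-quoted attribute (assumed behaviour). */
    static String replaceEntities(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;");  break;
                case '<': out.append("&lt;");   break;
                case '>': out.append("&gt;");   break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    /** Findings 2 and 3 as reported: the request value is concatenated into markup. */
    static String renderUnsafe(String link, String acceptLanguage) {
        return "<a href=\"" + link + "\">" + acceptLanguage + "</a>";
    }

    /** Fixed form: each reflected value is entity-encoded at the point of output. */
    static String renderSafe(String link, String acceptLanguage) {
        return "<a href=\"" + replaceEntities(link) + "\">" + replaceEntities(acceptLanguage) + "</a>";
    }

    /** Finding 1: the value is emitted inside a JavaScript string literal in an existing
     *  <script> block, where entity encoding is the wrong tool. Anything outside a small
     *  allowlist becomes a Unicode escape (\\u003c for '<'), so the value can close
     *  neither the string literal nor the script tag. */
    static String jsStringEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (Character.isLetterOrDigit(c) || c == ' ' || c == '.' || c == '_') out.append(c);
            else out.append(String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String payload = "\"><script>alert(document.cookie);</script>"; // header value from the report
        System.out.println(renderUnsafe(payload, payload)); // a script element lands in the page
        System.out.println(renderSafe(payload, payload));   // same input rendered as inert text
        System.out.println("var pageAsHtml = '" + jsStringEscape(payload) + "';");
    }
}
```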

      Related Code Locations:
      1 finding:
      Name: com.ecyrd.jspwiki.tags.EditorTag.doEndTag():int
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\EditorTag.java
      Line / Col: 66 / 0
      Context: this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.println ( new java.lang.StringBuilder . java.lang.StringBuilder.append("Unable to find editor '") . java.lang.StringBuilder.append(editorPath) . java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString() )


        Attachment: report.pdf (30 kB) - Cristian Borlovan



            • Assignee: brushed
            • Reporter: Cristian Borlovan (cristian.borlovan@ouncelabs.com)
            • Votes: 0
            • Watchers: 1


              • Created: