  1. JSPWiki
  2. JSPWIKI-68

Ounce Labs Security Finding: Input Validation - Reflected XSS preview

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.104
    • Fix Version/s: 2.6.0
    • None
    • None

    Description

      Description:
      1. The preview.jsp uses the "action" parameter directly without validation/output encoding.
      2. The PreviewContent.jsp will output the edited text directly without output encoding.

      Recommendation:
      Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.

      Related Code Locations:
      5 findings:
      Name: JSPWiki_2_4_104.templates.default_.editors.preview_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.CrossSiteScripting
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\editors\preview.jsp
      Line / Col: 22 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( session . javax.servlet.http.HttpSession.getAttribute("author") )
      -----------------------------------
      Name: JSPWiki_2_4_104.templates.default_.editors.preview_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.CrossSiteScripting
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\editors\preview.jsp
      Line / Col: 23 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( session . javax.servlet.http.HttpSession.getAttribute("link") )
      -----------------------------------
      Name: JSPWiki_2_4_104.templates.default_.PreviewContent_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\PreviewContent.jsp
      Line / Col: 12 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( getEditedText(pageContext) )
      -----------------------------------
      Name: JSPWiki_2_4_104.templates.default_.editors.preview_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.CrossSiteScripting
      Severity: High
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\editors\preview.jsp
      Line / Col: 30 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( request . javax.servlet.ServletRequest.getRemoteAddr() )
      -----------------------------------
      Name: JSPWiki_2_4_104.templates.default_.editors.preview_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
      Type: Vulnerability.CrossSiteScripting
      Severity: Medium
      Classification: Vulnerability
      File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\editors\preview.jsp
      Line / Col: 24 / 0
      Context: out . javax.servlet.jsp.JspWriter.print ( session . javax.servlet.http.HttpSession.getAttribute("remember") )
      -----------------------------------

      Attachments

        1. report.pdf
          32 kB
          Cristian Borlovan

          People

            Assignee: Janne Jalkanen (jalkanen)
            Reporter: Cristian Borlovan (cristian.borlovan@ouncelabs.com)