You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@deltaspike.apache.org by "Markus 'md' Drenger (JIRA)" <ji...@apache.org> on 2018/01/09 09:52:02 UTC
[jira] [Commented] (DELTASPIKE-1307) Deltaspike JSF: XSS
WindowIdHtmlRenderer.java
[ https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16318153#comment-16318153 ]
Markus 'md' Drenger commented on DELTASPIKE-1307:
-------------------------------------------------
also thx to Alexander Druffel who discovered it. I built the PoC and reported it.
And, as Gerhard pointed out, exploitation is depending on additional js-scripts, e.g. short variables or functions.
> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> ---------------------------------------------
>
> Key: DELTASPIKE-1307
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module
> Affects Versions: 1.8.0
> Environment: any
> Reporter: Markus 'md' Drenger
> Assignee: Mark Struberg
> Priority: Blocker
> Labels: security
> Fix For: 1.8.1
>
>
> 10 chars ough to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)