You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@deltaspike.apache.org by "Markus 'md' Drenger (JIRA)" <ji...@apache.org> on 2018/01/09 09:52:02 UTC

[jira] [Commented] (DELTASPIKE-1307) Deltaspike JSF: XSS WindowIdHtmlRenderer.java

    [ https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16318153#comment-16318153 ] 

Markus 'md' Drenger commented on DELTASPIKE-1307:
-------------------------------------------------

also thx to Alexander Druffel who discovered it. I built the PoC and reported it.
And, as Gerhard pointed out, exploitation is depending on additional js-scripts, e.g. short variables or functions.

> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> ---------------------------------------------
>
>                 Key: DELTASPIKE-1307
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: JSF-Module
>    Affects Versions: 1.8.0
>         Environment: any
>            Reporter: Markus 'md' Drenger
>            Assignee: Mark Struberg
>            Priority: Blocker
>              Labels: security
>             Fix For: 1.8.1
>
>
> 10 chars ough to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)