You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@isis.apache.org by "Stefan Wegener (Jira)" <ji...@apache.org> on 2020/06/09 13:43:00 UTC

[jira] [Created] (ISIS-2373) Upload attachment: Preview vulnerable to XSS for html-attachments

Stefan Wegener created ISIS-2373:
------------------------------------

             Summary: Upload attachment: Preview vulnerable to XSS for html-attachments
                 Key: ISIS-2373
                 URL: https://issues.apache.org/jira/browse/ISIS-2373
             Project: Isis
          Issue Type: Bug
          Components: Isis Viewer Wicket
    Affects Versions: 1.17.0
            Reporter: Stefan Wegener
         Attachments: isis-xss-1.png, isis-xss-2.png

First of all: I am not sure if the topic is placed here correctly as it might only affect the wicket-Dependency that isis is using. But: As the current wicket-version (7.9.0) that is used by isis is vulnerable to it, I should be relevant to you.

 

I created the following HTML-document named xss_box.html:
{code:java}
<html>
<script language="JavaScript"> 
    window.alert("Sometext");
</script>
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
</head>
<body>...</body>
</html>
{code}
When selecting this document for an upload, usually a preview of the content will be shown. In this case the client uploading the file executes the javascript code and gets a modified preview content, as you can see in my attached images.

 

I do not know if later wicket-versions (currently the newest version is 7.16.0) are protected against this threat.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)