You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@isis.apache.org by "Stefan Wegener (Jira)" <ji...@apache.org> on 2020/06/09 13:43:00 UTC
[jira] [Created] (ISIS-2373) Upload attachment: Preview vulnerable
to XSS for html-attachments
Stefan Wegener created ISIS-2373:
------------------------------------
Summary: Upload attachment: Preview vulnerable to XSS for html-attachments
Key: ISIS-2373
URL: https://issues.apache.org/jira/browse/ISIS-2373
Project: Isis
Issue Type: Bug
Components: Isis Viewer Wicket
Affects Versions: 1.17.0
Reporter: Stefan Wegener
Attachments: isis-xss-1.png, isis-xss-2.png
First of all: I am not sure if the topic is placed here correctly as it might only affect the wicket-Dependency that isis is using. But: As the current wicket-version (7.9.0) that is used by isis is vulnerable to it, I should be relevant to you.
I created the following HTML-document named xss_box.html:
{code:java}
<html>
<script language="JavaScript">
window.alert("Sometext");
</script>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
</head>
<body>...</body>
</html>
{code}
When selecting this document for an upload, usually a preview of the content will be shown. In this case the client uploading the file executes the javascript code and gets a modified preview content, as you can see in my attached images.
I do not know if later wicket-versions (currently the newest version is 7.16.0) are protected against this threat.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)