Posted to dev@jspwiki.apache.org by "Florian Holeczek (JIRA)" <ji...@apache.org> on 2011/09/11 01:35:10 UTC
[jira] [Closed] (JSPWIKI-68) Ounce Labs Security Finding: Input Validation - Reflected XSS preview
[ https://issues.apache.org/jira/browse/JSPWIKI-68?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Holeczek closed JSPWIKI-68.
-----------------------------------
> Ounce Labs Security Finding: Input Validation - Reflected XSS preview
> ---------------------------------------------------------------------
>
> Key: JSPWIKI-68
> URL: https://issues.apache.org/jira/browse/JSPWIKI-68
> Project: JSPWiki
> Issue Type: Bug
> Affects Versions: 2.4.104
> Reporter: Cristian Borlovan
> Assignee: Janne Jalkanen
> Priority: Critical
> Fix For: 2.6.0
>
> Attachments: report.pdf
>
>
> Description:
> 1. The preview.jsp uses the "action" parameter directly without validation/output encoding.
> 2. The PreviewContent.jsp will output the edited text directly without output encoding.
> Recommendation:
> Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.
> Related Code Locations:
> 5 findings:
> Name: JSPWiki_2_4_104.templates.default_.editors.preview_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.CrossSiteScripting
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\editors\preview.jsp
> Line / Col: 22 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( session . javax.servlet.http.HttpSession.getAttribute("author") )
> -----------------------------------
> Name: JSPWiki_2_4_104.templates.default_.editors.preview_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.CrossSiteScripting
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\editors\preview.jsp
> Line / Col: 23 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( session . javax.servlet.http.HttpSession.getAttribute("link") )
> -----------------------------------
> Name: JSPWiki_2_4_104.templates.default_.PreviewContent_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.CrossSiteScripting
> Severity: High
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\PreviewContent.jsp
> Line / Col: 12 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( getEditedText(pageContext) )
> -----------------------------------
> Name: JSPWiki_2_4_104.templates.default_.editors.preview_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.CrossSiteScripting
> Severity: High
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\editors\preview.jsp
> Line / Col: 30 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( request . javax.servlet.ServletRequest.getRemoteAddr() )
> -----------------------------------
> Name: JSPWiki_2_4_104.templates.default_.editors.preview_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.CrossSiteScripting
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\templates\default\editors\preview.jsp
> Line / Col: 24 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( session . javax.servlet.http.HttpSession.getAttribute("remember") )
> -----------------------------------
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
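The output pattern the findings describe, shown unencoded and then entity-encoded at the point of output, as an added example that is not JSPWiki's own code: it assumes the session values land in hidden form fields, and its replaceEntities() is a local stand-in for TextUtil.replaceEntities(), not the project's implementation.

```java
import java.util.Map;

public class PreviewEncodingExample {
    // Stand-in for TextUtil.replaceEntities(): escape the characters that let a
    // value break out of an attribute value or element text.
    static String replaceEntities(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Assumed output shape of preview.jsp / PreviewContent.jsp: hidden fields plus the edited text.
    static String template(String author, String link, String remember, String addr, String text) {
        return "<input type=\"hidden\" name=\"author\" value=\"" + author + "\" />\n"
             + "<input type=\"hidden\" name=\"link\" value=\"" + link + "\" />\n"
             + "<input type=\"hidden\" name=\"remember\" value=\"" + remember + "\" />\n"
             + "<input type=\"hidden\" name=\"remoteAddr\" value=\"" + addr + "\" />\n"
             + "<textarea name=\"text\">" + text + "</textarea>\n";
    }

    // Vulnerable shape (preview.jsp lines 22-24 and 30, PreviewContent.jsp line 12 in the
    // findings): session attributes, the remote address and the edited text are printed as-is.
    static String renderUnsafe(Map<String, String> s, String addr, String text) {
        return template(s.get("author"), s.get("link"), s.get("remember"), addr, text);
    }

    // Hardened shape: the same template, every untrusted value encoded at the point of output.
    static String renderSafe(Map<String, String> s, String addr, String text) {
        return template(replaceEntities(s.get("author")), replaceEntities(s.get("link")),
                        replaceEntities(s.get("remember")), replaceEntities(addr), replaceEntities(text));
    }

    public static void main(String[] args) {
        // Constructed sample values containing the characters the encoder must handle.
        Map<String, String> session = Map.of("author", "Alice <b>Smith</b> & Co",
                                             "link", "Main?x=1&y=\"2\"", "remember", "true");
        String text = "Hello <i>world</i>";
        System.out.println("--- unencoded ---\n" + renderUnsafe(session, "127.0.0.1", text));
        System.out.println("--- encoded ---\n" + renderSafe(session, "127.0.0.1", text));
    }
}
```

In the encoded output every attribute value and the textarea body contain no raw `<`, `>`, `&` or `"`, so a stored or reflected value can no longer close the attribute or element it is placed in.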