Posted to dev@jspwiki.apache.org by "Florian Holeczek (JIRA)" <ji...@apache.org> on 2011/09/11 01:35:10 UTC

[jira] [Closed] (JSPWIKI-65) Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter

     [ https://issues.apache.org/jira/browse/JSPWIKI-65?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-65.
-----------------------------------


> Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter
> ---------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-65
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-65
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Cristian Borlovan
>            Assignee: Janne Jalkanen
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: The Include Tag may print out an error message containing user input.  Even though it is highly unlikely that this will contain a malicious payload (since the logic only executes if page is null), best practices indicate using the standard output encoding routine to sanitize the data. Note that this particular vulnerability may be triggered, via the use of the Include Tag, from 16 different vectors.
> For example, "skin=<script>alert(document.cookie);</script>" might be injected if the code were changed in the future to not check for null.
> Recommendation: Output-encode the value rendered to the user.  Use the "TextUtil.replaceEntities()" method.
> Related Code Locations: 
> 16 vectors to:
>   Name:           com.ecyrd.jspwiki.tags.IncludeTag.doEndTag():int
>   Type:           Vulnerability.CrossSiteScripting.Reflected
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IncludeTag.java
>   Line / Col:     79 / 0
>   Context:        this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.println ( new java.lang.StringBuilder . java.lang.StringBuilder.append("No template file called '") . java.lang.StringBuilder.append(this.m_page) . java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString() )
>     -----------------------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
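As an added illustration (not code from JSPWiki, the report, or the JIRA thread), the error path the finding describes is shown twice below: once with the page value concatenated raw into the "No template file called '...'" message, and once with the value entity-encoded first. The escapeHtml() helper is an assumed stand-in for the TextUtil.replaceEntities() call the recommendation names; the class name, method names and the sample input are this example's own.

```java
import java.util.Objects;

/**
 * Added example (not JSPWiki code): the IncludeTag error message from the
 * finding, rendered as reported (user-controlled value echoed unencoded) and
 * rendered with output encoding applied before the value reaches the JspWriter.
 * escapeHtml() is a stand-in for the project's TextUtil.replaceEntities().
 */
public final class IncludeTagErrorEncoding {

    // Message template quoted in the finding's "Context" line.
    private static final String PREFIX = "No template file called '";
    private static final String SUFFIX = "'";

    /** As reported: m_page (derived from request input) is concatenated raw. */
    static String renderVulnerable(String page) {
        return PREFIX + page + SUFFIX;
    }

    /** Hardened: the untrusted value is entity-encoded before concatenation. */
    static String renderHardened(String page) {
        return PREFIX + escapeHtml(page) + SUFFIX;
    }

    /**
     * Minimal HTML encoder for a text context (assumption: the five characters
     * below are the ones that let a value break out of text or a quoted attribute).
     * A null value renders as an empty string rather than the literal "null".
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** True if the rendered message still contains an unencoded tag delimiter. */
    static boolean leaksMarkup(String rendered) {
        return rendered.indexOf('<') >= 0 || rendered.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed input: the payload quoted in the finding, as a skin= value.
        String payload = "<script>alert(document.cookie);</script>";

        String bad = renderVulnerable(payload);
        String good = renderHardened(payload);

        System.out.println("vulnerable: " + bad);
        System.out.println("hardened:   " + good);

        // The vulnerable form hands the browser a live <script> element; the
        // hardened form renders the payload as visible text.
        if (!leaksMarkup(bad) || leaksMarkup(good)) {
            throw new AssertionError("encoding check failed");
        }
        // Ordinary page names pass through the encoder unchanged.
        if (!Objects.equals(renderHardened("Main"), "No template file called 'Main'")) {
            throw new AssertionError("plain page name was altered");
        }
    }
}
```

The point the finding makes is that the null check is a control-flow accident, not a security control: the encoding step belongs at the output sink regardless of whether today's logic can reach it with attacker input, because a later refactor that drops the check would otherwise turn every one of the 16 callers into a reflected XSS vector.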