Posted to dev@jspwiki.apache.org by "Florian Holeczek (JIRA)" <ji...@apache.org> on 2011/09/11 01:35:10 UTC
[jira] [Closed] (JSPWIKI-63) Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding
[ https://issues.apache.org/jira/browse/JSPWIKI-63?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Holeczek closed JSPWIKI-63.
-----------------------------------
> Ounce Labs Security Finding: Input Validation - XSS Tags Which Require Output Encoding
> --------------------------------------------------------------------------------------
>
> Key: JSPWIKI-63
> URL: https://issues.apache.org/jira/browse/JSPWIKI-63
> Project: JSPWiki
> Issue Type: Bug
> Components: Default template
> Affects Versions: 2.4.104
> Reporter: Cristian Borlovan
> Assignee: Dirk Frederickx
> Priority: Critical
> Fix For: 2.6.0
>
> Attachments: report.pdf
>
>
> Description:
> The following tags are observed to render contents directly to the pageContext without Output Encoding. It may be possible for XSS to occur in each of these tags.
> Recommendation:
> Output Encode the value rendered to the user. Use the "TextUtil.replaceEntities()" method.
> Related Code Locations:
> 13 findings:
> Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
> Type: Vulnerability.Validation.EncodingRequired
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
> Line / Col: 288 / 0
> Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.CookieTag.doEndTag():int
> Type: Vulnerability.CrossSiteScripting
> Severity: High
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CookieTag.java
> Line / Col: 181 / 0
> Context: this.pageContext . javax.servlet.jsp.PageContext.getOut() . javax.servlet.jsp.JspWriter.print ( out )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.EditorIteratorTag.doAfterBody():int
> Type: Vulnerability.CrossSiteScripting
> Severity: High
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\EditorIteratorTag.java
> Line / Col: 112 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
> Type: Vulnerability.Validation.EncodingRequired
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
> Line / Col: 288 / 0
> Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
> Type: Vulnerability.Validation.EncodingRequired
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
> Line / Col: 288 / 0
> Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.AttachmentsIteratorTag.doAfterBody():int
> Type: Vulnerability.CrossSiteScripting
> Severity: High
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\AttachmentsIteratorTag.java
> Line / Col: 127 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
> Type: Vulnerability.Validation.EncodingRequired
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
> Line / Col: 288 / 0
> Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.SearchResultIteratorTag.doAfterBody():int
> Type: Vulnerability.CrossSiteScripting
> Severity: High
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\SearchResultIteratorTag.java
> Line / Col: 133 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.IteratorTag.doAfterBody():int
> Type: Vulnerability.CrossSiteScripting
> Severity: High
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IteratorTag.java
> Line / Col: 142 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
> Type: Vulnerability.Validation.EncodingRequired
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
> Line / Col: 288 / 0
> Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.HistoryIteratorTag.doAfterBody():int
> Type: Vulnerability.CrossSiteScripting
> Severity: High
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\HistoryIteratorTag.java
> Line / Col: 112 / 0
> Context: out . javax.servlet.jsp.JspWriter.print ( this.bodyContent . javax.servlet.jsp.tagext.BodyContent.getString() )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.LinkTag.doEndTag():int
> Type: Vulnerability.Validation.EncodingRequired
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\LinkTag.java
> Line / Col: 425 / 0
> Context: out . java.io.Writer.write ( linktext )
> Notes:
> -----------------------------------
> Name: com.ecyrd.jspwiki.tags.CalendarTag.doWikiStartTag():int
> Type: Vulnerability.Validation.EncodingRequired
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\CalendarTag.java
> Line / Col: 288 / 0
> Context: out . java.io.Writer.write ( new java.lang.StringBuilder . java.lang.StringBuilder.append("<tr>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(prevCal, "<<", queryString)) . java.lang.StringBuilder.append("<td colspan=5 class\"mont\">") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthLink(cal)) . java.lang.StringBuilder.append("</td>") . java.lang.StringBuilder.append(com.ecyrd.jspwiki.tags.CalendarTag.getMonthNaviLink(nextCal, ">>", queryString)) . java.lang.StringBuilder.append("</tr>\n") . java.lang.StringBuilder.toString() )
> Notes:
> -----------------------------------
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
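As an added example (not code from the issue, the report or JSPWiki), the value-write pattern the report flags at LinkTag.doEndTag() is shown beside its output-encoded form; the encode() method is a hypothetical stand-in for the TextUtil.replaceEntities() the recommendation names, the class and method names are invented for the demo, and the href and title values are constructed. It covers the write-a-value findings (LinkTag, CalendarTag), not the bodyContent pass-throughs in the iterator tags.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

/** Added demo, not JSPWiki code: encode() is a hypothetical stand-in for TextUtil.replaceEntities(). */
public class OutputEncodingDemo {
    /** Escapes the characters that let a value break out of an HTML text node or quoted attribute. */
    static String encode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break; // the escape character itself must be encoded too
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The pattern flagged at LinkTag.doEndTag(): the link text reaches the response writer as-is. */
    static void renderLinkUnencoded(Writer out, String href, String linktext) throws IOException {
        out.write("<a href=\"" + href + "\">");
        out.write(linktext); // finding: no output encoding
        out.write("</a>");
    }

    /** The same tag after the recommendation: every value is entity-encoded before it is written. */
    static void renderLinkEncoded(Writer out, String href, String linktext) throws IOException {
        out.write("<a href=\"" + encode(href) + "\">"); // attribute context: entities still apply
        out.write(encode(linktext));                       // text context: markup becomes literal text
        out.write("</a>");
    }

    public static void main(String[] args) throws IOException {
        String title = "Q&A <draft> \"v2\""; // constructed sample: a page title with HTML-significant chars
        StringWriter before = new StringWriter();
        StringWriter after = new StringWriter();
        renderLinkUnencoded(before, "Wiki.jsp?page=Main", title);
        renderLinkEncoded(after, "Wiki.jsp?page=Main", title);
        System.out.println("before: " + before); // the title's markup characters pass straight through
        System.out.println("after:  " + after);  // the same characters arrive as entities
    }
}
```

The unencoded output shows the raw angle brackets and quotes landing inside the anchor, which is exactly the condition the 13 findings describe; the encoded output keeps them as literal text however the value was sourced.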