Posted to commits@wicket.apache.org by "Joel Barciauskas (JIRA)" <ji...@apache.org> on 2010/06/08 18:49:11 UTC
[jira] Created: (WICKET-2907) XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
------------------------------------------------------------------------------------------------------------
Key: WICKET-2907
URL: https://issues.apache.org/jira/browse/WICKET-2907
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 1.4.9
Reporter: Joel Barciauskas
When using the default URL coding strategy, along with automaticmultiwindowsupport set to true, any bookmarkablepagelink may be modified to enable injection of arbitrary javascript code.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (WICKET-2907) XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
Posted by "Joel Barciauskas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12876725#action_12876725 ]
Joel Barciauskas edited comment on WICKET-2907 at 6/8/10 12:55 PM:
-------------------------------------------------------------------
For anyone viewing this issue before it is resolved but is concerned about the possible impact, I believe changing your application to use a crypted URL strategy, e.g. adding this to your WicketApplication.java:
@Override
protected IRequestCycleProcessor newRequestCycleProcessor() {
    return new WebRequestCycleProcessor() {
        @Override
        protected IRequestCodingStrategy newRequestCodingStrategy() {
            // wrap the default strategy so generated URLs are encrypted
            return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
        }
    };
}
would prevent the issue, although it means bookmarkable URLs are only valid for the session within which they are generated (meaning, not really bookmarkable any more).
Other URL coding strategies may be applied to prevent this attack per bookmarkable page, but only the crypted URL strategy guarantees all links are safe.
was (Author: jbarciauskas):
For anyone viewing this issue before it is resolved but is concerned about the possible impact, I believe changing your application to use a crypted URL strategy, e.g. adding this to your WicketApplication.java:
@Override
protected IRequestCycleProcessor newRequestCycleProcessor() {
    return new WebRequestCycleProcessor() {
        @Override
        protected IRequestCodingStrategy newRequestCodingStrategy() {
            // wrap the default strategy so generated URLs are encrypted
            return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
        }
    };
}
would prevent the issue, although it means bookmarkable URLs are only valid for the session within which they are generated.
> XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
> ------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-2907
> URL: https://issues.apache.org/jira/browse/WICKET-2907
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.9
> Reporter: Joel Barciauskas
> Attachments: xsstest.zip
>
>
> When using the default URL coding strategy, along with automaticmultiwindowsupport set to true, any bookmarkablepagelink may be modified to enable injection of arbitrary javascript code.
[jira] Commented: (WICKET-2907) XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
Posted by "Joel Barciauskas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12876729#action_12876729 ]
Joel Barciauskas commented on WICKET-2907:
------------------------------------------
See WebPage$PageMapChecker, lines 147-165, in particular:
154: url = cycle.urlFor(redirect);
...
162: response.write("if (window.name=='' || (window.name.indexOf('wicket') > -1 && window.name!='" +
163: "wicket-" + name + "')) { window.location=\"");
164: response.write(url);
The string 'url' can contain characters that, when written to the page, close the window.location line with a "; and then start printing whatever JS has been encoded in the rest of the URL.
[jira] Closed: (WICKET-2907) CSRF vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2907?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Vaynberg closed WICKET-2907.
---------------------------------
Assignee: Igor Vaynberg
Resolution: Cannot Reproduce
I tried to reproduce it but could not.
First of all, the link that was supposed to cause it was broken: it used the xsstest context while the quickstart runs in root. Even after fixing the link, the output to the browser was like this:
<script type="text/javascript" ><!--/*--><![CDATA[/*><!--*/
if (window.name=='' || (window.name.indexOf('wicket') > -1 && window.name!='wicket-wicket:default')) { window.location="?wicket:bookmarkablePage=wicket-3:foo.OtherPage&?9a58d%22%3Balert%28'we+are+now+executing+arbitrary+JS+sent+in+a+link'%29%3B%7D//53796d16013=1" + (window.location.hash != null ? window.location.hash : ""); }
/*-->]]>*/</script>
So your javascript snippet failed to produce the quote ( " ) character in order to close Wicket's javascript. I have tested in IE8, ffox, chrome, and none executed the javascript.
Please reopen when you can provide a working testcase, cheers.
> CSRF vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
> -------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-2907
> URL: https://issues.apache.org/jira/browse/WICKET-2907
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.9
> Reporter: Joel Barciauskas
> Assignee: Igor Vaynberg
> Attachments: xsstest.zip
>
>
> When using the default URL coding strategy, along with automaticmultiwindowsupport set to true, any bookmarkablepagelink may be modified to enable injection of arbitrary javascript code.
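As an added example that is not part of this issue thread and not Wicket's own code, the following JavaScript models the script assembly Joel quotes from WebPage$PageMapChecker (lines 162-164) and the output Igor pasted in the "Cannot Reproduce" comment. It renders the snippet with and without escaping the URL for a JavaScript string literal, then checks whether the URL comes back out of that literal unchanged. The function names, the allowlist-based escaper and the sample URLs are this example's own assumptions, not Wicket's API or the attached quickstart.

```javascript
// Added example, not Wicket's code: models how the inline script quoted from
// WebPage$PageMapChecker is assembled and checks whether the URL survives as
// a single JavaScript string literal. All names here are this example's own.

// Mirrors lines 162-164 of the quoted snippet: the URL is concatenated straight
// into a double-quoted JS string. `escape` is the step the original lacks;
// pass `identity` to reproduce the original behaviour.
function renderRedirectScript(pageMapName, url, escape) {
  return "if (window.name=='' || (window.name.indexOf('wicket') > -1 && window.name!='" +
    "wicket-" + pageMapName + "')) { window.location=\"" +
    escape(url) +
    "\" + (window.location.hash != null ? window.location.hash : \"\"); }";
}

const identity = (s) => s;

// Escape a value for a double-quoted JS string literal inside a <script> block.
// Allowlist: letters, digits and URL punctuation that is harmless in this
// context; everything else (quotes, backslash, <, >, &, /, control and line
// terminator characters) becomes a \uXXXX escape, valid in both JS and JSON.
function escapeForJsString(s) {
  return s.replace(/[^A-Za-z0-9 .,:;=?#%_\-~]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Detection-side check: pull out the literal that follows window.location="
// the way a JS parser would, honouring backslash escapes and stopping at the
// first unescaped double quote. Returns null if the literal never terminates.
function extractLocationLiteral(script) {
  const marker = 'window.location="';
  const start = script.indexOf(marker);
  if (start < 0) return null;
  let out = '';
  for (let i = start + marker.length; i < script.length; i++) {
    const ch = script[i];
    if (ch === '\\') {
      out += ch + (i + 1 < script.length ? script[i + 1] : '');
      i++; // the escaped character is consumed together with the backslash
      continue;
    }
    if (ch === '"') return out;
    out += ch;
  }
  return null;
}

// True only if the literal in the rendered script decodes back to the original
// URL, i.e. nothing in the URL closed the string early or altered its value.
function urlSurvivesAsLiteral(pageMapName, url, escape) {
  const literal = extractLocationLiteral(renderRedirectScript(pageMapName, url, escape));
  if (literal === null) return false;
  try {
    return JSON.parse('"' + literal + '"') === url;
  } catch (e) {
    return false; // raw control characters or non-JSON escapes: literal is not clean
  }
}

// Constructed sample URLs (not taken from the issue's attachment).
const CLEAN_URL = '?wicket:bookmarkablePage=:foo.OtherPage';
// Quote arrives percent-encoded, as in the output pasted in the "Cannot Reproduce" comment.
const PERCENT_ENCODED_QUOTE_URL = '?wicket:bookmarkablePage=:foo.OtherPage&q=a%22b';
// Quote reaches the page verbatim: the condition the reporter describes.
const RAW_QUOTE_URL = '?wicket:bookmarkablePage=:foo.OtherPage&q=a"b';

function report() {
  const cases = { CLEAN_URL, PERCENT_ENCODED_QUOTE_URL, RAW_QUOTE_URL };
  return Object.entries(cases).map(([label, url]) => ({
    label,
    unescaped: urlSurvivesAsLiteral('default', url, identity),
    escaped: urlSurvivesAsLiteral('default', url, escapeForJsString),
  }));
}

console.log(report());
```

A URL whose quote arrives as %22 round-trips even without escaping, which matches the non-reproduction result above; a URL carrying a raw quote closes the literal early unless the server escapes it for the JavaScript string context. The same round-trip check can be run against a real rendered page as a regression test for this sink.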
[jira] Issue Comment Edited: (WICKET-2907) XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
Posted by "Joel Barciauskas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12876725#action_12876725 ]
Joel Barciauskas edited comment on WICKET-2907 at 6/8/10 12:54 PM:
-------------------------------------------------------------------
For anyone viewing this issue before it is resolved but is concerned about the possible impact, I believe changing your application to use a crypted URL strategy, e.g. adding this to your WicketApplication.java:
@Override
protected IRequestCycleProcessor newRequestCycleProcessor() {
    return new WebRequestCycleProcessor() {
        @Override
        protected IRequestCodingStrategy newRequestCodingStrategy() {
            // wrap the default strategy so generated URLs are encrypted
            return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
        }
    };
}
would prevent the issue, although it means bookmarkable URLs are only valid for the session within which they are generated.
was (Author: jbarciauskas):
For anyone viewing this issue before it is resolved whom it might affect, I believe changing your application to use a crypted URL strategy, e.g. adding this to your WicketApplication.java:
@Override
protected IRequestCycleProcessor newRequestCycleProcessor() {
    return new WebRequestCycleProcessor() {
        @Override
        protected IRequestCodingStrategy newRequestCodingStrategy() {
            // wrap the default strategy so generated URLs are encrypted
            return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
        }
    };
}
would prevent the issue, although it means bookmarkable URLs are only valid for the session within which they are generated.
[jira] Updated: (WICKET-2907) XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
Posted by "Joel Barciauskas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2907?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joel Barciauskas updated WICKET-2907:
-------------------------------------
Attachment: xsstest.zip
Attaching a quickstart. While obviously no developer would embed a link in the application as I have done, a malicious person could send such a link to a user. The user could click this link and the attacker would then be able to execute javascript on behalf of the user.
[jira] Updated: (WICKET-2907) CSRF vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
Posted by "Joel Barciauskas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2907?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joel Barciauskas updated WICKET-2907:
-------------------------------------
Summary: CSRF vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features (was: XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features)
> CSRF vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
> -------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-2907
> URL: https://issues.apache.org/jira/browse/WICKET-2907
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.9
> Reporter: Joel Barciauskas
> Attachments: xsstest.zip
>
>
> When using the default URL coding strategy, along with automaticmultiwindowsupport set to true, any bookmarkablepagelink may be modified to enable injection of arbitrary javascript code.
[jira] Commented: (WICKET-2907) XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
Posted by "Joel Barciauskas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-2907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12876725#action_12876725 ]
Joel Barciauskas commented on WICKET-2907:
------------------------------------------
For anyone viewing this issue before it is resolved whom it might affect, I believe changing your application to use a crypted URL strategy, e.g. adding this to your WicketApplication.java:
@Override
protected IRequestCycleProcessor newRequestCycleProcessor() {
    return new WebRequestCycleProcessor() {
        @Override
        protected IRequestCodingStrategy newRequestCodingStrategy() {
            // wrap the default strategy so generated URLs are encrypted
            return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
        }
    };
}
would prevent the issue, although it means bookmarkable URLs are only valid for the session within which they are generated.