Posted to dev@isis.apache.org by "Dan Haywood (JIRA)" <ji...@apache.org> on 2014/10/09 14:22:33 UTC

[jira] [Commented] (ISIS-884) ErrorPage vulnerable to XSS attacks.

    [ https://issues.apache.org/jira/browse/ISIS-884?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14165073#comment-14165073 ] 

Dan Haywood commented on ISIS-884:
----------------------------------

Just to confirm, 1.7.0 (getting close to release) will be released for JDK 1.6.

But 1.8.0, to follow, will be JDK 1.7.

> ErrorPage vulnerable to XSS attacks.
> ------------------------------------
>
>                 Key: ISIS-884
>                 URL: https://issues.apache.org/jira/browse/ISIS-884
>             Project: Isis
>          Issue Type: Bug
>          Components: Viewer: Wicket
>    Affects Versions: viewer-wicket-1.6.0
>            Reporter: Dan Haywood
>            Assignee: Dan Haywood
>            Priority: Blocker
>             Fix For: viewer-wicket-1.7.0
>
>
> The default error page (org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage) is vulnerable to XSS via org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel
> In the constructor of ExceptionStackTracePanel, it adds a Label with the exception message and calls setEscapeModelStrings(false)
> This means that a URL can be constructed to reference an entity with Javascript inserted where the OID should be, and an exception is thrown with the Javascript code inserted into the message.
> This is then written to the page un-escaped to be executed in the user's session.
> It is made worse by the bookmarkable feature (I think that's what does this), where an attacker can navigate to a crafted URL on a user's PC, if they don't close all of their browser windows before the session times out, when they log in they will be redirected to the crafted URL.



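The report above describes a Wicket Label built from the exception message with setEscapeModelStrings(false). The following is an added example, not code from Apache Isis: a hypothetical panel class (ExceptionMessagePanelExample, with assumed markup ids exceptionMessage and exceptionStackTrace) that shows that construction next to the corrected form, which simply leaves Wicket's default escaping on and uses MultiLineLabel where line breaks in a stack trace are wanted.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

import org.apache.wicket.Component;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.basic.MultiLineLabel;
import org.apache.wicket.markup.html.panel.Panel;

// Hypothetical panel (not the Isis ExceptionStackTracePanel) that renders an
// exception on an error page. The markup is assumed to contain
// <span wicket:id="exceptionMessage"/> and <pre wicket:id="exceptionStackTrace"/>.
public class ExceptionMessagePanelExample extends Panel {

    private static final long serialVersionUID = 1L;

    public ExceptionMessagePanelExample(String id, Throwable ex) {
        super(id);
        // Hardened wiring: escaping stays enabled, so any markup that reached the
        // exception message (for example from a request parameter that ended up
        // in an OID lookup) is shown as text rather than interpreted by the browser.
        add(safeMessageLabel("exceptionMessage", ex));
        add(safeStackTraceLabel("exceptionStackTrace", ex));
    }

    /**
     * The pattern the report describes: a Label over an attacker-influenced
     * string with model-string escaping switched off. Kept here only to make
     * the difference from the safe version visible; do not use it.
     */
    static Component unsafeMessageLabel(String id, Throwable ex) {
        Label label = new Label(id, String.valueOf(ex.getMessage()));
        label.setEscapeModelStrings(false); // message is written to the page as raw HTML
        return label;
    }

    /**
     * Corrected form: Wicket's Label escapes its model string by default, so a
     * message such as "no entity <script>...</script>" renders as literal text.
     */
    static Component safeMessageLabel(String id, Throwable ex) {
        return new Label(id, String.valueOf(ex.getMessage()));
    }

    /**
     * A stack trace needs line breaks, which is the usual reason for turning
     * escaping off. MultiLineLabel keeps escaping on (the model string is
     * escaped first) and only then converts newlines into <br/> and <p> markup.
     */
    static Component safeStackTraceLabel(String id, Throwable ex) {
        StringWriter sw = new StringWriter();
        ex.printStackTrace(new PrintWriter(sw));
        return new MultiLineLabel(id, sw.toString());
    }
}
```

The check to apply when reviewing an error page is the same one the report makes: any call to setEscapeModelStrings(false) on a component whose model text can contain request-derived data (exception messages, entity identifiers, query parameters) is a finding, and the fix is to delete that call rather than to sanitize the message, since the exception text is not trusted input in the first place.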