Posted to dev@deltaspike.apache.org by Luc Hua <sh...@gmail.com> on 2021/08/16 22:33:39 UTC

Another XSS vulnerability of the same type as CVE-2017-17837

Good afternoon,

I'm a security researcher utilizing the CodeQL code analysis tool from
GitHub to run queries against open-source projects to check for security
vulnerabilities.

When I checked CVE-2017-17837 "XSS injection leak in the windowId handling"
with the Apache DeltaSpike-JSF 1.8.0 module, I noticed a second issue of
the same category in the same program
<https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java>
:

Lines 98-99
(
https://github.com/apache/deltaspike/blob/4e2502358526b944fc5514c206d306e97ff271bb/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java#L98-L99)
have:
<code>
Cookie servletCookie = (Cookie) cookie;
writer.write(",'initialRedirectWindowId':'" + secureWindowId(servletCookie.getValue()) + "'");
</code>

As the cookie value can be manipulated by end users and attackers, XSS
attacks can therefore be injected there. Should <code>writer.write</code> be
changed to <code>writer.writeText</code>, similar to the change on line 81,
<code>writer.writeText(windowId, null);</code>?

The webpage <https://deltaspike.apache.org/community.html> says I'd better
ask on the mailing list before submitting a Jira request. Please
investigate this issue and advise whether this is a valid security
vulnerability and whether a Jira request should be submitted.

Thanks,
luchua
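
The program below is an added example for this thread; it is not code from the post or from the DeltaSpike project. It models the two write paths the post contrasts with a small stand-in for the JSF ResponseWriter (the real class is not used), renders the quoted pattern against constructed cookie values including two breakout payloads, and also shows context-correct escaping for a JavaScript string literal, which is the context the cookie value actually lands in: HTML escaping via writeText stops a </script> breakout, but whether it also neutralises a single-quote breakout depends on whether the JSF implementation's writeText encodes the apostrophe, which the stand-in assumes it does. The surrounding script markup, the renderWith* method names, the valueStaysInLiteral check and the payloads are assumptions made for illustration, and secureWindowId is left out because the post does not show what it does.

```java
import java.util.regex.Pattern;

public class WindowIdEscapeDemo {

    /** Stand-in for javax.faces.context.ResponseWriter, written for this example; it is not JSF code. */
    static final class HtmlWriter {
        private final StringBuilder out = new StringBuilder();

        /** Raw passthrough, like ResponseWriter.write(String). */
        HtmlWriter write(String s) { out.append(s); return this; }

        /**
         * HTML-escaped output, approximating ResponseWriter.writeText(Object, String). Assumption: all five
         * HTML-significant characters are encoded; whether a real JSF writeText encodes the apostrophe varies.
         */
        HtmlWriter writeText(String s) {
            for (char c : s.toCharArray()) {
                switch (c) {
                    case '<': out.append("&lt;"); break;
                    case '>': out.append("&gt;"); break;
                    case '&': out.append("&amp;"); break;
                    case '"': out.append("&quot;"); break;
                    case '\'': out.append("&#39;"); break;
                    default: out.append(c);
                }
            }
            return this;
        }

        @Override public String toString() { return out.toString(); }
    }

    /**
     * Context-correct escaping for a value inside a single-quoted JavaScript string literal in a script
     * block: backslash-escape quotes and backslash, and encode anything that could end the script element
     * (or is outside printable ASCII) as a JavaScript unicode escape, so "</script>" cannot survive.
     */
    static String jsStringEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '\'' || c == '"') {
                sb.append('\\').append(c);
            } else if (c == '<' || c == '>' || c == '&' || c == '/' || c < 0x20 || c > 0x7e) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // The surrounding script markup is assumed for this example; the real renderer's block differs.
    static final String PREFIX = "<script type=\"text/javascript\">window.dswh = {'windowId':'w1'";
    static final String SUFFIX = "};</script>";

    /** The pattern quoted in the post: the untrusted value is concatenated and passed to write(). */
    static String renderWithWrite(String cookieValue) {
        return new HtmlWriter().write(PREFIX)
                .write(",'initialRedirectWindowId':'" + cookieValue + "'").write(SUFFIX).toString();
    }

    /** The change the post proposes: the value itself goes through writeText(). */
    static String renderWithWriteText(String cookieValue) {
        return new HtmlWriter().write(PREFIX).write(",'initialRedirectWindowId':'")
                .writeText(cookieValue).write("'").write(SUFFIX).toString();
    }

    /** Context-correct alternative: escape for the JavaScript string literal, then write(). */
    static String renderWithJsEscape(String cookieValue) {
        return new HtmlWriter().write(PREFIX)
                .write(",'initialRedirectWindowId':'" + jsStringEscape(cookieValue) + "'").write(SUFFIX).toString();
    }

    /** Matches the literal only if it is still closed by the quote and brace the template wrote. */
    private static final Pattern LITERAL = Pattern.compile("'initialRedirectWindowId':'((?:[^'\\\\]|\\\\.)*)'\\}");

    /** Breakout check: exactly one script element, and the value still sits inside the quoted literal. */
    static boolean valueStaysInLiteral(String html) {
        int scriptCloses = html.split("</script>", -1).length - 1;
        return scriptCloses == 1 && LITERAL.matcher(html).find();
    }

    public static void main(String[] args) {
        // Constructed cookie values; an attacker can plant such a value, e.g. from a sibling subdomain.
        String[] payloads = {"abc123", "</script><script>alert(document.cookie)</script>", "'+alert(1)+'"};
        for (String p : payloads) {
            System.out.println("payload:   " + p);
            System.out.println("write:     safe=" + valueStaysInLiteral(renderWithWrite(p)) + "  " + renderWithWrite(p));
            System.out.println("writeText: safe=" + valueStaysInLiteral(renderWithWriteText(p)) + "  " + renderWithWriteText(p));
            System.out.println("jsEscape:  safe=" + valueStaysInLiteral(renderWithJsEscape(p)) + "  " + renderWithJsEscape(p));
        }
    }
}
```

Compile and run with javac WindowIdEscapeDemo.java and java WindowIdEscapeDemo. The write() rendering reports safe=false for both breakout payloads, the writeText() rendering is safe only because the stand-in encodes the apostrophe as well as the angle brackets, and the JavaScript-literal escaping is safe without depending on that, which is why escaping for the actual output context is the more robust fix when a value is placed inside a script block rather than in HTML text.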

Re: Another XSS vulnerability of the same type as CVE-2017-17837

Posted by Luc Hua <sh...@gmail.com>.
As I haven't received any advice, I'll open a Jira ticket directly.

On Mon, Aug 16, 2021 at 6:33 PM Luc Hua <sh...@gmail.com> wrote:

> Good afternoon,
>
> I'm a security researcher utilizing the CodeQL code analysis tool from
> GitHub to run queries against open-source projects to check for security
> vulnerabilities.
>
> When I checked CVE-2017-17837 "XSS injection leak in the windowId
> handling" with the Apache DeltaSpike-JSF 1.8.0 module, I noticed a second
> issue of the same category in the same program
> <https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java>
> :
>
> Lines 98-99
> (
> https://github.com/apache/deltaspike/blob/4e2502358526b944fc5514c206d306e97ff271bb/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java#L98-L99)
> have:
> <code>
> Cookie servletCookie = (Cookie) cookie;
> writer.write(",'initialRedirectWindowId':'" + secureWindowId(servletCookie.getValue()) + "'");
> </code>
>
> As the cookie value can be manipulated by end users and attackers, XSS
> attacks can therefore be injected there. Should <code>writer.write</code> be
> changed to <code>writer.writeText</code>, similar to the change on line 81,
> <code>writer.writeText(windowId, null);</code>?
>
> The webpage <https://deltaspike.apache.org/community.html> says I'd
> better ask on the mailing list before submitting a Jira request. Please
> investigate this issue and advise whether this is a valid security
> vulnerability and whether a Jira request should be submitted.
>
> Thanks,
> luchua
>