Posted to issues@cxf.apache.org by "chandra (Jira)" <ji...@apache.org> on 2022/03/09 10:35:00 UTC

[jira] [Comment Edited] (CXF-8672) CXF /services page causing vulnerable to a reflected Cross-Site Scripting (XSS) attack in latest and Older CXF version

    [ https://issues.apache.org/jira/browse/CXF-8672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17503375#comment-17503375 ] 

chandra edited comment on CXF-8672 at 3/9/22, 10:34 AM:
--------------------------------------------------------

Hi Colm,

We have a project called "app", and in that we have services which will list down all the WADLs which we have exposed for users, like this.

!image-2022-03-09-13-38-58-622.png!

Now, as soon as we enter something in a <script> tag, like this

!image-2022-03-09-13-42-02-067.png!

 

it gives me a valid result, "no service was found", as the script tag was handled by the XSS protection in the response headers.

 

But the issue lies here: when we add /services again in the URL after the script tag, like this

!image-2022-03-09-13-43-17-906.png!

in this case it should not show the WADL. It should give an error, because even if we add /services at the last place in the URL it should not work.

 

In the web.xml file we are using the CXF servlet, which is using /services:

    <servlet-mapping>
        <servlet-name>CXFServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>

We checked this in 3.5.1 and in 3.4.5, and this problem occurs.

 

We saw there were some issues raised regarding this, but we haven't found a fix.

 

[https://github.com/advisories/GHSA-f93p-f762-vr53]

[https://cxf.apache.org/docs/servlet-transport.html]


was (Author: JIRAUSER286324):
Hi Colm,

We have a project called "SpatialServerManager", and in that we have services which will list down all the WADLs which we have exposed for users, like this.

!image-2022-03-09-13-38-58-622.png!

Now, as soon as we enter something in a <script> tag, like this

!image-2022-03-09-13-42-02-067.png!

 

it gives me a valid result, "no service was found", as the script tag was handled by the XSS protection in the response headers.

 

But the issue lies here: when we add /services again in the URL after the script tag, like this

!image-2022-03-09-13-43-17-906.png!

in this case it should not show the WADL. It should give an error, because even if we add /services at the last place in the URL it should not work.

 

In the web.xml file we are using the CXF servlet, which is using /services:

    <servlet-mapping>
        <servlet-name>CXFServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>

We checked this in 3.5.1 and in 3.4.5, and this problem occurs.

 

We saw there were some issues raised regarding this, but we haven't found a fix.

 

[https://github.com/advisories/GHSA-f93p-f762-vr53]

[https://cxf.apache.org/docs/servlet-transport.html]


> CXF /services page causing vulnerable to a reflected Cross-Site Scripting (XSS) attack in latest and Older CXF version
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8672
>                 URL: https://issues.apache.org/jira/browse/CXF-8672
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.5, 3.5.1
>         Environment: Java -11
> Windows
>            Reporter: chandra
>            Priority: Blocker
>         Attachments: beans.xml, web.xml
>
>
> We're creating a JAX-WS endpoint based on our implementation class. We have attached our web.xml file and our beans.xml file, where we are exposing our services param.
> We found out that while listing our services endpoint using the CXF servlet we are facing security issues.
> Actually we have a URL:
> URL http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2 and the XSS vulnerability is working fine in this. It is giving an error when we add a <script> tag in the URL which contains the domain name or cookie, and it should work in this way.
> But as soon as we enter "/services" at the last place in the URL (see below)
> URL http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2/services
> it will list down the WADL services which are exposed. In this case it should throw an error. "/services" is handled by the CXF servlet in web.xml. We looked into the CXF sites and found that it is a known bug in the CXF library which was not fixed in the latest CXF version too, e.g. 3.5.1.
> This URL is OK - http://localhost:8080/app/services -> gives WADL
> This URL is OK - http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2 -> gives error as "No services found", handling the <script> tag as XSS protection.
> But this URL is not OK and it should be fixed by the CXF library - http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2/services -> gives WADL
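As an added example, not code from CXF or from the reporter's project: a servlet Filter that a deployment can register in web.xml on the same /services/* mapping as CXFServlet (declared ahead of it), so that a request path segment containing characters outside a small allow-list is refused with 400 before the listing page is rendered. This covers both shapes in the report, the bare payload and the payload with /services appended, because the offending segment is rejected wherever it sits. The class name ServicesPathFilter, the allow-list pattern, the use of the javax.servlet API, and the assumption that the container has already percent-decoded getPathInfo() are all assumptions of this example.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of CXF): validates the path under the CXF
// servlet mapping before CXFServlet can echo it into the generated HTML.
public class ServicesPathFilter implements Filter {

    // Allow-list per path segment: RFC 3986 unreserved characters only.
    // '<', '>', '"', '\'' and '&' are therefore never accepted.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9._~-]*");

    /** True when every segment of the (already decoded) path is on the allow-list. */
    static boolean isSafePath(String decodedPath) {
        for (String segment : decodedPath.split("/")) {
            if (!SAFE_SEGMENT.matcher(segment).matches()) {
                return false;
            }
        }
        return true;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getPathInfo() is the part after the /services mapping and is already
        // percent-decoded by the container (assumption), so the encoded form
        // %22%3e%3cscript%3e from the report arrives here as "><script>.
        String pathInfo = request.getPathInfo();
        if (pathInfo != null && !isSafePath(pathInfo)) {
            // Refuse the request; do not echo the offending path back to the client.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release in this example
    }
}
```

To wire it in, add a <filter> element for ServicesPathFilter and a <filter-mapping> with <url-pattern>/services/*</url-pattern> before the CXFServlet mapping in web.xml. With the report's three URLs, /services and /services/ pass through unchanged, while both /services/"><script>...</script>sz2q2 and /services/"><script>...</script>sz2q2/services are answered with 400, since the segment check does not depend on what follows it. The filter is a deployment-side mitigation and does not replace a fix in the CXF listing page itself.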



--
This message was sent by Atlassian Jira
(v8.20.1#820001)