Posted to jetspeed-user@portals.apache.org by David S Taylor <da...@bluesunrise.com> on 2016/03/03 22:16:41 UTC

[CVE-2016-0712] Apache Jetspeed information disclosure vulnerability

CVE-2016-0712:  Reflected Cross Site Scripting in URI path

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected

Description:
The URI path directory after /portal is vulnerable to reflected Cross Site Scripting. When the URL shown in the example below is visited, a JavaScript pop-up appears when the mouse is moved over the minimize/maximize buttons (this may differ for different UI versions).
Note that this issue is only reproduced on the Firefox browser.

Mitigation:
2.2.0 - 2.3.0 users should upgrade to 2.3.1

Example:
Given this URL:
http://192.168.2.9:8080/jetspeed/portal/foo%22onmouseover%3d%22alert%281%29?URL=foo/bar

The HTML response contains the injected script:
<a href="http://192.168.2.4:8080/jetspeed/portal/_ns:YXRlbXBsYXRlLXRvcDJfX3BhZ2UtdGVtcGxhdGVfX2pzbWluLTJfX2pzbWluLTN8ZDA_/foo"onmouseover="alert(1)"
title="Minimize" class="action portlet-action" ><img src="/jetspeed/decorations/images/minimized.gif" alt="Minimize" border="0"/></a>


Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html


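The reflection shown in the example above, modelled beside an encoded rendering, as an added example that is not Jetspeed code and not part of the original advisory. It assumes the decoded path is concatenated directly into the href; PORTAL_BASE and all function names are hypothetical.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

# Constructed input: the request URL from the advisory's example.
REQUEST_URL = ("http://192.168.2.9:8080/jetspeed/portal/"
               "foo%22onmouseover%3d%22alert%281%29?URL=foo/bar")
PORTAL_BASE = "/jetspeed/portal/"  # assumption: prefix in front of the reflected path


def decoded_portal_path(url):
    """Return the percent-decoded path after /portal, as the server sees it."""
    path = urlsplit(url).path
    return unquote(path[len(PORTAL_BASE):])


def render_unescaped(path):
    """Model of the flaw: decoded path concatenated into the href as-is."""
    return '<a href="' + PORTAL_BASE + path + '" title="Minimize">x</a>'


def render_escaped(path):
    """Hardened: re-encode the path for a URL, then escape for an attribute."""
    href = PORTAL_BASE + quote(path, safe="/")
    return '<a href="' + escape(href, quote=True) + '" title="Minimize">x</a>'


class AnchorAttrs(HTMLParser):
    """Collects the attribute names an HTML parser sees on the <a> tag."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names = [name for name, _ in attrs]


def anchor_attribute_names(markup):
    parser = AnchorAttrs()
    parser.feed(markup)
    return parser.names


if __name__ == "__main__":
    p = decoded_portal_path(REQUEST_URL)
    print(anchor_attribute_names(render_unescaped(p)))
    print(anchor_attribute_names(render_escaped(p)))
```

A regression test for the upgrade can reuse the same check: parse the rendered portlet action links and fail if any attribute appears that the template did not define.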