Posted to dev@jspwiki.apache.org by "Florian Holeczek (JIRA)" <ji...@apache.org> on 2011/09/11 01:35:10 UTC

[jira] [Closed] (JSPWIKI-70) Ounce Labs Security Finding: Input Validation - Unchecked Redirect Leads To Phishing Attach Servlet

     [ https://issues.apache.org/jira/browse/JSPWIKI-70?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-70.
-----------------------------------


> Ounce Labs Security Finding: Input Validation - Unchecked Redirect Leads To Phishing Attach Servlet
> ---------------------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-70
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-70
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: 
> The attachment servlet uses a "nextpage" parameter to determine where the user is redirected to after the attachment process completes.  This "nextpage" parameter is not validated to ensure that the user is not redirected outside the context of the application.  If an attacker can trick a victim into interacting with and posting his malicious "nextpage" parameter, the victim will be redirected to the attacker-controlled site, leading to potential phishing attacks.  The victim would see that the original request goes to the appropriate JSPWiki location (http://localhost:8080/JSPWiki/attach) and not realize he was maliciously redirected.
> Exploit HTTP POST: 
> 1. Note the "nextpage" value contains a value outside the web context of this application and could be that of a malicious location.
> POST http://localhost:8080/JSPWiki/attach HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://localhost:8080/JSPWiki/Upload.jsp?page=Main
> Cookie: JSPWikiAssertedName=127.0.0.1; JSESSIONID=285A5DB7AAE9476B56A653FDCB77C9B7
> Content-Type: multipart/form-data; boundary=---------------------------2132026317541759772579111
> Content-Length: 813
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="page"
> Main
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="content"; filename="test3"
> Content-Type: application/octet-stream
> test
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="upload"
> Upload
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="action"
> upload
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="changenote"
> -----------------------------2132026317541759772579111
> Content-Disposition: form-data; name="nextpage"
> http://www.ouncelabs.com
> -----------------------------2132026317541759772579111--
> Recommendation: 
> Validate that the "nextpage" value is that of an acceptable location.  For example, maybe it should be confined to the host running the JSPWiki site, or even compared to a list of valid redirection/host locations.
> Related Code Locations: 
> 4 findings:
>   Name:           com.ecyrd.jspwiki.attachment.AttachmentServlet.doPost(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\attachment\AttachmentServlet.java
>   Line / Col:     414 / 0
>   Context:        res . javax.servlet.http.HttpServletResponse.sendRedirect ( nextPage )
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.attachment.AttachmentServlet.upload(javax.servlet.http.HttpServletRequest):java.lang.String
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\attachment\AttachmentServlet.java
>   Line / Col:     493 / 0
>   Context:        req . javax.servlet.ServletRequest.getContentType ()
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.attachment.AttachmentServlet.doGet(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\attachment\AttachmentServlet.java
>   Line / Col:     299 / 0
>   Context:        res . javax.servlet.http.HttpServletResponse.sendRedirect ( nextPage )
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.attachment.AttachmentServlet.doPost(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Validation.Required
>   Severity:       High
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\attachment\AttachmentServlet.java
>   Line / Col:     422 / 0
>   Context:        res . javax.servlet.http.HttpServletResponse.sendRedirect ( e . com.ecyrd.jspwiki.filters.RedirectException.getRedirect() )
>     -----------------------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
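The following is an added example, not JSPWiki's own code nor the fix that closed this issue: a validator for the "nextpage" value that applies the recommendation in the report (same host as the wiki, inside its context path, otherwise a fixed fallback page) before the value reaches sendRedirect. The wiki base URL, the allowed authority list and the fallback page are assumed values for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Added example (not JSPWiki's own code): confine a "nextpage"-style redirect target to
 *  the wiki's host and context path before sendRedirect. BASE, ALLOWED_AUTHORITIES and
 *  FALLBACK are assumed values. */
public final class NextPageValidator {
    private static final URI BASE = URI.create("http://localhost:8080/JSPWiki/");
    private static final Set<String> ALLOWED_AUTHORITIES = Set.of("localhost:8080");
    private static final String FALLBACK = "http://localhost:8080/JSPWiki/Wiki.jsp?page=Main";

    /** Returns an absolute URL that is safe to pass to sendRedirect, or FALLBACK. */
    public static String safeRedirect(String nextPage) {
        if (nextPage == null || nextPage.isBlank()) {
            return FALLBACK;
        }
        URI target;
        try {
            // Relative values are resolved against the wiki base, absolute ones kept as
            // given; normalize() collapses "." and ".." segments before the path check.
            target = BASE.resolve(new URI(nextPage.trim())).normalize();
        } catch (URISyntaxException e) {
            return FALLBACK; // unparseable input (backslashes, spaces) is never followed
        }
        String scheme = target.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return FALLBACK; // javascript:, data:, mailto: and friends
        }
        // getAuthority() keeps userinfo and port, so "localhost:8080@evil.example" and
        // "localhost:9999" both fail this exact-match allowlist check.
        String authority = target.getAuthority();
        if (authority == null || !ALLOWED_AUTHORITIES.contains(authority.toLowerCase(Locale.ROOT))) {
            return FALLBACK;
        }
        String path = target.getRawPath();
        if (path == null || !path.startsWith(BASE.getRawPath())) {
            return FALLBACK; // "../" climbed out of the wiki context
        }
        return target.toString();
    }

    public static void main(String[] args) {
        String[] samples = {"Upload.jsp?page=Main", "http://www.ouncelabs.com",
                            "//www.ouncelabs.com/", "../../admin"};
        for (String s : samples) System.out.println(s + " -> " + safeRedirect(s));
    }
}
```

Only the first sample is returned unchanged; the external, scheme-relative and path-climbing values all collapse to FALLBACK, which is the behaviour the report's recommendation asks for.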