Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2015/11/06 16:50:27 UTC
[jira] [Reopened] (OFBIZ-6669) Possible static XSS issue with Content
[ https://issues.apache.org/jira/browse/OFBIZ-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux reopened OFBIZ-6669:
------------------------------------
I reopen here to allow users to choose not to encode contents in *ContentWrapper classes, as they already can with the ContentWorker class using the content.sanitize property. Actually I will use another content.encode property and will generalize by creating a new UtilCodec.HtmlEncoder.encodeOrNot() method and use it in *ContentWrapper classes.
But the property should not be in the content application, to not introduce a dependency from base; not sure where to put it apart from base itself (in an owasp.properties maybe), to avoid introducing a dependency in base which is currently clean:
{code}
C:\projectASF-Mars\ofbiz\framework\base>"C:\Program Files\Java\jdk1.8.0_51\bin\jdeps" build\lib\ofbiz-base.jar
ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\jce.jar
ofbiz-base.jar -> not found
ofbiz-base.jar -> build\lib\ofbiz-base.jar
ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\rt.jar
org.ofbiz.base.component (ofbiz-base.jar)
-> java.io
-> java.lang
-> java.net
-> java.security
-> java.util
-> java.util.concurrent.atomic
-> javax.xml.parsers
-> org.ofbiz.base.config ofbiz-base.jar
-> org.ofbiz.base.container ofbiz-base.jar
-> org.ofbiz.base.location ofbiz-base.jar
-> org.ofbiz.base.util ofbiz-base.jar
-> org.ofbiz.base.util.string ofbiz-base.jar
-> org.w3c.dom
-> org.xml.sax
org.ofbiz.base.concurrent (ofbiz-base.jar)
-> java.lang
-> java.util
-> java.util.concurrent
-> org.ofbiz.base.util ofbiz-base.jar
org.ofbiz.base.config (ofbiz-base.jar)
-> java.io
-> java.lang
-> java.net
-> java.util
-> java.util.concurrent
-> javax.xml.parsers
-> org.ofbiz.base.util ofbiz-base.jar
-> org.ofbiz.base.util.cache ofbiz-base.jar
-> org.w3c.dom
-> org.xml.sax
org.ofbiz.base.container (ofbiz-base.jar)
-> bsh not found
-> java.io
-> java.lang
-> java.net
-> java.rmi
-> java.rmi.registry
-> java.rmi.server
-> java.util
-> java.util.concurrent.atomic
-> javax.xml.parsers
-> org.ofbiz.base.component ofbiz-base.jar
-> org.ofbiz.base.config ofbiz-base.jar
-> org.ofbiz.base.start not found
-> org.ofbiz.base.util ofbiz-base.jar
-> org.w3c.dom
-> org.xml.sax
org.ofbiz.base.conversion (ofbiz-base.jar)
-> com.ibm.icu.util not found
-> java.io
-> java.lang
-> java.lang.reflect
-> java.math
-> java.net
-> java.nio
-> java.nio.charset
-> java.sql
-> java.text
-> java.util
-> java.util.concurrent
-> java.util.regex
-> javax.sql.rowset.serial
-> org.ofbiz.base.lang ofbiz-base.jar
-> org.ofbiz.base.util ofbiz-base.jar
org.ofbiz.base.crypto (ofbiz-base.jar)
-> java.io
-> java.lang
-> java.nio.charset
-> java.security
-> java.security.spec
-> java.util
-> javax.crypto
-> javax.crypto.spec
-> org.apache.commons.codec.binary not found
-> org.apache.commons.lang not found
-> org.apache.shiro.crypto not found
-> org.ofbiz.base.util ofbiz-base.jar
org.ofbiz.base.lang (ofbiz-base.jar)
-> com.fasterxml.jackson.databind not found
-> java.io
-> java.lang
-> java.lang.annotation
-> org.apache.commons.io not found
-> org.ofbiz.base.util ofbiz-base.jar
org.ofbiz.base.location (ofbiz-base.jar)
-> java.io
-> java.lang
-> java.net
-> java.util
-> org.ofbiz.base.component ofbiz-base.jar
-> org.ofbiz.base.util ofbiz-base.jar
org.ofbiz.base.metrics (ofbiz-base.jar)
-> java.lang
-> java.util
-> org.ofbiz.base.util ofbiz-base.jar
-> org.ofbiz.base.util.cache ofbiz-base.jar
-> org.w3c.dom
org.ofbiz.base.splash (ofbiz-base.jar)
-> java.awt
-> java.awt.image
-> java.io
-> java.lang
-> org.ofbiz.base.start not found
org.ofbiz.base.util (ofbiz-base.jar)
-> bsh not found
-> com.ibm.icu.text not found
-> com.ibm.icu.util not found
-> com.thoughtworks.xstream not found
-> com.thoughtworks.xstream.converters not found
-> com.thoughtworks.xstream.io not found
-> groovy.lang not found
-> java.io
-> java.lang
-> java.lang.ref
-> java.lang.reflect
-> java.math
-> java.net
-> java.nio
-> java.nio.charset
-> java.rmi.server
-> java.security
-> java.security.cert
-> java.security.spec
-> java.sql
-> java.text
-> java.util
-> java.util.concurrent
-> java.util.concurrent.atomic
-> java.util.regex
-> javax.naming
-> javax.net.ssl
-> javax.script
-> javax.security.auth.x500
-> javax.security.cert
-> javax.servlet not found
-> javax.servlet.http not found
-> javax.xml.parsers
-> javax.xml.transform
-> javax.xml.transform.dom
-> javax.xml.transform.stream
-> org.apache.bsf not found
-> org.apache.bsf.util not found
-> org.apache.commons.codec not found
-> org.apache.commons.codec.binary not found
-> org.apache.commons.io not found
-> org.apache.commons.lang not found
-> org.apache.commons.validator.routines not found
-> org.apache.logging.log4j not found
-> org.apache.oro.text.regex not found
-> org.apache.xerces.parsers not found
-> org.apache.xerces.xni not found
-> org.codehaus.groovy.control not found
-> org.codehaus.groovy.runtime not found
-> org.ofbiz.base.component ofbiz-base.jar
-> org.ofbiz.base.config ofbiz-base.jar
-> org.ofbiz.base.conversion ofbiz-base.jar
-> org.ofbiz.base.lang ofbiz-base.jar
-> org.ofbiz.base.location ofbiz-base.jar
-> org.ofbiz.base.util.cache ofbiz-base.jar
-> org.ofbiz.base.util.collections ofbiz-base.jar
-> org.ofbiz.base.util.string ofbiz-base.jar
-> org.owasp.esapi.codecs not found
-> org.w3c.dom
-> org.w3c.dom.bootstrap
-> org.w3c.dom.ls
-> org.xml.sax
-> org.xml.sax.helpers
org.ofbiz.base.util.cache (ofbiz-base.jar)
-> com.googlecode.concurrentlinkedhashmap not found
-> java.io
-> java.lang
-> java.util
-> java.util.concurrent
-> java.util.concurrent.atomic
-> jdbm not found
-> jdbm.helper not found
-> jdbm.htree not found
-> jdbm.recman not found
-> org.ofbiz.base.concurrent ofbiz-base.jar
-> org.ofbiz.base.util ofbiz-base.jar
org.ofbiz.base.util.collections (ofbiz-base.jar)
-> java.io
-> java.lang
-> java.util
-> java.util.concurrent.atomic
-> javax.el not found
-> javax.servlet not found
-> javax.servlet.http not found
-> org.ofbiz.base.lang ofbiz-base.jar
-> org.ofbiz.base.util ofbiz-base.jar
-> org.ofbiz.base.util.cache ofbiz-base.jar
-> org.ofbiz.base.util.string ofbiz-base.jar
org.ofbiz.base.util.string (ofbiz-base.jar)
-> de.odysseus.el not found
-> de.odysseus.el.misc not found
-> de.odysseus.el.tree not found
-> de.odysseus.el.tree.impl not found
-> de.odysseus.el.tree.impl.ast not found
-> java.beans
-> java.io
-> java.lang
-> java.lang.reflect
-> java.math
-> java.net
-> java.sql
-> java.text
-> java.util
-> javax.el not found
-> javax.xml.namespace
-> javax.xml.transform
-> javax.xml.transform.stream
-> javax.xml.xpath
-> org.apache.xerces.dom not found
-> org.cyberneko.html.parsers not found
-> org.ofbiz.base.lang ofbiz-base.jar
-> org.ofbiz.base.location ofbiz-base.jar
-> org.ofbiz.base.util ofbiz-base.jar
-> org.ofbiz.base.util.cache ofbiz-base.jar
-> org.ofbiz.base.util.collections ofbiz-base.jar
-> org.w3c.dom
org.ofbiz.base.util.template (ofbiz-base.jar)
-> freemarker.cache not found
-> freemarker.core not found
-> freemarker.ext.beans not found
-> freemarker.template not found
-> java.io
-> java.lang
-> java.net
-> java.util
-> javax.servlet not found
-> javax.servlet.http not found
-> javax.xml.parsers
-> javax.xml.transform
-> javax.xml.transform.dom
-> javax.xml.transform.sax
-> javax.xml.transform.stream
-> org.ofbiz.base.location ofbiz-base.jar
-> org.ofbiz.base.util ofbiz-base.jar
-> org.ofbiz.base.util.cache ofbiz-base.jar
-> org.w3c.dom
-> org.xml.sax
{code}
Other ideas?
> Possible static XSS issue with Content
> --------------------------------------
>
> Key: OFBIZ-6669
> URL: https://issues.apache.org/jira/browse/OFBIZ-6669
> Project: OFBiz
> Issue Type: Bug
> Components: content, order, party, product, workeffort
> Affects Versions: Release Branch 12.04, Release Branch 13.07, Release Branch 14.12, Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, Upcoming Branch
>
>
> I found a possible XSS attack through *ContentWrapper.java and ContentWorker itself.
> Note that in supported releases it's hard to exploit, it's a Stored XSS https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting which means you first need to somehow inject exploit code into the DB.
> Issues in *ContentWrapper.java have already been fixed by changing the ContentWrapper interface
> from
> {code}
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId);
> }
> {code}
> to
> {code}
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
> }
> {code}
> And changing the Category, Party, Product, ProductPromo, ProductConfigItem and WorkEffort ContentWrappers accordingly. This means using 2 types of encoderType: "html" and "url".
> The "html" encoderType will be used for all ProductContentTypes but those whose ContentTypeIds contain URL (actually end with "_URL"), which will use the "url" encoderType.
> It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.
> It seems a big change but it's straightforward. It's now complete after the following commits in revisions (I hope I did not miss any):
> trunk 1705329 1705417 1705427 1705532 1706159 1706162 1707857 1708930
> and related backports in R14.12 1705331 1705418 1705428 1705533 1706160 1706163 1707858 1708931
> I have also committed a fix for ContentWorker. For that I have added owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property in content.properties with some explanations. The reason I put this property is that the sanitizer does some (safe) changes which might be unwanted in a context where you are "sure" no one can inject/exploit your DB.
> Here are, for instance, the changes the sanitizer makes when rendering cmssite
> {code}
> @@ -19,7 +19,7 @@
> <body>
> - <div id="header">
> + <div>
> <h1>This is the header!</h1>
> </div>
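Review bot: the one change in this hunk, `<div id="header">` becoming a bare `<div>`, shows that the sanitizer policy strips `id` attributes; any stylesheet or script on the cmssite page that selects `#header` will stop matching, so this behaviour belongs in the explanations next to the content.sanitize property.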
> @@ -27,34 +27,26 @@
> <div>
> <h1>Welcome to the CmsSite Home page.</h1>
> - <center><table width="350"><tr><td>
> +
> <p>
> This is a site to demonstrate the CMS capabilities of OFBiz. Its basic function is the editing of website text
> inside a browser. If you want to edit the text you are reading now, logon to the backend system, select the content component
> - click on 'cmssite' in the website list and ten click on the 'cms' button. There you see on the left hand side the tree of this website.
> - If you click on 'homepage' then you can edit the content of this page at the box in the r
> + click on 'cmssite' in the website list and ten click on the 'cms' button. There you see on the left hand side the tree of this website.
> + If you click on 'homepage' then you can edit the content of this page at the box in the r
> </p>
> <p>
> This is only the basic function of the CMS which is part of the content component. The content component is actually more than a
> CMS it can also handle documents pretty well. An example is the apache OFBiz document you can see when you click on the last option in the list below.
> - <p>
> - </td></tr></table></center>
> - <ul>
> - <li><a href="/cmssite/cms/CMSS_DEMO_PAGE1">Demo Page 1 - Hard Coded Link</a></div>
> - <li><a href="/cmssite/cms/CMSS_PPOINT/demoPage1">Demo Page 1 - Hard Coded Link using the Sub-Content Pattern</a></li>
> - <li><a href="/cmssite/cms/CMSS_DEMO_PAGE1;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo Page 1 - Dynamic Link</a></li>
> - <li><a href="/cmssite/cms/CMSS_DEMO_SCREEN;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo Page with screen widget and screen decorator</a></li>
> - <li><a href="/cmssite/cms/CMSS_DEMO_BLOG;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo Page with blog using screen decorator</a></li>
> - <li><a href="/cmssite/cms/CMSS_DEMO_TPL_DATA;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo Page with an xml resource formatted with a template ftl resource</a></li>
> - <li><a href="/cmssite/cms/PUBLIC_DOCS;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">The ofbiz public documents</a></li>
> - </ul>
> + </p><p>
> + </p>
> + <ul><li><a href="/cmssite/cms/CMSS_DEMO_PAGE1" rel="nofollow">Demo Page 1 - Hard Coded Link</a>
> + </li><li><a href="/cmssite/cms/CMSS_PPOINT/demoPage1" rel="nofollow">Demo Page 1 - Hard Coded Link using the Sub-Content Pattern</a></li><li><a href="/cmssite/cms/CMSS_DEMO_PAGE1" rel="nofollow">Demo Page 1 - Dynamic Link</a></li><li><a href="/cmssite/cms/CMSS_DEMO_SCREEN" rel="nofollow">Demo Page with screen widget and screen decorator</a></li><li><a href="/cmssite/cms/CMSS_DEMO_BLOG" rel="nofollow">Demo Page with blog using screen decorator</a></li><li><a href="/cmssite/cms/CMSS_DEMO_TPL_DATA" rel="nofollow">Demo Page with an xml resource formatted with a template ftl resource</a></li><li><a href="/cmssite/cms/PUBLIC_DOCS" rel="nofollow">The ofbiz public documents</a></li></ul>
> </div>
> -
> - <div id="footer">
> - <h4>This is the footer!</h4>
> + <div>
> +
> </div>
> - </body>
> - </html>
> +
> +
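Review bot: part of what looks odd in this hunk is explained by the removed input itself: `<li><a href="/cmssite/cms/CMSS_DEMO_PAGE1">Demo Page 1 - Hard Coded Link</a></div>` closes an `<li>` with `</div>`, and the `<p>` just before `</td></tr></table></center>` is never closed, so the sanitizer is rebalancing a malformed tree rather than dropping tags at random; cleaning up the seed HTML would shrink this diff. Two other visible changes deserve a line in the content.sanitize explanation: every link loses its `;jsessionid=...` path parameter and gains `rel="nofollow"`, which stops session ids leaking through rendered URLs but also breaks cookie-less sessions for visitors who depend on them.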
> {code}
> I wonder why it removes the ids, "<center><table" and the ending </body> and </html>, but those guys know much more about XSS exploitation than me. As explained at https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project :
> * Actively maintained by Mike Samuel from Google's AppSec team!
> * Passing 95+% of AntiSamy's unit tests plus many more.
> * This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
> Note that this does not affect the *ContentWrapper.java classes where we use OWASP encoding and not the sanitizer. The reason we need the sanitizer here is because we are not only handling content but also HTML code...
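As an added illustration (not OFBiz code, and not the patch discussed in this issue), the sketch below puts the two ideas of the thread side by side: the "_URL" rule from the issue description that selects the "url" or "html" encoderType for a content type, and a property-gated encodeOrNot() like the one proposed for UtilCodec.HtmlEncoder. The encodeOrNot() signature, the content.encode property and the stored rows are assumptions for the demo.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
// Stand-alone sketch, not OFBiz code: "_URL" encoder selection plus a property-gated encodeOrNot().
public class ContentWrapperDemo {
    // Content types whose id ends with "_URL" get the url encoder, all others the html encoder.
    static String encoderTypeFor(String contentTypeId) {
        return contentTypeId.endsWith("_URL") ? "url" : "html";
    }
    // Stand-in for the proposed UtilCodec.HtmlEncoder.encodeOrNot(); 'encode' plays the
    // role of the hypothetical content.encode property (false = raw output, caller's choice).
    static String encodeOrNot(String value, String encoderType, boolean encode) {
        if (value == null || !encode) {
            return value;
        }
        if ("url".equals(encoderType)) {
            try {
                return URLEncoder.encode(value, "UTF-8");
            } catch (UnsupportedEncodingException ex) {
                throw new IllegalStateException(ex);   // UTF-8 is always available
            }
        }
        // Minimal html encoder: the characters that can end a text node or an attribute value.
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        // Constructed stored content standing in for rows read from the DB (not real OFBiz data).
        String[][] stored = {
            {"DESCRIPTION", "Widget <script>alert(1)</script> on sale"},
            {"IMAGE_URL",   "/images/a b.png?v=<1>"}};
        for (boolean encode : new boolean[] {true, false}) {
            for (String[] row : stored) {
                String type = encoderTypeFor(row[0]);
                System.out.printf("content.encode=%s %-11s (%s) %s%n", encode, row[0], type, encodeOrNot(row[1], type, encode));
            }
        }
    }
}
```

With content.encode=true the DESCRIPTION row renders as inert text and the IMAGE_URL row as a percent-encoded value; with content.encode=false both pass through untouched, which is exactly the trade-off the content.sanitize property already documents for ContentWorker.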
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)