Posted to users@jena.apache.org by Massimiliano Ricci <ma...@gmail.com> on 2016/01/27 10:22:40 UTC

Fuseki 2 & Cross Site Scripting (XSS) vulnerability

Dear All,
 for a customer we'd like to use Fuseki 2.3.1 on Linux RedHat as a
standalone server.
Unfortunately we've encountered an anomaly of Cross Site Scripting (XSS).
For example, it's possible to write on http://myFusekyServer/dataset.html a
query like:
SELECT "<script>alert(document.domain)</script>" WHERE { ?subject
?predicate ?object } LIMIT 25
that shows a pop-up with the hostname.

Looking at the OWASP site (
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
) we've tried to use "RULE #1 - HTML Escape Before Inserting Untrusted Data
into HTML Element Content" but modifying the Fuseki code was too hard for us.
Could anyone suggest to us how to figure out this issue?
Are there properties to set to avoid XSS (this should be the best
solution)?
Do I have to open an issue on JIRA?

Thanks,
Max

Re: Fuseki 2 & Cross Site Scripting (XSS) vulnerability

Posted by Andy Seaborne <an...@apache.org>.
On 02/02/16 14:03, Massimiliano Ricci wrote:
> Great!!
> When do you think to release Fuseki 2.4.0?
>

Jena usually releases every 6 months.

There's a dev build if you want to test before the release:

https://repository.apache.org/content/repositories/snapshots/org/apache/jena/

(make sure you get the latest)

	Andy



Re: Fuseki 2 & Cross Site Scripting (XSS) vulnerability

Posted by Massimiliano Ricci <ma...@gmail.com>.
Great!!
When do you think to release Fuseki 2.4.0?

2016-01-31 17:46 GMT+01:00 Andy Seaborne <an...@apache.org>:

> Thanks to Laurens Rietveld, the author of YASGUI, we have a fix for Jena.
> The fix [*] is in the way Jena uses yasr.
>
> JENA-1123 is resolved.
> The latest dev build has it in.
>
> Caution: you have to flush the changed JavaScript into the browser.
>
> Browsers seem to be obstinate about doing this but (1) clear the site
> cache and (2) a hard refresh (Ctrl-F5) seems to work.  (Developer tools
> mode helps as well but in my experience is not guaranteed.)
>
>         Andy
>
> [*]
> https://github.com/apache/jena/commit/0e9f9319c0

Re: Fuseki 2 & Cross Site Scripting (XSS) vulnerability

Posted by Andy Seaborne <an...@apache.org>.
Thanks to Laurens Rietveld, the author of YASGUI, we have a fix for 
Jena. The fix [*] is in the way Jena uses yasr.

JENA-1123 is resolved.
The latest dev build has it in.

Caution: you have to flush the changed JavaScript into the browser.

Browsers seem to be obstinate about doing this but (1) clear the site
cache and (2) a hard refresh (Ctrl-F5) seems to work.  (Developer tools
mode helps as well but in my experience is not guaranteed.)

	Andy

[*]
https://github.com/apache/jena/commit/0e9f9319c0

On 27/01/16 19:33, Andy Seaborne wrote:
> On 27/01/16 15:30, Andy Seaborne wrote:
>> On 27/01/16 14:45, Massimiliano Ricci wrote:
>>> thanks Andy for your reply.
>>> I also think the problem is with YASQE dependency, but I didn't find any
>>> way to submit this issue to them.
>>
>> https://github.com/OpenTriply/YASGUI.YASQE/issues
>
> Reported:
>
> https://github.com/OpenTriply/YASGUI.YASR/issues/83
>
> I tried the latest release of yasr and it has the same problem.
>
> Any string displayed (lexical form of a literal) is not checked for HTML
> display.  "<b>bold</b>" being a slightly less worrying example than
> <script>
>
>      Andy


Re: Fuseki 2 & Cross Site Scripting (XSS) vulnerability

Posted by Andy Seaborne <an...@apache.org>.
On 27/01/16 15:30, Andy Seaborne wrote:
> On 27/01/16 14:45, Massimiliano Ricci wrote:
>> thanks Andy for your reply.
>> I also think the problem is with YASQE dependency, but I didn't find any
>> way to submit this issue to them.
>
> https://github.com/OpenTriply/YASGUI.YASQE/issues

Reported:

https://github.com/OpenTriply/YASGUI.YASR/issues/83

I tried the latest release of yasr and it has the same problem.

Any string displayed (lexical form of a literal) is not checked for HTML
display.  "<b>bold</b>" being a slightly less worrying example than <script>

     Andy



Re: Fuseki 2 & Cross Site Scripting (XSS) vulnerability

Posted by Andy Seaborne <an...@apache.org>.
On 27/01/16 14:45, Massimiliano Ricci wrote:
> thanks Andy for your reply.
> I also think the problem is with YASQE dependency, but I didn't find any
> way to submit this issue to them.

https://github.com/OpenTriply/YASGUI.YASQE/issues

> I've opened JENA-1123 request on JIRA.



> Max


Re: Fuseki 2 & Cross Site Scripting (XSS) vulnerability

Posted by Massimiliano Ricci <ma...@gmail.com>.
thanks Andy for your reply.
I also think the problem is with YASQE dependency, but I didn't find any
way to submit this issue to them.
I've opened JENA-1123 request on JIRA.
Max


2016-01-27 13:29 GMT+01:00 Andy Seaborne <an...@apache.org>:

> Please do raise a JIRA though it looks to be a problem with the YASQE
> dependency.  YASQE is including raw results in the HTML for the table and
> should convert for HTML presentation.
>
> Also - see the discussion on JENA-890 : should we have a simpler UI for
> basic SPARQL exploration and a separate page (like dataset query) as this
> more application centric query/navigate/present.
>
> How did you try to fix it?
>
>         Andy
>
> https://issues.apache.org/jira/browse/JENA-890?focusedCommentId=14902505
>
> http://yasqe.yasgui.org/ for their tracker.
>

Re: Fuseki 2 & Cross Site Scripting (XSS) vulnerability

Posted by Andy Seaborne <an...@apache.org>.
On 27/01/16 09:22, Massimiliano Ricci wrote:
> Dear All,
>   for a customer we'd like to use Fuseki 2.3.1 on Linux RedHat as a
> standalone server.
> Unfortunately we've encountered an anomaly of Cross Site Scripting (XSS).
> For example, it's possible to write on http://myFusekyServer/dataset.html a
> query like:
> SELECT "<script>alert(document.domain)</script>" WHERE { ?subject
> ?predicate ?object } LIMIT 25
> that shows a pop-up with the hostname.
>
> Looking at the OWASP site (
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
> ) we've tried to use "RULE #1 - HTML Escape Before Inserting Untrusted Data
> into HTML Element Content" but modifying the Fuseki code was too hard for us.
> Could anyone suggest to us how to figure out this issue?
> Are there properties to set to avoid XSS (this should be the best
> solution)?
> Do I have to open an issue on JIRA?
>
> Thanks,
> Max
>

Please do raise a JIRA though it looks to be a problem with the YASQE 
dependency.  YASQE is including raw results in the HTML for the table 
and should convert for HTML presentation.

Also - see the discussion on JENA-890 : should we have a simpler UI for 
basic SPARQL exploration and a separate page (like dataset query) as 
this more application centric query/navigate/present.

How did you try to fix it?

	Andy

https://issues.apache.org/jira/browse/JENA-890?focusedCommentId=14902505

http://yasqe.yasgui.org/ for their tracker.
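
The point made above, that raw result values are placed in the table HTML and should be converted for HTML presentation, shown as an added example. This is not YASR or Jena code and not the JENA-1123 fix; the result set is constructed, and all function names are hypothetical.

```javascript
// Added illustration; not YASR or Jena code. The result set below is constructed
// in the SPARQL JSON results shape, using the literals quoted in the thread.
const sampleResults = {
  head: { vars: ["label", "subject"] },
  results: {
    bindings: [
      {
        label: { type: "literal", value: "<script>alert(document.domain)</script>" },
        subject: { type: "uri", value: "http://example.org/s1" },
      },
      {
        label: { type: "literal", value: '<b>bold</b> & "quoted"' },
        subject: { type: "uri", value: "http://example.org/s2?a=1&b=2" },
      },
      { subject: { type: "bnode", value: "b0" } }, // ?label is unbound in this row
    ],
  },
};

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// OWASP rule #1: escape untrusted data before placing it in HTML element content.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Text shown for one RDF term (hypothetical display format).
function termToText(term) {
  if (!term) return "";
  if (term.type === "uri") return "<" + term.value + ">";
  if (term.type === "bnode") return "_:" + term.value;
  return term.value;
}

// Builds the results table; `encode` decides how cell text reaches the markup.
function renderTable(json, encode) {
  const vars = json.head.vars;
  const header = "<tr>" + vars.map((v) => "<th>" + encode(v) + "</th>").join("") + "</tr>";
  const rows = json.results.bindings.map(
    (b) => "<tr>" + vars.map((v) => "<td>" + encode(termToText(b[v])) + "</td>").join("") + "</tr>"
  );
  return "<table>" + header + rows.join("") + "</table>";
}

// Behaviour described in the thread: raw values go straight into the HTML.
const renderRaw = (json) => renderTable(json, (s) => s);
// Hardened form: every value is encoded for the element-content context.
const renderEscaped = (json) => renderTable(json, escapeHtml);

// Regression check: the markup may contain only the table's own tags.
function hasOnlyTableTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(table|tr|th|td)>$/.test(t));
}
```

A check like `hasOnlyTableTags` is useful as a regression test when upgrading the UI, since the thread notes that a stale cached script can keep the old behaviour in the browser.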