[
https://issues.apache.org/jira/browse/ISIS-884?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dan Haywood resolved ISIS-884.
------------------------------
Resolution: Fixed
> ErrorPage vulnerable to XSS attacks.
> ------------------------------------
>
> Key: ISIS-884
> URL: https://issues.apache.org/jira/browse/ISIS-884
> Project: Isis
> Issue Type: Bug
> Components: Viewer: Wicket
> Affects Versions: viewer-wicket-1.6.0
> Reporter: Dan Haywood
> Assignee: Dan Haywood
> Priority: Blocker
> Fix For: viewer-wicket-1.7.0
>
>
> The default error page
> (org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage) is vulnerable to XSS
> via org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel.
> In the constructor of ExceptionStackTracePanel, it adds a Label with the
> exception message and calls setEscapeModelStrings(false).
> This means that a URL can be constructed to reference an entity with
> Javascript inserted where the OID should be, and an exception is thrown with
> the Javascript code inserted into the message.
> This is then written to the page unescaped, to be executed in the user's
> session.
> It is made worse by the bookmarkable feature (I think that's what does this),
> where an attacker can navigate to a crafted URL on a user's PC; if they don't
> close all of their browser windows before the session times out, when they
> log in they will be redirected to the crafted URL.
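The pattern the report describes, as an added illustration rather than code from the Apache Isis project: a Wicket panel that puts an exception message into a Label and switches off model-string escaping, beside a hardened version that keeps Wicket's default escaping. The class names and the "exceptionMessage" wicket:id are assumptions made for this example.

```java
// Added example (not Apache Isis code). Class names and wicket:id values are assumed.
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;

// Unsafe form: the exception message may contain text taken from the request
// (in the report, script placed where an entity OID is expected in the URL).
// setEscapeModelStrings(false) writes that text into the page verbatim, so it
// becomes a reflected XSS sink.
class UnsafeExceptionMessagePanel extends Panel {
    UnsafeExceptionMessagePanel(String id, Throwable ex) {
        super(id);
        Label message = new Label("exceptionMessage", ex.getMessage());
        message.setEscapeModelStrings(false); // disables Wicket's HTML escaping
        add(message);
    }
}

// Hardened form: leave escaping at Wicket's default (true). The same message is
// rendered as text, so "<script>" arrives in the page as "&lt;script&gt;" and is
// never interpreted by the browser.
class SafeExceptionMessagePanel extends Panel {
    SafeExceptionMessagePanel(String id, Throwable ex) {
        super(id);
        // No setEscapeModelStrings(false): model strings are escaped on render.
        add(new Label("exceptionMessage", ex.getMessage()));
    }
}
```

A quick check when reviewing Wicket code for this class of bug is to grep for setEscapeModelStrings(false) and confirm, for each hit, that the model value can never be derived from request data (URL path, query string, form fields, or exception messages that echo them).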
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)