Hello, re GEOS-4210, this is the commit I meant in the comment <https://github.com/GeoWebCache/geowebcache/commit/f4b3d357533b8ba1f05965fc57098bb5250b067b>
Looks like I was too lazy at the moment to chase it down, but it's easier with git now. The way I understand it is that an exception will be thrown when attempting to parse the SRS parameter, which ultimately will be handled by that writeError method in GeoWebcacheDispatcher. If you can confirm that's not what's going on and the XSS vulnerability exists while calling a gwc service, I'll be glad to look deeper into it.

Cheers,
Gabriel

On Mon, Mar 11, 2013 at 2:13 PM, Thijs Brentjens <[email protected]> wrote:
> re 1):
> There is/was some discussion on XSS already, I noticed:
> http://jira.codehaus.org/browse/GEOS-5318 --> still open
> http://jira.codehaus.org/browse/GEOS-4210 --> says for GWC a fix has been done a while ago.
> From another source: http://itsecuritysolutions.org/2012-04-13-ActiveX,-Remote-DoS-and-XSS/, also lists some XSS vulnerabilities for GS 2.1.4
>
> Summary: in 2.1.x XSS can be used by exploiting the Service Exceptions for WMS and WFS. This is confirmed in our test. In 2.2.x this seems to be fixed already for WMS and WFS. However, 2.2.x versions still are vulnerable. For example: WMTS by GWC is vulnerable,
> http://localhost:8080/geoserver/gwc/service/wmts?request=<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload="alert('xss')"/></a>.
>
> Before I get my hands dirty myself: does someone maybe have a solution available (I can't see any activity now, but you never know) or know of something? Or can someone point me to where the fixes between 2.1 and 2.2 have been done to avoid XSS? Maybe I could use that for my client (and in the end others) and use it to fix some other XSS issues as well. If not, I'll dive into the code :).

--
Gabriel Roldan
OpenGeo - http://opengeo.org
Expert service straight from the developers.

_______________________________________________
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
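The pattern under discussion in this thread, as an added example that is not GeoServer or GeoWebCache code: an error handler that reflects the offending request parameter into an XML exception report, shown unescaped beside its escaped form. The template, the function names (write_error_unescaped, write_error_escaped, xhtml_event_handlers) and the check are all hypothetical; the input is the request= value from the WMTS URL quoted above, as a servlet would see it after URL decoding.

```python
"""Reflected XSS through an OWS-style exception report.

Added example; it is not GeoServer or GeoWebCache code and the function
names are hypothetical. It models an error writer that echoes the value
of the offending request parameter into the XML exception body.
"""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed input: the request= value from the WMTS URL in the thread,
# as the servlet sees it after URL decoding.
PAYLOAD = ("<a xmlns:a='http://www.w3.org/1999/xhtml'>"
           "<a:body onload=\"alert('xss')\"/></a>")

# Hypothetical exception template, in the spirit of a WMS ServiceExceptionReport.
TEMPLATE = ("<?xml version='1.0'?>\n"
            "<ServiceExceptionReport version='1.1.1'>\n"
            "  <ServiceException code='InvalidParameterValue' locator='request'>"
            "Unknown request: {value}</ServiceException>\n"
            "</ServiceExceptionReport>\n")


def write_error_unescaped(request_value: str) -> str:
    """Vulnerable: the raw parameter is interpolated into the XML body."""
    return TEMPLATE.format(value=request_value)


def write_error_escaped(request_value: str) -> str:
    """Fixed: &, <, > and both quote characters are escaped first, so the
    parameter can only ever become character data, never markup."""
    safe = escape(request_value, {'"': "&quot;", "'": "&apos;"})
    return TEMPLATE.format(value=safe)


def xhtml_event_handlers(doc: str) -> list:
    """Parse the response the way a browser parses an XML document and
    return the names of event-handler attributes found on elements in
    the XHTML namespace. Anything returned here would run as script."""
    found = []
    for el in ET.fromstring(doc).iter():
        if el.tag.startswith("{" + XHTML_NS + "}"):
            found.extend(a for a in el.attrib if a.lower().startswith("on"))
    return found


def exception_text(doc: str) -> str:
    """Character data of the ServiceException element."""
    return ET.fromstring(doc).find("ServiceException").text


if __name__ == "__main__":
    print("unescaped handlers:", xhtml_event_handlers(write_error_unescaped(PAYLOAD)))
    print("escaped handlers:  ", xhtml_event_handlers(write_error_escaped(PAYLOAD)))
    print("escaped text:      ", exception_text(write_error_escaped(PAYLOAD)))
```

Two points worth keeping in mind when checking a service for this. Serving the report as text/xml is no protection: the payload wraps itself in an XHTML-namespaced element precisely because browsers honour those elements, event handlers included, when rendering any XML document, which is why the parser-based check above looks for the namespace rather than for an HTML content type. And the fix has to be applied at every place a parameter value is interpolated into a response, including the dispatcher's generic error path; as the report above illustrates, escaping in one service's exception writer does nothing for another service that reaches the client through a different path. Building the report with an XML serializer instead of string concatenation removes the class of bug rather than one instance of it.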
