[ 
https://issues.apache.org/jira/browse/JSPWIKI-65?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Holeczek closed JSPWIKI-65.
-----------------------------------


> Ounce Labs Security Finding: Input Validation - Reflected XSS IncludeTag skin Parameter
> --------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-65
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-65
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Cristian Borlovan
>            Assignee: Janne Jalkanen
>            Priority: Critical
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: The Include Tag may print out an error message containing user 
> input.  Even though it is highly unlikely that this will contain malicious 
> payload (since the logic only executes if page is null), best practices 
> indicate using the standard output encoding routine to sanitize the data. 
> Note this particular vulnerability may be triggered, via the use of the 
> Include Tag, from 16 different vectors.
> For example, "skin=<script>alert(document.cookie);</script>" might be 
> attempted to be injected and the code were changed in the future to not check 
> if null.
> Recommendation: Output Encode the value rendered to the user.  Use the 
> "TextUtil.replaceEntities()" method.
> Related Code Locations: 
> 16 vectors to:
>   Name:           com.ecyrd.jspwiki.tags.IncludeTag.doEndTag():int
>   Type:           Vulnerability.CrossSiteScripting.Reflected
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\tags\IncludeTag.java
>   Line / Col:     79 / 0
>   Context:        this.pageContext . javax.servlet.jsp.PageContext.getOut() . 
> javax.servlet.jsp.JspWriter.println ( new java.lang.StringBuilder . 
> java.lang.StringBuilder.append("No template file called '") . 
> java.lang.StringBuilder.append(this.m_page) . 
> java.lang.StringBuilder.append("'") . java.lang.StringBuilder.toString() )
>     -----------------------------------
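As an added illustration of the recommendation in the report above (example code, not code from the JSPWiki project or from the Ounce Labs report), the following stand-alone Java shows the unencoded error message the finding flags beside the same message after output encoding. `escapeHtml` is a hypothetical stand-in for the project's `TextUtil.replaceEntities()`; the message text and the sample `skin` value come from the report, and the class and method names below are assumed for the example.

```java
/**
 * Added example (not JSPWiki project code): the reflected-XSS pattern described
 * in JSPWIKI-65 beside the output-encoded form the report recommends.
 */
public class IncludeTagEncodingExample {

    /**
     * Hypothetical stand-in for JSPWiki's TextUtil.replaceEntities(): replaces
     * the characters that carry meaning in HTML with their entity forms so the
     * value is rendered as text rather than parsed as markup.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unencoded: mirrors the flagged println in IncludeTag.doEndTag(). */
    static String vulnerableMessage(String page) {
        return "No template file called '" + page + "'";
    }

    /** Encoded: the same message with the user-controlled value entity-escaped. */
    static String encodedMessage(String page) {
        return "No template file called '" + escapeHtml(page) + "'";
    }

    public static void main(String[] args) {
        // Constructed input, taken from the report's own example value.
        String skin = "<script>alert(document.cookie);</script>";

        // Rendered into a page, the first line is parsed as a script element;
        // the second is displayed literally as text.
        System.out.println(vulnerableMessage(skin));
        System.out.println(encodedMessage(skin));
    }
}
```

The fix is applied at the point where the value is written to the response, which is what makes it robust against the future-code-change scenario the report raises: even if the null check around the println were removed, the encoded message would still render as inert text.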

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
