[ https://issues.apache.org/jira/browse/JSPWIKI-64?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Holeczek closed JSPWIKI-64.
-----------------------------------
> Ounce Labs Security Finding: Input Validation - Reflected XSS Edit
> ------------------------------------------------------------------
>
> Key: JSPWIKI-64
> URL: https://issues.apache.org/jira/browse/JSPWIKI-64
> Project: JSPWiki
> Issue Type: Bug
> Affects Versions: 2.4.104
> Reporter: Cristian Borlovan
> Assignee: Janne Jalkanen
> Priority: Critical
> Fix For: 2.6.0
>
> Attachments: report.pdf
>
>
> Description:
> The Edit.jsp will use a variety of different request parameters directly
> without validation and set session attributes with this tainted data. Later
> in different application components (JSPs) these values will be used directly
> (sometimes without proper output encoding). It is recommended that these
> values be properly validated prior to setting them into the session as
> attributes.
>
> Example 1: link is used as a hidden field from the session attribute
> directly, which is set in Edit.jsp
>
> Example 2: remember is used as a hidden field here in Edit.jsp, it is set in
> Comment.jsp
>
> Recommendation:
> Validate each parameter prior to setting the value into the session
> attribute. Output Encode the value rendered to the user. Use the
> "TextUtil.replaceEntities()" method.
>
> Related Code Locations:
> 9 findings:
> Name:
> JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Validation.Required
> Severity: High
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
> Line / Col: 92 / 0
> Context: session . javax.servlet.http.HttpSession.setAttribute (
> "_editedtext", getEditedText(pageContext) )
> -----------------------------------
> Name:
> JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Validation.Required
> Severity: High
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
> Line / Col: 75 / 0
> Context: session . javax.servlet.http.HttpSession.setAttribute (
> "link", link )
> -----------------------------------
> Name:
> JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Validation.Required
> Severity: High
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
> Line / Col: 169 / 0
> Context: session . javax.servlet.http.HttpSession.setAttribute (
> "_editedtext", getEditedText(pageContext) )
> -----------------------------------
> Name:
> JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Info
> Severity: Info
> Classification: Type II
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
> Line / Col: 169 / 0
> Context: session . javax.servlet.http.HttpSession.setAttribute (
> "_editedtext", getEditedText(pageContext) )
> -----------------------------------
> Name:
> JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Validation.Required
> Severity: High
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
> Line / Col: 171 / 0
> Context: session . javax.servlet.http.HttpSession.setAttribute (
> "author", user )
> -----------------------------------
> Name:
> JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Info
> Severity: Info
> Classification: Type II
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
> Line / Col: 92 / 0
> Context: session . javax.servlet.http.HttpSession.setAttribute (
> "_editedtext", getEditedText(pageContext) )
> -----------------------------------
> Name:
> JSPWiki_2_4_104.Comment_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Validation.Required
> Severity: High
> Classification: Vulnerability
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Comment.jsp
> Line / Col: 75 / 0
> Context: session . javax.servlet.http.HttpSession.setAttribute (
> "link", link )
> -----------------------------------
> Name:
> JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Validation.Required
> Severity: High
> Classification: Type II
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
> Line / Col: 43 / 0
> Context: request . javax.servlet.ServletRequest.getParameter (
> "htmlPageText" )
> -----------------------------------
> Name:
> JSPWiki_2_4_104.Edit_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Info
> Severity: Info
> Classification: Type II
> File Name:
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\Edit.jsp
> Line / Col: 171 / 0
> Context: session . javax.servlet.http.HttpSession.setAttribute (
> "author", user )
> -----------------------------------
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira