Thanks for raising this, will also attend to. Do you want to raise tickets for this and the other issue you've raised?
On 9 September 2014 00:34, Christopher Fairhall <christopher.fairhall...@msd.govt.nz> wrote:

> Another issue our security review picked up was the default error page,
> org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage is vulnerable to XSS
> via org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel
>
> In the constructor of ExceptionStackTracePanel, it adds a Label with the
> exception message and calls setEscapeModelStrings(false)
>
> This means that a URL can be constructed to reference an entity with
> Javascript inserted where the OID should be, and an exception is thrown with
> the Javascript code inserted into the message.
>
> This is then written to the page un-escaped to be executed in the user's
> session.
>
> It is made worse by the bookmarkable feature (I think that's what does
> this), where an attacker can navigate to a crafted URL on a user's PC; if
> they don't close all of their browser windows before the session times out,
> when they log in they will be redirected to the crafted URL.
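The pattern the report describes, and the fix for it, shown as an added example written for this thread; it is not code from Apache Isis, and the panel name `ExceptionMessagePanel` and its markup id `message` are hypothetical. Wicket escapes a Label's model string by default, so the defect is purely the `setEscapeModelStrings(false)` call; the usual reason people disable escaping on an exception message is to keep the stack trace's line breaks, and `MultiLineLabel` gives that while still escaping the text.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.basic.MultiLineLabel;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.Model;

/**
 * Hypothetical panel that renders an exception message on an error page.
 * Markup (ExceptionMessagePanel.html) is assumed to contain a single
 * element with wicket:id="message".
 */
public class ExceptionMessagePanel extends Panel {

    public ExceptionMessagePanel(String id, Throwable ex) {
        super(id);
        // The message may carry user-controlled input (e.g. the OID taken
        // from the request URL), so it must be treated as untrusted text.
        String message = ex.getMessage() == null ? "" : ex.getMessage();
        add(hardenedLabel(message));
    }

    /**
     * The defective form: disabling escaping writes the raw message into the
     * HTML, so any markup or script contained in it is rendered as-is.
     * Kept only for comparison; do not use.
     */
    static Label vulnerableLabel(String message) {
        Label label = new Label("message", Model.of(message));
        label.setEscapeModelStrings(false); // the XSS sink
        return label;
    }

    /**
     * The hardened form: leave Wicket's default escaping in place.
     * MultiLineLabel escapes the text and then turns newlines into <br/>
     * tags, so a multi-line stack trace still reads correctly without
     * giving up escaping.
     */
    static Label hardenedLabel(String message) {
        return new MultiLineLabel("message", Model.of(message));
    }
}
```

When reviewing a code base for this class of bug, a search for `setEscapeModelStrings(false)` is a quick way to enumerate every place Wicket's default protection has been switched off; each hit needs a justification that the model value cannot contain request-derived data.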