Hi,
during penetration test of his WebObjects servlet installation, one of our
customers found a potential XSS issue:
Deployment environment: tomcat application server + apache mod-proxy
Consider the following request:
http://custormer.serv.er/ServletContainerName/WebObjects/AppName.woa/wa/default
(1)
If a malicious client changes "AppName" to something else, the following
request
http://custormer.serv.er/ServletContainerName/WebObjects/SomethingElse.woa/wa/default
(2)
generates a similar response to request (1), except that in all WebObjects
URLs "AppName" is replaced by "SomethingElse".
Now, if you are a bit more malicious, you would replace AppName by
x%22%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%28%27Cross-Site%20Scripting%27%29%22%3E
et voilà, a wonderful alert panel appears (at least in Firefox).
To fix this issue, I checked that the application name provided in the request
URI matches the real application name:
Application.java:
@Override
public WOResponse dispatchRequest(WORequest aRequest) {
    String uri = aRequest.uri();
    // The application part of the URI as this application expects it,
    // e.g. "/ServletContainerName/WebObjects/AppName.woa"
    String expectedApplicationPartInUri =
        applicationBaseURL() + "/" + name()
        + ((nameSuffix() != null) ? nameSuffix() : "") + ".woa";
    if (uri == null || !uri.contains(expectedApplicationPartInUri)) {
        log.error("failed to dispatch request: uri [" + uri + "]"
            + " does not match application name [" + expectedApplicationPartInUri + "]");
        // Answer with a plain 404 instead of echoing the bogus name back into the page
        WOResponse r404 = new WOResponse();
        r404.setStatus(404);
        r404.setContent("The requested resource was not found on this server.");
        return r404;
    }
    return super.dispatchRequest(aRequest);
}
Are there any suggestions to improve the code above? Shouldn't we fix this
issue in core (aka erextensions)?
Regards,
René
P.S.: for the requests above, only a classical deployment (apache +
mod_webobjects) would have said:
The requested application was not found on this server.
--
salient doremus
salient GmbH
Kontorhaus - Lindleystraße 12
60314 Frankfurt Main
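The same check, as an added Python example that is not the Java from the post above and not WebObjects or Wonder code: it validates the application-name path segment of the request URI against the expected name. It assumes the application base URL is "/ServletContainerName/WebObjects" (taken from the URLs in the message); the application names and sample requests are constructed. The difference from a substring test on the whole URI is that the query string and fragment are ignored and the segment has to match as a whole, so a URI whose application segment is wrong is rejected even when the expected text appears elsewhere in it.

```python
# Added example (not the list post's Java, not WebObjects code): strict
# validation of the application-name path segment of a servlet request URI.
# Assumption: the application base URL is "/ServletContainerName/WebObjects",
# taken from the URLs quoted in the message; names below are hypothetical.
from urllib.parse import urlsplit

BASE_URL = "/ServletContainerName/WebObjects"   # assumed applicationBaseURL()


def expected_app_part(name, name_suffix=None, base_url=BASE_URL):
    """Mirror the Java expectedApplicationPartInUri: base + "/" + name + suffix + ".woa"."""
    return f"{base_url}/{name}{name_suffix or ''}.woa"


def is_request_for_app(uri, name, name_suffix=None, base_url=BASE_URL):
    """True only if the URI *path* starts with the expected application part as a
    whole segment.  Query string and fragment are not part of the comparison, and
    "AppNameOld.woa" does not pass for "AppName.woa"."""
    if uri is None:
        return False
    path = urlsplit(uri).path          # drops scheme, host, "?query" and "#fragment"
    expected = expected_app_part(name, name_suffix, base_url)
    # Either the path ends right after "...AppName.woa" or continues with "/wa/...".
    return path == expected or path.startswith(expected + "/")


def dispatch(uri, name, name_suffix=None, base_url=BASE_URL):
    """Return (status, body) the way the overridden dispatchRequest would:
    404 when the application segment does not match, otherwise hand off (200 here)."""
    if not is_request_for_app(uri, name, name_suffix, base_url):
        return 404, "The requested resource was not found on this server."
    return 200, "dispatched to " + expected_app_part(name, name_suffix, base_url)


# Constructed sample requests: the legitimate URL from the message, the renamed
# one, the script-injection one, and two variants that only a segment-based
# check rejects (a name that merely begins with the expected one, and a URI that
# carries the expected text in its query string rather than in its path).
SAMPLE_URIS = {
    "legit": "http://custormer.serv.er/ServletContainerName/WebObjects/AppName.woa/wa/default",
    "renamed": "http://custormer.serv.er/ServletContainerName/WebObjects/SomethingElse.woa/wa/default",
    "injected": "http://custormer.serv.er/ServletContainerName/WebObjects/"
                "x%22%3E%3Cbody%3E%3Cimg%20src=%22x%22%20onerror=%22alert%28%27Cross-Site%20Scripting%27%29%22%3E"
                ".woa/wa/default",
    "prefix_only": "/ServletContainerName/WebObjects/AppNameOld.woa/wa/default",
    "expected_in_query": "/ServletContainerName/WebObjects/Other.woa/wa/default"
                         "?r=/ServletContainerName/WebObjects/AppName.woa",
}


def check_samples(name="AppName"):
    """Run every sample through dispatch and return {label: status}."""
    return {label: dispatch(uri, name)[0] for label, uri in SAMPLE_URIS.items()}


if __name__ == "__main__":
    for label, status in check_samples().items():
        print(f"{label:>18}: {status}")
```

Only the first sample is dispatched; the other four get the 404. Comparing the raw path segment (no percent-decoding) is deliberate: an encoded variant of the correct name is treated like any other mismatch, which is the safer default for something that gets echoed into every generated URL.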