beehive-dev mailing list archives

From "Scott L'Hommedieu (JIRA)" <j...@apache.org>
Subject [jira] Updated: (BEEHIVE-1197) XSS Vulnerability in jpfScopeID
Date Thu, 07 Jun 2007 18:44:26 GMT

     [ https://issues.apache.org/jira/browse/BEEHIVE-1197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott L'Hommedieu updated BEEHIVE-1197:
---------------------------------------

    Attachment: patch.txt

Patch for:

netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowRequestProcessor.java
netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/DefaultURLRewriter.java
netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java
netui/src/scoping/org/apache/beehive/netui/pageflow/scoping/ScopedServletUtils.java
netui/src/tags-html/org/apache/beehive/netui/tags/html/Form.java
netui/src/util/org/apache/beehive/netui/util/ParamHelper.java

This will prevent script from being returned in the response as a result of a script being
injected into the jpfScopeID.



> XSS Vulnerability in jpfScopeID
> -------------------------------
>
>                 Key: BEEHIVE-1197
>                 URL: https://issues.apache.org/jira/browse/BEEHIVE-1197
>             Project: Beehive
>          Issue Type: Bug
>          Components: NetUI
>    Affects Versions: V1Alpha, V1Beta, v1m1, 1.0, 1.0.1, 1.0.2, V.Next
>         Environment: Any
>            Reporter: Scott L'Hommedieu
>            Priority: Critical
>         Attachments: patch.txt
>
>
> When processing a request to a URL such as http://xxx/xx.jfp?jpfScopeID="<script>, resulting links in the response will include the scope id as is, such as ?jpfScopeID="<>?.
> Since jpfScopeID appending is not controlled by end user code, this behavior
> possibly causes an XSS vulnerability.
> For example, if given a URL like
>  .....submit.do?jpfScopeID=%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E
> the browser will evaluate and run the script.
> This affects several tags and scoping bits.
> Fix is to HTML encode the jpfScopeID in ScopedServletUtils and call that from tags and such.
> I can attach a patch shortly.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
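
The encoding fix described in the report, applied to the report's own example value, as an added example (not code from the attached patch or from Beehive). The class and method names are hypothetical, and the five-character escape set is an assumption about what "HTML encode" should cover for a quoted attribute.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

// Added illustration; ScopeIdEncodingDemo and its methods are hypothetical,
// not Beehive classes.
public class ScopeIdEncodingDemo {

    // Escape the characters that can end a quoted attribute or open a tag.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour described in the report: the scope id is echoed as is.
    static String linkUnencoded(String action, String scopeId) {
        return "<a href=\"" + action + "?jpfScopeID=" + scopeId + "\">next</a>";
    }

    // Fix direction described in the report: HTML-encode before writing it out.
    static String linkEncoded(String action, String scopeId) {
        return "<a href=\"" + htmlEncode(action + "?jpfScopeID=" + scopeId) + "\">next</a>";
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Query value from the report, decoded the way a servlet container
        // decodes request parameters before the application sees them.
        String raw = "%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E";
        String scopeId = URLDecoder.decode(raw, "UTF-8");

        String unsafe = linkUnencoded("submit.do", scopeId);
        String safe = linkEncoded("submit.do", scopeId);
        System.out.println("unencoded: " + unsafe);
        System.out.println("encoded:   " + safe);

        // The raw tag survives only in the unencoded link.
        if (!unsafe.contains("<script>")) throw new AssertionError("expected raw tag");
        if (safe.contains("<script>")) throw new AssertionError("tag leaked through encoding");
    }
}
```

In the encoded link the quote that previously closed the `href` attribute is written as `&quot;`, so the value stays inside the attribute and the browser treats the rest as text.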

