beehive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Carlin Rogers (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (BEEHIVE-1197) XSS Vulnerability in jpfScopeID
Date Fri, 08 Jun 2007 12:57:26 GMT

     [ https://issues.apache.org/jira/browse/BEEHIVE-1197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Carlin Rogers resolved BEEHIVE-1197.
------------------------------------

       Resolution: Fixed
    Fix Version/s: V.Next

Scott, thanks for the contribution. I made some minor changes...

I did not add filterValue() to ParamHelper and left it in InternalUtils. It uses HTML entities
for encoding characters used to render on a page. Instead, I just added some code in ScopedServletUtils
to use escaped encoding for URI since the framework uses this param in url rewriting, etc.
Given this, I changed the name of the new ScopedServletUtils routine getHTMLEncodedScopeIDParam()
to getScopeIdParamValue(). Let me know what you think.

The changes are in SVN revision 545494. This includes junit and TestRecorder tests.

Thanks again Scott!

> XSS Vulnerability in jpfScopeID
> -------------------------------
>
>                 Key: BEEHIVE-1197
>                 URL: https://issues.apache.org/jira/browse/BEEHIVE-1197
>             Project: Beehive
>          Issue Type: Bug
>          Components: NetUI
>    Affects Versions: V1Alpha, V1Beta, v1m1, 1.0, 1.0.1, 1.0.2, V.Next
>         Environment: Any
>            Reporter: Scott L'Hommedieu
>            Assignee: Carlin Rogers
>            Priority: Critical
>             Fix For: V.Next
>
>         Attachments: patch.txt
>
>
> When a processing a request to a url such as  http://xxx/xx.jfp?jpfScopeID="<script>
, resulting links in response will include the scope id as is.  Such as ?jpfScopeID="<>?.
> Since jpfScopeID appending is not controlled by end user code, this behavior 
> possibly cause XSS vulnerability. 
> For example, if giving url like
>  .....submit.do?jpfScopeID=%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E
> The browser will evaluate and run the script.
> This affects several tags and scoping bits.
> Fix is to html encode the jpfScopeID in ScopedServletUtils and call that from tags and
such.
> I can attach a patch shortly.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message