[gatein-issues] [JBoss JIRA] (GTNPORTAL-3441) XSS vulnerability in UIFormTabPane

Tuyen Nguyen The (JIRA) issues at jboss.org
Fri Apr 4 03:23:13 EDT 2014


Tuyen Nguyen The created GTNPORTAL-3441:
-------------------------------------------

             Summary: XSS vulnerability in UIFormTabPane
                 Key: GTNPORTAL-3441
                 URL: https://issues.jboss.org/browse/GTNPORTAL-3441
             Project: GateIn Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
            Reporter: Tuyen Nguyen The
            Assignee: Tuyen Nguyen The


* *XSS injection vector* via the form's currentSelectedTab value:
*# An attacker gives victims a *link with a malicious script injected into the _currentSelectedTab_* parameter of a tabs form.
*# A victim *opens the link in a browser*. The browser makes a GET request to the application server.
*# The application server loads the malicious script into the form object's selectedTabId attribute and responds with HTML content that contains the injected script.
*# The browser processes the injected content and the script is executed.
* *Problem analysis*:
*# *Screens in eXo projects* that use the [tabs form UIFormTabPane|https://github.com/exoplatform/gatein-portal/blob/3.5.x-PLF/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTabPane.java#L71] are impacted by this *XSS vulnerability*.
The root cause is that UIFormTabPane gets/sets its selectedTabId attribute without any validation/sanitizing of the input/output values:
{code}
    public static String RENDER_TAB = "currentSelectedTab";
....
    // Request-controlled value stored verbatim, no check against the pane's child ids
    public void setSelectedTab(String renderTabId) {
        selectedTabId = renderTabId;
    }

    // Index-based variant derives the id from an actual child, so it is not affected
    public void setSelectedTab(int index) {
        selectedTabId = ((UIComponent) getChild(index - 1)).getId();
    }

    // Entry point 1: the currentSelectedTab request parameter
    public void processDecode(WebuiRequestContext context) throws Exception {
        String renderTab = context.getRequestParameter(RENDER_TAB);
        if (renderTab != null)
            selectedTabId = renderTab; // unvalidated
        super.processDecode(context);
    }
....
    // Entry point 2: the objectId request parameter of the SelectTab action
    public static class SelectTabActionListener extends EventListener<UIFormTabPane> {
        public void execute(Event<UIFormTabPane> event) throws Exception {
            WebuiRequestContext context = event.getRequestContext();
            String renderTab = context.getRequestParameter(UIComponent.OBJECTID);
            if (renderTab == null)
                return;
            event.getSource().setSelectedTab(renderTab); // unvalidated
        }
    }
{code}
==> the malicious script is embedded into the form object
*# The injected value then *leaks* unescaped via [UIFormTabPane.gtmpl|https://github.com/gatein/gatein-portal/blob/master/web/portal/src/main/webapp/groovy/webui/form/UIFormTabPane.gtmpl#L41]
{code}
				<%uiform.begin()%>
				<div><input type="hidden" id="<%=uicomponent.RENDER_TAB%>" name="<%=uicomponent.RENDER_TAB%>" value="$uicomponent.selectedTabId"/></div>
				<div class="HorizontalLayout">
{code}
The injected form object is then *sent back to the browser and processed* by it ==> script executed

For example, enter this URL into a browser:
{code}
http://localhost:8080/portal/g/:organization:management:executive-board/organization/newStaff?portal:componentId=gtn5b8bedf6-cde4-4f48-9966-3887e3af456a&interactionstate=JBPNS_rO0ABXcpAAt1aWNvbXBvbmVudAAAAAEADVVJQWNjb3VudEZvcm0AB19fRU9GX18*&portal:type=action&currentSelectedTab=<ScRIpT>alert("abc")</SCriPT><script>alert("Hello")</script>
{code}
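The following is an added illustration of how the two defects above (no input validation in setSelectedTab/processDecode, no output encoding in the template) can be closed; it is not GateIn's code. It assumes a simplified pane whose child components are modelled as a list of ids and a request modelled as a Map, so it compiles and runs on its own with only java.util. The class name SafeTabPane, the helper escapeAttr and the tab ids tabGeneral/tabAdvanced are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Illustrative hardening of the tab-selection logic, stand-alone sketch
 * (not GateIn's UIFormTabPane): children are a list of ids, the request a Map.
 */
public class SafeTabPane {

    public static final String RENDER_TAB = "currentSelectedTab";

    private final List<String> childIds = new ArrayList<>();
    private String selectedTabId;

    public SafeTabPane(List<String> tabIds) {
        childIds.addAll(tabIds);
        selectedTabId = childIds.isEmpty() ? "" : childIds.get(0);
    }

    public List<String> getChildIds() {
        return Collections.unmodifiableList(childIds);
    }

    public String getSelectedTabId() {
        return selectedTabId;
    }

    /**
     * Input validation: the only values that can become selectedTabId are ids of
     * tabs this pane created. Anything else is rejected and the current selection
     * is kept. Both request paths (currentSelectedTab and the SelectTab action's
     * objectId) funnel through here, so one check covers both.
     */
    public boolean setSelectedTab(String renderTabId) {
        if (renderTabId != null && childIds.contains(renderTabId)) {
            selectedTabId = renderTabId;
            return true;
        }
        return false;
    }

    /** Counterpart of processDecode(): read the request parameter, then validate it. */
    public void processDecode(Map<String, String> requestParams) {
        String renderTab = requestParams.get(RENDER_TAB);
        if (renderTab != null) {
            setSelectedTab(renderTab);
        }
    }

    /** Output encoding for a value placed inside a double-quoted HTML attribute. */
    public static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The template's hidden input, with the value encoded instead of interpolated raw. */
    public String renderHiddenInput() {
        return "<input type=\"hidden\" id=\"" + RENDER_TAB + "\" name=\"" + RENDER_TAB
                + "\" value=\"" + escapeAttr(selectedTabId) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed tab ids; the real pane would take them from its child components.
        SafeTabPane pane = new SafeTabPane(Arrays.asList("tabGeneral", "tabAdvanced"));

        // Constructed request carrying a hostile currentSelectedTab value: rejected,
        // the pane stays on its first tab.
        Map<String, String> hostile = new HashMap<>();
        hostile.put(RENDER_TAB, "\"><script>alert(1)</script>");
        pane.processDecode(hostile);
        System.out.println("after hostile request: " + pane.getSelectedTabId());

        // A legitimate tab switch is still accepted.
        Map<String, String> ok = new HashMap<>();
        ok.put(RENDER_TAB, "tabAdvanced");
        pane.processDecode(ok);
        System.out.println("after valid request:   " + pane.getSelectedTabId());

        // Defence in depth: even a raw string reaching the template is neutralised.
        System.out.println(escapeAttr("\"><script>alert(1)</script>"));
        System.out.println(pane.renderHiddenInput());
    }
}
```

The whitelist in setSelectedTab is the actual fix for the root cause: the request can only pick among ids the server itself generated, so no attacker-controlled string is ever stored in the form object. The encoding in renderHiddenInput is the second layer, since the template line `value="$uicomponent.selectedTabId"` interpolates the raw string into an attribute; applying an attribute encoder there means a future code path that stores an unvalidated value still cannot break out of the attribute.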

