[gatein-issues] [JBoss JIRA] (GTNPORTAL-3441) XSS vulnerability in UIFormTabPane
Tuyen Nguyen The (JIRA)
issues at jboss.org
Fri Apr 4 03:23:13 EDT 2014
Tuyen Nguyen The created GTNPORTAL-3441:
-------------------------------------------
Summary: XSS vulnerability in UIFormTabPane
Key: GTNPORTAL-3441
URL: https://issues.jboss.org/browse/GTNPORTAL-3441
Project: GateIn Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Reporter: Tuyen Nguyen The
Assignee: Tuyen Nguyen The
* *XSS injection vector* via the form's currentSelectedTab value:
*# A bad guy gives victims a *link with a malicious script injected into the _currentSelectedTab_* of a tabs form.
*# A victim *opens the link in a browser*. The browser makes a GET request to the application server.
*# The malicious script is then loaded by the application server into the infected form object's selectedTabId attribute, and the application server sends the script-infected HTML content back to the browser.
*# The browser processes the injected content and the script is executed.
* *Problem analysis*:
*# *Screens in eXo projects* that implement the [tabs form UIFormTabPane|https://github.com/exoplatform/gatein-portal/blob/3.5.x-PLF/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTabPane.java#L71] are impacted by the *XSS vulnerability*.
The root cause comes from the getting/setting of UIFormTabPane's selectedTabId attribute, which has no step for validating/sanitizing input/output values:
{code}
public static String RENDER_TAB = "currentSelectedTab";
....
public void setSelectedTab(String renderTabId) {
    selectedTabId = renderTabId;   // stored as-is, no validation
}

public void setSelectedTab(int index) {
    selectedTabId = ((UIComponent) getChild(index - 1)).getId();
}

public void processDecode(WebuiRequestContext context) throws Exception {
    // request parameter copied straight into the component state
    String renderTab = context.getRequestParameter(RENDER_TAB);
    if (renderTab != null)
        selectedTabId = renderTab;
    super.processDecode(context);
}
....
public static class SelectTabActionListener extends EventListener<UIFormTabPane> {
    public void execute(Event<UIFormTabPane> event) throws Exception {
        WebuiRequestContext context = event.getRequestContext();
        String renderTab = context.getRequestParameter(UIComponent.OBJECTID);
        if (renderTab == null)
            return;
        event.getSource().setSelectedTab(renderTab);   // same unvalidated path
    }
}
{code}
==> the malicious script will be embedded into the form object
*# The flaw then *leaks* via [UIFormTabPane.gtmpl|https://github.com/gatein/gatein-portal/blob/master/web/portal/src/main/webapp/groovy/webui/form/UIFormTabPane.gtmpl#L41]
{code}
<%uiform.begin()%>
<div><input type="hidden" id="<%=uicomponent.RENDER_TAB%>" name="<%=uicomponent.RENDER_TAB%>" value="$uicomponent.selectedTabId"/></div>
<div class="HorizontalLayout">
{code}
And the injected form object will be *sent back to the browser and processed* by the browser ==> script executed
For example, enter this into the browser:
{code}
http://localhost:8080/portal/g/:organization:management:executive-board/organization/newStaff?portal:componentId=gtn5b8bedf6-cde4-4f48-9966-3887e3af456a&interactionstate=JBPNS_rO0ABXcpAAt1aWNvbXBvbmVudAAAAAEADVVJQWNjb3VudEZvcm0AB19fRU9GX18*&portal:type=action&currentSelectedTab=<ScRIpT>alert("abc")</SCriPT><script>alert("Hello")</script>
{code}
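A hardened version of the tab-selection path, added here as an illustration and not the project's own fix: the request parameter is accepted only when it matches the id of an existing child tab, and the value written into the hidden input is escaped as an HTML attribute. The class name `SafeTabPane`, the constructor that takes the child ids, and `renderHiddenInput` are assumptions standing in for the real component and template.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Illustrative hardening of UIFormTabPane's tab selection (not the project's code).
// processDecode and SelectTabActionListener would both go through the checked setter.
public class SafeTabPane {
    public static final String RENDER_TAB = "currentSelectedTab";
    private final Set<String> childIds;   // ids of the real child tabs (assumed known)
    private String selectedTabId;
    public SafeTabPane(List<String> childIds, String defaultTab) {
        this.childIds = new HashSet<>(childIds);
        this.selectedTabId = defaultTab;
    }
    // Whitelist check: only the id of an existing child may be selected. Anything else
    // (including injected markup) is ignored and the current selection is kept.
    public void setSelectedTab(String renderTabId) {
        if (renderTabId != null && childIds.contains(renderTabId)) {
            selectedTabId = renderTabId;
        }
    }
    // Output encoding for the hidden input's value attribute, applied regardless of the
    // whitelist so a later change to where selectedTabId comes from cannot reopen the flaw.
    public static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Replacement for the template line that interpolated $uicomponent.selectedTabId raw.
    public String renderHiddenInput() {
        return "<input type=\"hidden\" id=\"" + RENDER_TAB + "\" name=\"" + RENDER_TAB
             + "\" value=\"" + escapeAttr(selectedTabId) + "\"/>";
    }

    public static void main(String[] args) {
        SafeTabPane pane = new SafeTabPane(List.of("tab1", "tab2"), "tab1");
        pane.setSelectedTab("<script>alert(1)</script>"); // constructed hostile input, rejected
        System.out.println(pane.renderHiddenInput());
    }
}
```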