2:59 a.m.
[
https://issues.jboss.org/browse/GTNPORTAL-3441?page=com.atlassian.jira.pl...
]
Tuyen Nguyen The updated GTNPORTAL-3441:
----------------------------------------
Status: Pull Request Sent (was: Open)
Git Pull Request: https://github.com/gatein/gatein-portal/pull/817
XSS vulnerability in UIFormTabPane
----------------------------------
Key: GTNPORTAL-3441
URL: https://issues.jboss.org/browse/GTNPORTAL-3441
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Tuyen Nguyen The
Assignee: Tuyen Nguyen The
* *XSS injected vector* via form's currentSelectedTab value:
*# A bad guy give victims a *link that mal-script injected into the _currentSelectedTab_*
of a tabs form to victims
*# A victim *open the link in a browser*. The browser makes a GET request to the
application server.
*# The mal-script then be loaded by application server into the infected form
object's selectedTabId attribute. And the application server response a mal-script
infected HTML content back to the browser.
*# The browser process the injected content and the script executed.
* *Problem analysis*:
*# *Screens in eXo projects* that implement the [tabs form
UIFormTabPane|https://github.com/gatein/gatein-portal/blob/master/webui/c...]
got impacted by *XSS vulnerability*.
The root cause come from getting/setting UIFormTabPane's selectedTabId attribute that
they do not have steps of validating/sanitizing input/output values:
{code}
public static String RENDER_TAB = "currentSelectedTab";
....
public void setSelectedTab(String renderTabId) {
selectedTabId = renderTabId;
}
public void setSelectedTab(int index) {
selectedTabId = ((UIComponent) getChild(index - 1)).getId();
}
public void processDecode(WebuiRequestContext context) throws Exception {
String renderTab = context.getRequestParameter(RENDER_TAB);
if (renderTab != null)
selectedTabId = renderTab;
super.processDecode(context);
}
....
public static class SelectTabActionListener extends
EventListener<UIFormTabPane> {
public void execute(Event<UIFormTabPane> event) throws Exception {
WebuiRequestContext context = event.getRequestContext();
String renderTab = context.getRequestParameter(UIComponent.OBJECTID);
if (renderTab == null)
return;
event.getSource().setSelectedTab(renderTab);
}
}
{code}
==> mal-script will be embeded into the form object
*# The flaw then *leaked* via
[UIFormTabPane.gtmpl|https://github.com/gatein/gatein-portal/blob/master/w...]
{code}
<%uiform.begin()%>
<div><input type="hidden"
id="<%=uicomponent.RENDER_TAB%>"
name="<%=uicomponent.RENDER_TAB%>"
value="$uicomponent.selectedTabId"/></div>
<div class="HorizontalLayout">
{code}
And injected form object will be *response back to the browser and being processed* by
the browser ==> script executed
For example: input this into browser
{code}
http://localhost:8080/portal/g/:organization:management:executive-board/o...
{code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
3933
days inactive
3933
days old
0 comments
1 participants
participants (1)
-
Tuyen Nguyen The (JIRA)