Tuyen Nguyen The created GTNPORTAL-3441:
-------------------------------------------
Summary: XSS vulnerability in UIFormTabPane
Key: GTNPORTAL-3441
URL:
https://issues.jboss.org/browse/GTNPORTAL-3441
Project: GateIn Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Reporter: Tuyen Nguyen The
Assignee: Tuyen Nguyen The
* *XSS injected vector* via form's currentSelectedTab value:
*# A bad guy give victims a *link that mal-script injected into the _currentSelectedTab_*
of a tabs form to victims
*# A victim *open the link in a browser*. The browser makes a GET request to the
application server.
*# The mal-script then be loaded by application server into the infected form object's
selectedTabId attribute. And the application server response a mal-script infected HTML
content back to the browser.
*# The browser process the injected content and the script executed.
* *Problem analysis*:
*# *Screens in eXo projects* that implement the [tabs form
UIFormTabPane|https://github.com/exoplatform/gatein-portal/blob/3.5.x-PLF...]
got impacted by *XSS vulnerability*.
The root cause come from getting/setting UIFormTabPane's selectedTabId attribute that
they do not have steps of validating/sanitizing input/output values:
{code}
public static String RENDER_TAB = "currentSelectedTab";
....
public void setSelectedTab(String renderTabId) {
selectedTabId = renderTabId;
}
public void setSelectedTab(int index) {
selectedTabId = ((UIComponent) getChild(index - 1)).getId();
}
public void processDecode(WebuiRequestContext context) throws Exception {
String renderTab = context.getRequestParameter(RENDER_TAB);
if (renderTab != null)
selectedTabId = renderTab;
super.processDecode(context);
}
....
public static class SelectTabActionListener extends EventListener<UIFormTabPane>
{
public void execute(Event<UIFormTabPane> event) throws Exception {
WebuiRequestContext context = event.getRequestContext();
String renderTab = context.getRequestParameter(UIComponent.OBJECTID);
if (renderTab == null)
return;
event.getSource().setSelectedTab(renderTab);
}
}
{code}
==> mal-script will be embeded into the form object
*# The flaw then *leaked* via
[
UIFormTabPane.gtmpl|https://github.com/gatein/gatein-portal/blob/master/w...]
{code}
<%uiform.begin()%>
<div><input type="hidden"
id="<%=uicomponent.RENDER_TAB%>"
name="<%=uicomponent.RENDER_TAB%>"
value="$uicomponent.selectedTabId"/></div>
<div class="HorizontalLayout">
{code}
And injected form object will be *response back to the browser and being processed* by the
browser ==> script executed
For example: input this into browser
{code}
http://localhost:8080/portal/g/:organization:management:executive-board/o...
{code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira