[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-1064) Admin module is vulnerable to XSS attacks.
Roman Arkhangelskiy (JIRA)
jira-events at jboss.com
Thu Oct 5 06:16:41 EDT 2006
Admin module is vulnerable to XSS attacks.
------------------------------------------
Key: JBPORTAL-1064
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1064
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal Core
Affects Versions: 2.4 Final
Reporter: Roman Arkhangelskiy
Assigned To: Julien Viet
After having been run on JBoss-Portal 2.4.0 source code, Jtest's BugDetective feature reported a lot of places that make the 'admin' module vulnerable to XSS attacks.
There are quite a few such places in the code and it is not difficult to locate them. For example, the variable named 'sCurrPath' seems to be widely used in many jsp-pages of the module, and it happens very often that its value, having been obtained directly from ServletRequest, is displayed (or used for the initialization of forms' hidden fields) without any prior validation. Such an approach makes it possible for a malicious user to perform an XSS attack.
I realize that this module represents an area with restricted access, but I can also envision a situation where the UI of the administrative module itself does not allow any harmful action to be performed, but it is possible to use a kind of specific http-client to construct dangerous requests. So from a technical point of view any data coming from the client should be validated before their further use, even in restricted areas.
A real-life example is in file src/portal-core-war/WEB-INF/jsp/cms/admin/upload.jsp:
the value of the 'sCurrPath' variable is used at line 18 while having already been 'tainted' at line 10. It is worth tracking the use of all variables with this name across the entire module to see all the dangerous situations.
Please let me know if you think this represents a real problem or BugDetective is mistaken.
Thank you!
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
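The pattern the report describes, a request parameter such as 'sCurrPath' written straight into a hidden form field, is shown below next to a hardened version. This is an added illustration, not JBoss Portal's own code; the parameter name comes from the report, while the class, the allow-list regex and the sample input are assumptions made for the example.

```java
// Added example (not JBoss Portal code): a request value reflected into a JSP-style
// hidden field unescaped, beside a version that validates and escapes it first.
// The parameter name sCurrPath is from the report; everything else is assumed.
import java.util.regex.Pattern;

public class CurrPathEscapeDemo {

    // Minimal HTML escaper covering the characters that allow breaking out of an
    // attribute value or element context.
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Assumed allow-list for a CMS folder path: slash-separated segments of safe
    // characters only; ".." is rejected separately so traversal cannot slip through.
    private static final Pattern SAFE_PATH = Pattern.compile("(/[A-Za-z0-9_.-]+)*/?");

    public static boolean isValidCurrPath(String path) {
        return path != null && SAFE_PATH.matcher(path).matches() && !path.contains("..");
    }

    // Vulnerable pattern: the raw request value is concatenated into the markup.
    public static String renderHiddenFieldUnsafe(String sCurrPath) {
        return "<input type=\"hidden\" name=\"sCurrPath\" value=\"" + sCurrPath + "\"/>";
    }

    // Hardened pattern: validate against the allow-list, fall back to the root
    // folder on failure, and HTML-escape before the value reaches the page.
    public static String renderHiddenFieldSafe(String sCurrPath) {
        String path = isValidCurrPath(sCurrPath) ? sCurrPath : "/";
        return "<input type=\"hidden\" name=\"sCurrPath\" value=\"" + escapeHtml(path) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed input: a value that closes the attribute early and adds markup.
        String hostile = "/default\"><b>injected</b>";
        System.out.println("unsafe: " + renderHiddenFieldUnsafe(hostile));
        System.out.println("safe:   " + renderHiddenFieldSafe(hostile));
        System.out.println("safe:   " + renderHiddenFieldSafe("/default/images"));
    }
}
```

The unsafe output contains the closing quote and the new element verbatim, so the browser renders the injected markup; the safe output either rejects the value (falling back to "/") or emits it with the quote and angle brackets encoded, so it stays an attribute value. In a JSP the same effect is obtained by passing the value through an escaping tag or function at every output point rather than trusting the request.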