[jboss-jira] [JBoss JIRA] Created: (JBADMCON-150) Console's web interface is not protected against XSS attacks.

Roman Arkhangelskiy (JIRA) jira-events at jboss.com
Fri Oct 6 07:13:42 EDT 2006


Console's web interface is not protected against XSS attacks.
-------------------------------------------------------------

                 Key: JBADMCON-150
                 URL: http://jira.jboss.com/jira/browse/JBADMCON-150
             Project: JBoss Admin Console
          Issue Type: Bug
          Components: General Console
            Reporter: Roman Arkhangelskiy


After being run on the JBoss Admin Console source code, Jtest's BugDetective feature reported a lot of places (29, precisely speaking) that make the console vulnerable to XSS attacks.

There are quite a few places where data obtained from the servlet request is then published to a web page without any prior validation. Such an approach makes it possible for a malicious user to perform an XSS attack.
I realize that the admin console itself represents an area with restricted access, but I can also envision a situation where the UI of the administrative module does not allow any harmful action to be performed, but it is possible to use a specific kind of HTTP client to construct dangerous requests. So from a technical point of view, any data coming from the client should be validated before further use, even in restricted areas.

Below is an example from the code:

file: console/src/resources/weconsole.war/TopicSubscriptions.jsp
At line #86 the variable 'myUrl' is published without any prior validation. But validation is necessary, since at line #10 this variable gets tainted by its concatenation with the 'objParameter' variable, which is considered tainted since its value is in fact the result of a request.getParameter("ObjectName") method call.
The screenshot provided by BugDetective is attached.

Please let me know if you think this represents a real problem or BugDetective is mistaken.

Thank you!

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
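The taint flow the report describes (request parameter, concatenated into a URL, written raw into the page) is reproduced below beside a hardened version. This is an added illustration, not code from the JBoss Admin Console or from the reporter; the class and method names, the constructed parameter value, and the exact URL shape are assumptions for the example, and only the parameter name "ObjectName" and the JSP file name come from the report.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: the unsafe shape reported by BugDetective next to a hardened one.
 * Everything here is hypothetical except the "ObjectName" parameter name.
 */
public class XssTaintExample {

    // Constructed stand-in for request.getParameter(...); the value is deliberately hostile
    // (a closing quote and a tag) so the difference between the two renderings is visible.
    static final Map<String, String> REQUEST = new LinkedHashMap<String, String>();
    static {
        REQUEST.put("ObjectName",
            "jboss.mq.destination:service=Topic,name=testTopic\"><b>injected</b>");
    }

    // Vulnerable shape: the tainted parameter flows into a URL string and is written unescaped.
    static String renderUnsafe() {
        String objParameter = REQUEST.get("ObjectName");                         // taint source
        String myUrl = "TopicSubscriptions.jsp?ObjectName=" + objParameter;      // taint propagates
        return "<a href=\"" + myUrl + "\">subscriptions</a>";                    // sink: raw output
    }

    // Hardened shape: encode for the URL query context, then escape for the HTML attribute context.
    // Each output context gets its own encoding; validating "ObjectName" against the expected
    // JMX ObjectName syntax before use would be an additional, independent control.
    static String renderSafe() throws UnsupportedEncodingException {
        String objParameter = REQUEST.get("ObjectName");
        String myUrl = "TopicSubscriptions.jsp?ObjectName=" + URLEncoder.encode(objParameter, "UTF-8");
        return "<a href=\"" + escapeHtml(myUrl) + "\">subscriptions</a>";
    }

    // Minimal HTML escaper covering the characters that break out of text and attribute contexts.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe: " + renderUnsafe());
        System.out.println("safe:   " + renderSafe());
    }
}
```

In the unsafe output the injected quote terminates the href attribute and the tag is rendered as markup; in the safe output the same value survives only as %22, %3C and %3E inside the query string. In a JSP the equivalent of escapeHtml is writing the value through JSTL's <c:out value="${myUrl}"/> (which escapes XML characters by default) instead of a raw <%= myUrl %> expression.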
