[jboss-jira] [JBoss JIRA] Updated: (JBADMCON-150) Console's web interface is not protected against XSS attacks.
Roman Arkhangelskiy (JIRA)
jira-events at jboss.com
Fri Oct 6 07:16:41 EDT 2006
[ http://jira.jboss.com/jira/browse/JBADMCON-150?page=all ]
Roman Arkhangelskiy updated JBADMCON-150:
-----------------------------------------
Attachment: screenshot-1.jpg
> Console's web interface is not protected against XSS attacks.
> -------------------------------------------------------------
>
> Key: JBADMCON-150
> URL: http://jira.jboss.com/jira/browse/JBADMCON-150
> Project: JBoss Admin Console
> Issue Type: Bug
> Components: General Console
> Reporter: Roman Arkhangelskiy
> Attachments: screenshot-1.jpg
>
>
> After being run on the JBoss Admin Console source code, Jtest's BugDetective feature reported a lot of places (29, to be precise) that make the console vulnerable to XSS attacks.
> There are quite a few places where data obtained from the servlet request are then published to a web page without any prior validation. Such an approach makes it possible for a malicious user to perform an XSS attack.
> I realize that the admin console itself represents an area with restricted access, but I can also envision a situation where the UI of the administrative module does not allow any harmful action to be performed, but it is possible to use a specific kind of HTTP client to construct dangerous requests. So from a technical point of view, any data coming from the client should be validated before further use, even in restricted areas.
> Below is an example from the code:
> file: console/src/resources/weconsole.war/TopicSubscriptions.jsp
> At line #86 the variable 'myUrl' is published without any prior validation. But validation is necessary, since at line #10 this variable gets tainted by its concatenation with the 'objParameter' variable, which is considered tainted since its value is in fact the result of a request.getParameter("ObjectName") method call.
> The screenshot provided by BugDetective is attached.
> Please let me know if you think this represents a real problem or BugDetective is mistaken.
> Thank you!
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
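The data flow the report describes (request parameter -> 'myUrl' -> page output) and the fix a reviewer would ask for, as an added example written for this page; it is not code from the JBoss Admin Console or from TopicSubscriptions.jsp. The servlet request is replaced by a plain String argument so the class runs stand-alone, the base URL and the class and method names are assumptions, and the sample input is constructed. The validation step assumes the 'ObjectName' parameter is a JMX object name, which is why it is checked with javax.management.ObjectName; the output-encoding step is what actually closes the hole, because a syntactically valid object name can still carry characters that break out of an HTML attribute.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;

/**
 * Added example, not project code. Shows the tainted flow from the report
 * beside a hardened version that validates the parameter and encodes it for
 * both the URL and the HTML attribute context it ends up in.
 */
public class ObjectNameLinkExample {

    // Hypothetical base of the link; the real page path does not matter here.
    private static final String BASE = "TopicSubscriptions.jsp?ObjectName=";

    /** Mirrors the reported flow: the parameter is concatenated into myUrl and written out unencoded. */
    public static String renderVulnerable(String objParameter) {
        String myUrl = BASE + objParameter;                    // myUrl becomes tainted here
        return "<a href=\"" + myUrl + "\">subscriptions</a>"; // tainted value reaches the HTML
    }

    /**
     * Hardened version. Step 1 rejects values that are not well-formed JMX object
     * names (assumption: that is what the parameter carries). Step 2 URL-encodes the
     * value when building the query string. Step 3 HTML-encodes the whole URL when
     * placing it inside the href attribute. Steps 2 and 3 are the ones that stop XSS;
     * step 1 only narrows the input the page is willing to handle at all.
     */
    public static String renderSafe(String objParameter) {
        try {
            ObjectName.getInstance(objParameter);              // throws on malformed names
        } catch (MalformedObjectNameException e) {
            return "<p>Invalid ObjectName parameter.</p>";      // no attacker data is echoed
        }
        String myUrl = BASE + URLEncoder.encode(objParameter, StandardCharsets.UTF_8);
        return "<a href=\"" + htmlEncode(myUrl) + "\">subscriptions</a>";
    }

    /** Minimal HTML encoder covering the characters that matter in text and attribute contexts. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a value whose quote and angle brackets would end the
        // attribute and start a new element if written out as-is.
        String sample = "jboss:service=Naming\"><b>";
        System.out.println("vulnerable: " + renderVulnerable(sample));
        System.out.println("safe:       " + renderSafe(sample));
    }
}
```

Running the class prints the vulnerable rendering, where the sample's quote and angle brackets land in the markup unchanged, next to the safe rendering, where they survive only as percent-encoded and entity-encoded text. In a JSP the same effect is obtained by passing the value through an encoder such as the JSTL `<c:out>` tag or `fn:escapeXml` at the point of output, rather than trusting that the admin console's access restrictions keep hostile requests away.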