Certain user management actions are vulnerable to XSS

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.2.7
Fix Version/s: 1.2.8
Component/s: web integration
Labels:
None

Number of attachments :
0

Description

The following actions in user management were reported (in Archiva list) to be vulnerable to XSS attacks:

Reflected (Non-Persistent) XSS:

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Maria Odea Ching added a comment - 26/Mar/11 10:59 PM

Fixed in -r964:

cleanse paramter value before comparing with the keywords
include 'javascript' as xss keyword
added tests

Show

Maria Odea Ching added a comment - 26/Mar/11 10:59 PM Fixed in -r964 : cleanse paramter value before comparing with the keywords include 'javascript' as xss keyword added tests

Hide

Permalink

Maria Odea Ching added a comment - 29/Mar/11 10:19 PM

Re-opening issue

Show

Maria Odea Ching added a comment - 29/Mar/11 10:19 PM Re-opening issue

Hide

Permalink

mark john magallanes added a comment - 05/Apr/11 7:49 PM

hi i proposed to modify the interceptor to check for a pattern using regular expressions cause currently it only checks for the presence of the <script> tag it should also cover the standard HTML events will upload my patch with-in 24hr

Show

mark john magallanes added a comment - 05/Apr/11 7:49 PM hi i proposed to modify the interceptor to check for a pattern using regular expressions cause currently it only checks for the presence of the <script> tag it should also cover the standard HTML events will upload my patch with-in 24hr

Hide

Permalink

Brett Porter added a comment - 05/Apr/11 10:33 PM

I think the interceptor is the wrong approach. It could easily miss something, or incorrectly trap something (e.g. a user called MrJavaScript)

Though it's burdensome, it'd be good to revise the validation for all the actions that take input that gets displayed on the page (either as an error response or as a result of being successfully stored). This can prevent the problem and tighten the error handling overall.

Show

Brett Porter added a comment - 05/Apr/11 10:33 PM I think the interceptor is the wrong approach. It could easily miss something, or incorrectly trap something (e.g. a user called MrJavaScript) Though it's burdensome, it'd be good to revise the validation for all the actions that take input that gets displayed on the page (either as an error response or as a result of being successfully stored). This can prevent the problem and tighten the error handling overall.

Hide

Permalink

mark john magallanes added a comment - 08/Apr/11 1:55 AM - edited

point taken brett revising the validation would be a better way thanks.
properly displaying the EL with <c:out /> would also help.

thanks i hope i could upload my patch soon.

Show

mark john magallanes added a comment - 08/Apr/11 1:55 AM - edited point taken brett revising the validation would be a better way thanks. properly displaying the EL with <c:out /> would also help. thanks i hope i could upload my patch soon.

Hide

Permalink

mark john magallanes added a comment - 08/Apr/11 5:08 AM

will be using the regex pattern [a-zA-Z_0-9\\s.,!?]* to check for validating user input

Show

mark john magallanes added a comment - 08/Apr/11 5:08 AM will be using the regex pattern [a-zA-Z_0-9\\s.,!?] * to check for validating user input

Hide

Permalink

Brett Porter added a comment - 09/Apr/11 12:53 AM

that won't be appropriate for every field - it probably needs to be more specific. There are probably built-in validators for the typical "letters and numbers" ones.

Show

Brett Porter added a comment - 09/Apr/11 12:53 AM that won't be appropriate for every field - it probably needs to be more specific. There are probably built-in validators for the typical "letters and numbers" ones.

Hide

Permalink

Maria Odea Ching added a comment - 12/Apr/11 11:27 AM

Committed the following changes in -r980:

applied changes in displaying user data using <c:out> and validation checks for username, fullname and rolename provided by Mark John Kennedy Magallanes (tweaked the validation fix a bit)
escape values of query string in useredit, userlist and roleedit actions that are affected by xss
added selenium tests for the validation checks and the xss affected actions

Show

Maria Odea Ching added a comment - 12/Apr/11 11:27 AM Committed the following changes in -r980 : applied changes in displaying user data using <c:out> and validation checks for username, fullname and rolename provided by Mark John Kennedy Magallanes (tweaked the validation fix a bit) escape values of query string in useredit, userlist and roleedit actions that are affected by xss added selenium tests for the validation checks and the xss affected actions

Hide

Permalink

Maria Odea Ching added a comment - 12/Apr/11 10:12 PM

Merged to trunk in -r981.

Show

Maria Odea Ching added a comment - 12/Apr/11 10:12 PM Merged to trunk in -r981.

Hide

Permalink

Maria Odea Ching added a comment - 03/May/11 3:13 AM

Additional changes made in 1.2.x branch -r1002:

removed validation for user full name so we won't have problems with i18n, xss scripts dont get executed anyway since they are escaped when rendered
updated selenium tests

Show

Maria Odea Ching added a comment - 03/May/11 3:13 AM Additional changes made in 1.2.x branch -r1002 : removed validation for user full name so we won't have problems with i18n, xss scripts dont get executed anyway since they are escaped when rendered updated selenium tests

Hide

Permalink

Maria Odea Ching added a comment - 03/May/11 4:14 AM

Additional changes merged to trunk -r1003.

Show

Maria Odea Ching added a comment - 03/May/11 4:14 AM Additional changes merged to trunk -r1003.

People

Assignee:

Maria Odea Ching

Reporter:

Maria Odea Ching

Vote (0)

Watch (0)

Dates

Created:

17/Mar/11 4:18 AM

Updated:

03/May/11 4:14 AM

Resolved:

12/Apr/11 11:30 AM