
xss in dotcmsV5.0.1 #15274

Closed
howchen opened this issue Sep 12, 2018 · 9 comments

Comments

@howchen howchen commented Sep 12, 2018

Current Behavior

dotCMS V5.0.1 has an XSS in /html/portlet/ext/contentlet/image_tools/index.jsp in the parameters "fieldName" and "inode".

Steps to Reproduce (for bugs)

just visit the url:
http://website/html/portlet/ext/contentlet/image_tools/index.jsp?fieldName=1%22%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%27%31%27%29%20%3e&inode=
xss

How to fix: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

@wezell wezell added this to the Cody Current milestone Sep 12, 2018
@jgambarios jgambarios self-assigned this Sep 12, 2018
jgambarios added a commit that referenced this issue Sep 13, 2018
@jgambarios jgambarios commented Sep 13, 2018

PR: #15278

jgambarios added a commit that referenced this issue Sep 14, 2018
* #15274

* #15274

* #15274

* #15274 Codacy feedback

* #15274
jgambarios added a commit that referenced this issue Sep 14, 2018
* #15274

* #15274

* #15274

* #15274 Codacy feedback

* #15274

(cherry picked from commit 6c4c451)
@fabrizzio-dotCMS fabrizzio-dotCMS commented Sep 18, 2018

Tried to access several urls under /html/*.
They all require authentication, with the exceptions listed on the interceptor.
The following patterns are allowed (any uri starting with):
/html/js/dojo
/html/images/backgrounds
/html/images/persona

Everything else will enforce user authentication.

Also tried opening an invalid url under /html/* and then logging myself out. Once the session is closed, the url automatically becomes restricted again.

@fabrizzio-dotCMS fabrizzio-dotCMS commented Sep 18, 2018

As a side note these URLs are case sensitive.

So, for example,
a URL like:
http://localhost:8080/Html/portlet/ext/contentlet/image_tools/index.jsp
will redirect you to a blank page,
while this url
http://localhost:8080/html/portlet/ext/contentlet/image_tools/index.jsp
will take you to the actual page.

Note that the first url says Html while the second one says html.
I'm passing the ticket since the old instance of dotCMS behaves the same way.

https://demo4.dotcms.com/Html/portlet/ext/contentlet/image_tools/index.jsp

@bryanboza bryanboza commented Sep 20, 2018

This case will affect us; we need to be case insensitive in that case and redirect to the correct page.

@bryanboza bryanboza added Needs Work and removed Needs QA labels Sep 20, 2018
@wezell wezell commented Sep 20, 2018

@fabrizzio-dotCMS nice catch!

jgambarios added a commit that referenced this issue Sep 20, 2018
@jgambarios jgambarios commented Sep 20, 2018

PR: #15321

jgambarios added a commit that referenced this issue Sep 20, 2018
@bryanboza bryanboza added this to CODY in QA Sep 24, 2018
@wezell wezell closed this Sep 25, 2018
@bryanboza bryanboza commented Sep 26, 2018

Fixed, tested on master and works fine

@bryanboza bryanboza added Passed QA and removed Needs QA labels Sep 26, 2018
@bryanboza bryanboza moved this from CODY to Done in QA Sep 26, 2018
@valentijnscholten valentijnscholten commented Oct 12, 2018

Please note this issue also affects the 3.x and 4.x versions.

Looking at the commits, it looks like the chosen solution is to mandate authentication for these urls. Wouldn't that leave logged-in users still vulnerable?
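Two points from this thread lend themselves to a small worked check: the interceptor's allow-list of public prefixes must compare against a normalized path (so /Html and /html are treated alike), and the echoed fieldName must be HTML-attribute-encoded, which is what protects authenticated users as well. The Python below is an added illustration, not dotCMS code; the prefix list mirrors the comment above, and the normalization rules and function names are assumptions.

```python
import html
from urllib.parse import parse_qs, unquote, urlsplit

# Public prefixes listed in the interceptor comment above (assumed allow-list).
PUBLIC_PREFIXES = ("/html/js/dojo", "/html/images/backgrounds", "/html/images/persona")


def normalize_path(path: str) -> str:
    """Percent-decode (bounded, to cover double encoding) and lower-case the path.

    The authorization check must see the same path the resource resolver
    sees; this normalization is an assumption and should mirror the container.
    """
    decoded = path
    for _ in range(3):
        candidate = unquote(decoded)
        if candidate == decoded:
            break
        decoded = candidate
    return decoded.lower()


def requires_auth(path: str) -> bool:
    """Default-deny: only normalized paths under a public prefix skip login."""
    normalized = normalize_path(path)
    return not any(normalized.startswith(prefix) for prefix in PUBLIC_PREFIXES)


def render_field_name(raw_value: str) -> str:
    """Encode the fieldName value for an HTML attribute instead of echoing it raw.

    html.escape with quote=True encodes & < > " and ', so a value that tries to
    close the attribute and add an event handler stays inert text.
    """
    return 'name="{}"'.format(html.escape(raw_value, quote=True))


def field_name_attr_from_url(url: str) -> str:
    """Pull ?fieldName= from a request URL and return its safely encoded attribute."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = query.get("fieldName", [""])[0]
    return render_field_name(raw)
```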

@mattyarbrough mattyarbrough commented May 2, 2019

This is still an issue for logged in users.
