
xss in dotcmsV5.0.1 #15274

Closed
howchen opened this issue Sep 12, 2018 · 9 comments
howchen commented Sep 12, 2018

Current Behavior

dotCMS V5.0.1 has an XSS vulnerability in /html/portlet/ext/contentlet/image_tools/index.jsp via the parameters "fieldName" and "inode".

Steps to Reproduce (for bugs)

Just visit the URL:
http://website/html/portlet/ext/contentlet/image_tools/index.jsp?fieldName=1%22%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%27%31%27%29%20%3e&inode=

How to fix: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
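The report above is the classic attribute-context injection: a request parameter is written straight into an HTML attribute, so a value containing a double quote closes the attribute and the rest of the value becomes new attributes. The block below is an added example written for this page, not dotCMS code and not from the reporter; the page name, the hidden-input markup and the small encoder are assumptions made for the example (a real JSP should use a maintained library such as the OWASP Java Encoder). It shows the unsafe concatenation beside the encoded form the linked cheat sheet calls for, using the report's own payload decoded as the constructed input. Note that output encoding is what removes the bug itself; requiring a login only changes who can reach the page.

```java
// Added example (not dotCMS code): unsafe vs. encoded placement of a request
// parameter inside an HTML attribute, the pattern behind this report.
public class AttributeEncodingDemo {

    // Minimal HTML-attribute encoder written for this example. In production use a
    // maintained encoder (e.g. OWASP Java Encoder, Encode.forHtmlAttribute).
    static String encodeForHtmlAttribute(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Unsafe: the parameter is concatenated into the markup as-is, so a value with a
    // double quote terminates the attribute and the remainder is parsed as markup.
    static String renderUnsafe(String fieldName) {
        return "<input type=\"hidden\" name=\"fieldName\" value=\"" + fieldName + "\">";
    }

    // Hardened: the same markup, with the value encoded for the attribute context, so
    // the browser sees one string value no matter what characters it contains.
    static String renderEncoded(String fieldName) {
        return "<input type=\"hidden\" name=\"fieldName\" value=\""
                + encodeForHtmlAttribute(fieldName) + "\">";
    }

    public static void main(String[] args) {
        // Constructed input: the report's fieldName value, URL-decoded.
        String hostile = "1\" onerror=alert('1') >";
        System.out.println("unsafe : " + renderUnsafe(hostile));
        System.out.println("encoded: " + renderEncoded(hostile));
    }
}
```

Running it shows the unsafe line yielding a closed `value` attribute followed by a stray `onerror` attribute, while the encoded line keeps the whole string inside `value="..."` as `&quot;`, `&#x27;` and `&gt;` entities. The same encoding applies to `inode` and to any other parameter echoed into the page.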

@wezell wezell added this to the Cody Current milestone Sep 12, 2018
@jgambarios jgambarios self-assigned this Sep 12, 2018
jgambarios added a commit that referenced this issue Sep 13, 2018
jgambarios added a commit that referenced this issue Sep 13, 2018
@jgambarios
Contributor

PR: #15278

@fabrizzio-dotCMS
Contributor

Tried to access several URLs under /html/*.
They all require authentication, with the exceptions listed on the interceptor.
The following patterns are allowed (any URI starting with):
/html/js/dojo
/html/images/backgrounds
/html/images/persona

Everything else will enforce user authentication.

Also tried opening an invalid URL under /html/* and then logging myself out. Once the session is closed, the URL automatically becomes restricted again.

@fabrizzio-dotCMS
Contributor

fabrizzio-dotCMS commented Sep 18, 2018

As a side note, these URLs are case-sensitive.

So, for example, a URL like:
http://localhost:8080/Html/portlet/ext/contentlet/image_tools/index.jsp
will redirect you to a blank page, while this URL:
http://localhost:8080/html/portlet/ext/contentlet/image_tools/index.jsp
will take you to the actual page.

Note that the first URL says Html while the second one says html.
I'm passing the ticket since the old instance of dotCMS behaves the same way.

https://demo4.dotcms.com/Html/portlet/ext/contentlet/image_tools/index.jsp

@bryanboza
Contributor

This case will affect us; we need to be case-insensitive in that case and redirect to the correct page.
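The two comments above describe an authentication gate for /html/* with a short prefix allowlist, and a casing problem: "/Html/..." is not recognised as the same path. The block below is an added example written for this page, not dotCMS's interceptor; the class and method names are assumptions, and the three allowlisted prefixes are the ones listed in this thread. It folds case before matching so that mixed-case variants are gated exactly like the lowercase path, and computes the canonical path to redirect to, rewriting only the "/html" segment so the rest of the path is left as typed.

```java
// Added example (not dotCMS code): an authentication gate for /html/* modelled on
// the interceptor behaviour described in this thread, with case-insensitive matching.
import java.util.List;
import java.util.Locale;

public class HtmlPathAuthCheck {

    // The three prefixes the thread lists as reachable without a session.
    static final List<String> PUBLIC_PREFIXES = List.of(
            "/html/js/dojo",
            "/html/images/backgrounds",
            "/html/images/persona");

    // Strip the query string and fold case so "/Html/..." and "/html/..." are the
    // same path for the purposes of the check.
    static String normalize(String uri) {
        int q = uri.indexOf('?');
        String path = q >= 0 ? uri.substring(0, q) : uri;
        return path.toLowerCase(Locale.ROOT);
    }

    // True when the path falls under one of the public prefixes.
    static boolean isPublic(String uri) {
        String path = normalize(uri);
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    // True when the request must carry an authenticated session before it is served.
    static boolean requiresAuthentication(String uri) {
        String path = normalize(uri);
        return path.startsWith("/html/") && !isPublic(path);
    }

    // Canonical form to redirect to when the first segment was typed with other
    // casing; only the "/html" segment is rewritten, the remainder is untouched.
    static String canonicalPath(String uri) {
        if (uri.regionMatches(true, 0, "/html/", 0, 6)) {
            return "/html" + uri.substring(5);
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample requests, including the mixed-case variant from the thread.
        String[] samples = {
            "/html/js/dojo/dojo.js",
            "/html/images/persona/default.png",
            "/html/portlet/ext/contentlet/image_tools/index.jsp?fieldName=x&inode=",
            "/Html/portlet/ext/contentlet/image_tools/index.jsp",
            "/public/index.html"
        };
        for (String s : samples) {
            System.out.printf("%-72s auth=%-5b canonical=%s%n",
                    s, requiresAuthentication(s), canonicalPath(s));
        }
    }
}
```

With this check the "/Html/portlet/..." request is reported as requiring authentication, the same as its lowercase form, and `canonicalPath` gives the address to redirect to; the two allowlisted samples and the path outside /html/ are left unauthenticated, as the thread describes.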

@wezell
Contributor

wezell commented Sep 20, 2018

@fabrizzio-dotCMS nice catch!

jgambarios added a commit that referenced this issue Sep 20, 2018
@jgambarios
Contributor

PR: #15321

@bryanboza
Contributor

Fixed, tested on master and works fine

@valentijnscholten

Please note this issue also affects the 3.x and 4.x versions.

Looking at the commits, it looks like the chosen solution is to mandate authentication for these URLs. Wouldn't that leave logged-in users still vulnerable?

@mattyarbrough

This is still an issue for logged in users.
