
XSS in terminal #3623

Closed
cnsgithub opened this issue Apr 30, 2018 · 2 comments
Comments

@cnsgithub
Contributor

cnsgithub commented Apr 30, 2018

1) Environment

  • PrimeFaces version: 6.3-SNAPSHOT

2) Expected behavior

Proper escaping of command handler result

3) Actual behavior

Improper escaping

4) Steps to reproduce

Go to modified showcase (http://localhost:8080/showcase/ui/misc/terminal.xhtml), enter a command and press enter. Alert containing session cookie (btw, use HttpOnly flag in showcase?) will be shown. Content will be deleted.

5) Sample XHTML

Unmodified showcase

6) Sample bean

Modified showcase:

    public String handleCommand(String command, String[] params) {
        // Deliberately malicious result: "]]>" closes the CDATA section the partial
        // response wraps the result in, "</update>" closes the update element, and the
        // rest injects a second <update> that targets CONTENTSIDE with a script.
        return "foo]]></update><update id=\"CONTENTSIDE\"><![CDATA[<script>alert(document.cookie);</script>]]></update><update><![CDATA[bar";
    }

7) Mitigation

PR will follow. @tandraschko Same procedure as every time? (Enjoy the rest of the bridge day. 🍺 )

@cnsgithub
Contributor Author

Oops, this may be a general problem with PrimePartialResponseWriter or even with PartialResponseWriter (Mojarra).

CDATA section delimiters can be injected, see https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008).

@tandraschko tandraschko added the 🔒 security Security related issue or enhancement label May 1, 2018
@cnsgithub
Contributor Author

PR: #3628

CDATA stuff has to be examined separately in more detail.
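One way to neutralise the CDATA delimiter injection discussed in this thread, as an added example that is not PrimeFaces or Mojarra code: the class name, the `partial-response` wrapper and the hardened parser are assumptions, and the payload is a constructed copy of the one in the report.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example (not PrimeFaces code): keep untrusted text inside one CDATA section. */
public final class CdataSafeWriter {

    /**
     * "]]>" is the only sequence that terminates a CDATA section, so each occurrence is
     * split into "]]" + "]]><![CDATA[" + ">": the section closes before the "]]" and
     * reopens before the ">". A parser reassembles the original text and never sees markup.
     */
    public static String escapeCdata(String text) {
        return text == null ? "" : text.replace("]]>", "]]]]><![CDATA[>");
    }

    /** Emits one <update> element as a partial response does; the id is assumed trusted. */
    public static String updateElement(String id, String untrustedBody) {
        return "<update id=\"" + id + "\"><![CDATA[" + escapeCdata(untrustedBody) + "]]></update>";
    }

    /** Parses a partial response with DOCTYPE disallowed (no entity expansion tricks). */
    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload shaped like the one in the issue: it closes the CDATA section
        // and the <update> element, then injects an <update> of its own.
        String payload = "foo]]></update><update id=\"CONTENTSIDE\"><![CDATA["
                + "<script>alert(document.cookie);</script>]]></update><update><![CDATA[bar";

        String unsafe = "<partial-response><update id=\"t\"><![CDATA[" + payload
                + "]]></update></partial-response>";
        String safe = "<partial-response>" + updateElement("t", payload) + "</partial-response>";

        NodeList unsafeUpdates = parse(unsafe).getElementsByTagName("update");
        NodeList safeUpdates = parse(safe).getElementsByTagName("update");
        System.out.println("unsafe: " + unsafeUpdates.getLength() + " update elements; second targets id="
                + ((Element) unsafeUpdates.item(1)).getAttribute("id"));
        System.out.println("safe: " + safeUpdates.getLength() + " update element; text round-trips: "
                + payload.equals(safeUpdates.item(0).getTextContent()));
    }
}
```

With the unescaped output the parser sees three update elements, one of which the attacker aimed at CONTENTSIDE; with the escaped output it sees a single update whose text content equals the original string.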
