Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FormTag has XSS vulnerability [SPR-10484] #15117

Closed
spring-projects-issues opened this issue Apr 24, 2013 · 2 comments
Closed

FormTag has XSS vulnerability [SPR-10484] #15117

spring-projects-issues opened this issue Apr 24, 2013 · 2 comments
Assignees
Labels
in: web

Comments

@spring-projects-issues
Copy link
Collaborator

@spring-projects-issues spring-projects-issues commented Apr 24, 2013

Mateusz Krzeszowiec opened SPR-10484 and commented

The form tag is vulnerable to XSS through the path. Although the query string is being escaped before being printed then the path is not escaped at all. This can lead to quite easily exploitable cross site scripting issue, sample attack vector could look like:
http://yourwebsite.com/text1/notescaped/text2/?escaped=escaped
where notescaped could be: /Company" onmouseover=prompt(12345689) bad="/somethinghere

or notescaped="><script>alert('pwned');</script>

The problem can be exploited when you're NOT specifying the action attribute.

The reference URL points out the line in which the path part of the URL (requestUri, at this point without query string yet) could be escaped.


Affects: 3.0 GA, 3.1 GA, 3.2 GA

Reference URL: https://github.com/SpringSource/spring-framework/blob/3.2.x/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java#L426

Attachments:

1 votes, 4 watchers

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented May 7, 2013

Rossen Stoyanchev commented

I actually tried this and didn't manage to do it. Suppose a JSP is served by a controller mapped to "/form". First to submit a malicious URL such as /notescaped="><script>alert('pwned');</script>, the controller would have to be mapped to "/form\*/\*\*" or "/\*\*". That would be a rather unusual mapping for a form controller. Even then the resulting DOM didn't quite cause the issue. The resulting DOM didn't work as expected in Chrome and FF. See attached image.

Have you reproduced this? Could you perhaps create a small sample project.

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Dec 17, 2013

Thomas Kratz commented

We have a similar vulnerability (current version is 3.0.3)
GET /newsletter.htmlde8a8"><img%20src%3da%20onerror%3dalert(1)>4fb904d29e4 HTTP/1.1

Response:

...[SNIP]...

<form ...[SNIP]... <img src=a onerror=alert(1)>ee508ea20ac" method="post" enctype="multipart/form-data">

@spring-projects-issues spring-projects-issues added type: bug in: web labels Jan 11, 2019
@spring-projects-issues spring-projects-issues removed the type: bug label Jan 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: web
Projects
None yet
Development

No branches or pull requests

2 participants