cross site scripting vulnerability
assi333

Joined: 18/Dec/2008 00:00:00
Messages: 2
Offline


Hi All,

I have created an application using ICEfaces 1.8.2, RAD 7.5 and the ICEfaces plugin for RAD 0.9.8. During a security check it was found that the application has a cross-site scripting vulnerability in the ice.focus field, which is not getting escaped and after submit will activate any JavaScript entered into the field.
I have found a bug report opened on the subject, JIRA ICE-3363 http://jira.icefaces.org/browse/ICE-3363 , which states this has been solved at the version I'm at.
Can someone help me figure out what I need to do to solve the issue?

Thanks, assi.
dironto

Joined: 08/Jan/2009 00:00:00
Messages: 1
Offline


We have found the same issue, and we are on ICEfaces 1.8.2.

This post is used:
Code:
ice.focus=form.starSearchClient');alert('Xss


and the JavaScript is executed after receiving the response:

Code:
Ice.focus.setFocus('form.startSearclClient');alert('Xss');


This needs to be solved by ICEfaces. Should a JIRA be reopened again?
Is there any way we can work around this problem quickly?
assi333

Joined: 18/Dec/2008 00:00:00
Messages: 2
Offline


Hi,

I fixed it by copying the file /com/icesoft/faces/context/effects/JavascriptContext.java into my project and correcting the methods "applicationFocus" and "focus" by adding an HTML encoding for the id field in the map.put call, like so:

public static void focus(FacesContext context, String id) {
    // this method relies on XMLRenderer to create these "script" elements
    if (!id.equals("")) {
        Map map = context.getExternalContext().getRequestMap();
        map.put(FOCUS_COMP_KEY, StringUtils.encode(id));
    }
}

public static void applicationFocus(FacesContext facesContext, String id) {
    if (!id.equals("")) {
        Map map = facesContext.getExternalContext().getRequestMap();
        map.put(FOCUS_APP_KEY, StringUtils.encode(id));
    }
}

Hope this helps.
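
An added example, not part of the thread and not ICEfaces code: a standalone Java program showing why the `ice.focus` value breaks out of the `Ice.focus.setFocus('...')` call and how validating and encoding it for a JavaScript string literal closes the hole. The class and method names (`FocusScriptDemo`, `renderUnsafe`, `renderSafe`, `escapeJs`) and the client-id allowlist are assumptions made for illustration; only the call shape and the posted value come from the posts above.

```java
import java.util.regex.Pattern;

public class FocusScriptDemo {
    // Assumption: component client ids use only these characters.
    private static final Pattern CLIENT_ID =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_:.\\-]*");

    // Vulnerable pattern: the request value is concatenated straight
    // into a single-quoted JavaScript string literal.
    static String renderUnsafe(String id) {
        return "Ice.focus.setFocus('" + id + "');";
    }

    // Context-appropriate output encoding: every character outside a small
    // ASCII safe set becomes a backslash-u escape, so quotes, backslashes,
    // angle brackets and line breaks cannot end the literal or the script.
    static String escapeJs(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || "_:.-".indexOf(c) >= 0;
            if (safe) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    // Hardened pattern: validate first, encode anyway (defence in depth).
    static String renderSafe(String id) {
        if (id == null || !CLIENT_ID.matcher(id).matches()) {
            return ""; // not a plausible client id: emit no focus script
        }
        return "Ice.focus.setFocus('" + escapeJs(id) + "');";
    }

    public static void main(String[] args) {
        String legit = "form:searchClient";                    // constructed sample id
        String posted = "form.starSearchClient');alert('Xss"; // value quoted in the thread
        System.out.println(renderUnsafe(posted));
        System.out.println(renderSafe(legit));
        System.out.println(renderSafe(posted).isEmpty());
        System.out.println(escapeJs(posted));
    }
}
```

HTML entity encoding protects this sink only when the encoder also encodes the single quote, since the value lands inside a JavaScript string rather than HTML text.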
magellanz

Joined: 14/Dec/2011 03:12:28
Messages: 1
Offline


There is another bug report in JIRA
http://jira.icefaces.org/browse/ICE-5854

Question:
Has anybody fixed this problem for version 1.8?
ted.goddard

Joined: 26/Oct/2004 00:00:00
Messages: 874
Offline


A JIRA has been created:

http://jira.icefaces.org/browse/ICE-7595

Please contact product.support@icesoft.com if you require an immediate fix.
mircea.toma

Joined: 10/Feb/2005 00:00:00
Messages: 323
Offline


The focus security hole was fixed a long time ago. See comment http://jira.icefaces.org/browse/ICE-7595?focusedCommentId=37730&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_37730 .