JAMWiki / JAMWIKI-46

Web Application Cross Site Scripting in JAMWiki

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.6
    • Fix Version/s: 1.0.7
    • Labels: (none)
    • Environment: Tomcat 6.0.33 on Windows 2008 R2

      Description

      I am a JAMWiki user and recently had my installation of JAMWiki scanned with the McAfeeSecure vulnerability scanner (https://www.mcafeesecure.com).

      McAfeeSecure identified a Cross Site Scripting vulnerability in JAMWiki 1.0.6. I have attached a screenshot of the XSS demonstration results.

      I would like to know if this issue can/will be fixed in the JAMWiki software.

      Description:
      The remote web application appears to be vulnerable to cross-site scripting (XSS). The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without sanitizing user input. The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not properly sanitize user input the attacker submits client-side code to the server that will then be rendered by the client. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions. The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.

      OWASP's Cheat Sheet on XSS prevention:
      http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

      I see that you use the Spring framework. Here is an article of interest that may help you prevent XSS as well:
      http://stackoverflow.com/questions/2147958/how-do-i-prevent-people-from-doing-xss-in-java

      General Solution from McAfeeSecure:
      When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.
      Ensure that parameters and user input are sanitized by doing the following:
      Remove < input and replace with &lt;
      Remove > input and replace with &gt;
      Remove ' input and replace with &#x27;
      Remove " input and replace with &quot;
      Remove ) input and replace with &#x29;
      Remove ( input and replace with &#x28;

      The demonstration of the vulnerability from McAfeeSecure:
      URL
        Protocol: https
        Port: 443
        Read Timeout: 10000
        Method: POST
        Path: /wiki/en/Special:Search
        Headers:
          Referer=https%3A%2F%2F204.180.130.113%2Fwiki%2Fen%2FWiki%2520Home%3Bjsessionid%3D16240E3DFA3BF8D0F6BC5322E604C759
          Content-Type=application%2Fx-www-form-urlencoded
        Body:
          text=>"></title></iframe></script></form></td></tr><br><iFraMe src
          search=Search
          jumpto=Go to
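
      The encoding rule in the scanner's general solution, as an added example that is not JAMWiki's or McAfeeSecure's code: a minimal Java rendering of a search page that echoes the submitted `text` field, first with the term concatenated raw into the page and then with the six listed characters (plus `&`, which the scanner's list omits but the OWASP cheat sheet includes) encoded at the output sink. The class and method names and the page template are hypothetical; the payload is the one from the demonstration above.

```java
// Added example (not JAMWiki's own code): a search page that echoes the
// submitted "text" field, first with the term concatenated raw into the page,
// then with every copy of it encoded at the output sink. Class, method and
// template names are hypothetical, not JAMWiki identifiers.
public class ReflectedXssDemo {

    // The exact value McAfeeSecure posted in the "text" field of
    // /wiki/en/Special:Search (taken from the demonstration in this issue).
    static final String SCANNER_PAYLOAD =
        ">\"></title></iframe></script></form></td></tr><br><iFraMe src";

    // Encodes the six characters from the scanner's remediation list, plus '&'
    // (not in that list, but required by the OWASP cheat sheet so that an
    // already-encoded input such as "&lt;" survives the round trip unchanged).
    static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '(':  out.append("&#x28;"); break;
                case ')':  out.append("&#x29;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable sink: the term lands in the <title>, in an attribute value and
    // in body text without encoding, so the payload's "></title> ... <iFraMe
    // sequence breaks out of all three contexts.
    static String renderSearchPageUnsafe(String text) {
        return "<title>Search: " + text + "</title>"
             + "<form method=\"post\"><input name=\"text\" value=\"" + text + "\">"
             + "<input type=\"submit\" name=\"search\" value=\"Search\"></form>"
             + "<p>No results for " + text + "</p>";
    }

    // Hardened sink: identical template, but the term is encoded once and the
    // encoded form is what reaches each of the three contexts.
    static String renderSearchPageSafe(String text) {
        String enc = htmlEncode(text);
        return "<title>Search: " + enc + "</title>"
             + "<form method=\"post\"><input name=\"text\" value=\"" + enc + "\">"
             + "<input type=\"submit\" name=\"search\" value=\"Search\"></form>"
             + "<p>No results for " + enc + "</p>";
    }

    // Cheap scanner-style check: did a tag that exists only in the user input
    // survive into the rendered page as real markup?
    static boolean containsInjectedTag(String html) {
        return html.toLowerCase().contains("<iframe");
    }

    public static void main(String[] args) {
        String unsafe = renderSearchPageUnsafe(SCANNER_PAYLOAD);
        String safe = renderSearchPageSafe(SCANNER_PAYLOAD);
        System.out.println("unsafe page: " + unsafe);
        System.out.println("injected tag present: " + containsInjectedTag(unsafe));
        System.out.println("safe page: " + safe);
        System.out.println("injected tag present: " + containsInjectedTag(safe));
    }
}
```

      In a JSP view the same effect comes from JSTL's `<c:out value="${text}"/>`, whose default `escapeXml="true"` encodes `<`, `>`, `&`, `'` and `"`; it does not touch parentheses, which only matter once a value is placed inside a JavaScript context. The encoding belongs at the sink that echoes this one value rather than in a global input filter: wiki markup legitimately contains tags, so filtering all input would break editing, while encoding the echoed search term does not.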

        Activity

        Ryan Holliday added a comment (edited)

        Revision 3727 should fix this issue, and the fix will be included in JAMWiki 1.0.7. With respect to http://stackoverflow.com/questions/2147958/how-do-i-prevent-people-from-doing-xss-in-java, I'll need to read more on that, but because wiki syntax allows script tags and HTML it may not be possible to use a global escape filter; in any case I've put this on http://jamwiki.org/wiki/en/Tech:JAMWiki_1.2 for further consideration.

        Brian Clark added a comment

        I upgraded my wiki to 1.0.7 and re-scanned with McAfee Secure. I confirm that your fix resolved the issue.


          People

          • Assignee: Ryan Holliday
          • Reporter: Brian Clark
          • Votes: 0
          • Watchers: 0

          Dates

          • Created:
          • Updated:
          • Resolved: