Bug 510023 (CVE-2009-2405)
Summary: CVE-2009-2405 JBoss Application Server Web Console XSS

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Mark J. Cox <mjc> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | low | | |
| Version | unspecified | CC | bgeorges, dandread, djorm, fnasser, mschoene, patrickm, security-response-team, vdanen |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2013-07-29 08:19:29 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Mark J. Cox
2009-07-07 13:13:09 UTC
Created attachment 351481 [details]: A fix for the Web Console XSS issue

I was also able to reproduce this issue using EAP 4.3 CP05 and EAP 4.2 CP07.

Attached a patch: the patch escapes HTML tags (i.e. converts "<" to "&lt;" and ">" to "&gt;") to make sure that the parameters to createSnapshot.jsp and createThresholdMonitor.jsp are sanitized before being displayed to the user. I will ask Dimitris to take a look at this patch.

Today, Brian and I found that our patch currently does not handle an input like: `aaa" onmouseover=alert(1) "`. In this case, moving the mouse over the input field causes a box to pop up. We are currently working on revising our patch to deal with this case as well.

Created attachment 354047 [details]: A revised fix for the Web Console XSS issue

Brian and I have revised our patch so that single quotes and double quotes in the input are also escaped (i.e. we convert "'" to "&#39;" and '"' to "&quot;"). We will commit our patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk.

We have applied the patch to the JBPAPP_4_2_0_GA_CP branch, Branch_5_x, and trunk. (See: https://jira.jboss.org/jira/browse/JBPAPP-2274 and https://jira.jboss.org/jira/browse/JBAS-7105)

I have also applied the patch to the JBPAPP_5_0 branch. (See: https://jira.jboss.org/jira/browse/JBPAPP-2284)

This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 4, via RHSA-2009:1636, https://rhn.redhat.com/errata/RHSA-2009-1636.html

This issue has been addressed in the following products: JBEAP 4.2.0 for RHEL 4, via RHSA-2009:1637, https://rhn.redhat.com/errata/RHSA-2009-1637.html

This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 5, via RHSA-2009:1649, https://rhn.redhat.com/errata/RHSA-2009-1649.html

This issue has been addressed in the following products: JBEAP 4.2.0 for RHEL 5, via RHSA-2009:1650, https://rhn.redhat.com/errata/RHSA-2009-1650.html

Statement: This flaw does not affect Red Hat JBoss Enterprise Application Platform 5 or 6. Older versions of the community JBoss Application Server 5.x may be affected.
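The two escaping strategies discussed in the comments above, as an added example that is not part of the bug report or the JBoss Web Console patch: the first converts only angle brackets, the revised one also converts quotes, and a real HTML parser is used to show which attributes each version leaves on the rendered tag. The template, the function names and the parser check are assumptions for illustration; only the test input comes from the comments.

```python
"""Added example, not from the bug report or the JBoss Web Console patch: it
mirrors the two escaping strategies the comments describe and shows why the
first one fails in an attribute context. The template, function names and the
parser check are assumptions for illustration."""
from html.parser import HTMLParser

# Input quoted in the bug's comments; constructed here as test data.
PAYLOAD = 'aaa" onmouseover=alert(1) "'


def escape_tags_only(s: str) -> str:
    """First patch as described: only angle brackets are converted."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def escape_revised(s: str) -> str:
    """Revised patch as described: quotes are converted too. Escaping '&' first
    is an added precaution so existing entities in the input stay literal."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#39;"))


def render_input(value: str, escape) -> str:
    """Hypothetical stand-in for a JSP echoing a request parameter into an
    attribute value, the context the bug's second test input breaks out of."""
    return '<input type="text" name="name" value="%s">' % escape(value)


class _AttrCollector(HTMLParser):
    """Collects the attributes a real HTML parser sees on the rendered tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(rendered: str) -> dict:
    parser = _AttrCollector()
    parser.feed(rendered)
    return parser.attrs


if __name__ == "__main__":
    for name, esc in (("tags only", escape_tags_only), ("revised", escape_revised)):
        attrs = parsed_attributes(render_input(PAYLOAD, esc))
        print(name, "-> extra event handler present:", "onmouseover" in attrs)
```

With the tags-only escaper the parser reports an `onmouseover` attribute on the tag; with the revised escaper the whole input stays inside the `value` attribute.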