Bug 793281 (JBEPP-365)

Summary: XSS in page title
Product: [JBoss] JBoss Enterprise Portal Platform 5
Reporter: Marc Schoenefeld <mschoene>
Component: Portal
Assignee: hfnukal <hfnukal>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: 5.0.0.CR01, 5.1.1.DEV01, 5.1.1.CR01
CC: epp-bugs, hfnukal, mposolda, mvanco, smumford
Target Release: 5.1.1.DEV02, 5.2.0.DEV02, 5.1.1.GA
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/JBEPP-365
Whiteboard: EPP_RN_XSS
Doc Type: Bug Fix
Last Closed: 2011-08-02 05:56:02 UTC
Type: Bug
Attachments:
epp_page_title_xss.png
epp_page_title_xss1_result.png
JBEPP-365-PageManagement.patch

Description Marc Schoenefeld 2010-05-18 10:43:21 UTC
project_key: JBEPP

XSS in page title 

</title><script>alert("xssed portal")</script>

Comment 2 Marc Schoenefeld 2010-05-18 10:45:23 UTC
Attachment: Added: epp_page_title_xss.png
Attachment: Added: epp_page_title_xss1_result.png


Comment 4 mposolda 2011-07-29 08:00:56 UTC
I am reopening because issue still exists in EPP 5.1.1.CR1

Comment 5 mposolda 2011-07-29 08:03:23 UTC
Link: Added: This issue relates to JBQA-4899


Comment 6 hfnukal@redhat.com 2011-07-29 11:18:34 UTC
Can you please check where in the HTML source of the page the JavaScript is? It is now encoded in <title>, but it is probably displayed somewhere else.

Comment 7 mposolda 2011-07-29 13:01:44 UTC
It's shown on the pageManagement page after editing a page.

Steps to reproduce with EPP 5.1.1.CR1:

    * Login as root
    * Go to http://localhost:8080/portal/private/classic/administration/pageManagement
    * Click on some page: Edit page -> View page properties -> Change title of page to "joo<script>alert('hello')</script>"
    * Click save -> Click finish -> Refresh page http://localhost:8080/portal/private/classic/administration/pageManagement and XSS appears.



Comment 8 mposolda 2011-07-29 14:25:41 UTC
Unfortunately there is another place where this XSS shows. Steps to reproduce:
- Edit title of page portal::classic::homepage in page management as described in previous comment
- Go to http://localhost:8080/portal/private/classic/portalnavigation
- Click "Edit navigation" on the classic portal
- Click "Add node". Now you can see the alert.

Comment 9 mposolda 2011-07-29 15:38:03 UTC
Attachment: Added: JBEPP-365-PageManagement.patch


Comment 10 mposolda 2011-07-29 15:39:50 UTC
The attached patch JBEPP-365-PageManagement.patch fixes the XSS issues from both previous comments:
https://issues.jboss.org/browse/JBEPP-365?focusedCommentId=12617532&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12617532
https://issues.jboss.org/browse/JBEPP-365?focusedCommentId=12617563&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12617563

It encodes the Groovy template UIRepeater.gtmpl, which is used both for PageManagement and for selecting a page during edit navigation, so it covers both cases. I tested it successfully with EPP 5.1.1.CR1.

Comment 11 mposolda 2011-07-29 15:40:46 UTC
The patch needs to be applied in the project web/portal.

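The point of comments 6 through 10 is that encoding the stored title in one sink (the <title> element) does not fix the bug while other templates that render the same title (the page-management list and the navigation page picker, both backed by UIRepeater.gtmpl) still interpolate it raw. The following is an added example, not code from this bug or from the EPP/GateIn code base: it emulates the vulnerable and encoded renderings with Python's html.escape, feeds in the two payloads quoted in this bug, and lists which sinks still emit live markup before and after the repeater template is encoded. The render functions, sink names and the page row layout are assumptions for the demonstration; the real Groovy templates and their encoder differ.

```python
import html

# Constructed inputs, taken from the payloads quoted in this bug (not real portal data)
TITLE_PAYLOAD = '</title><script>alert("xssed portal")</script>'
PAGE_MGMT_PAYLOAD = "joo<script>alert('hello')</script>"
PAGE_ID = "portal::classic::homepage"   # the page whose title is edited in comment 8


def encode(value: str) -> str:
    """HTML-entity encode for element text and quoted attribute values.
    html.escape(quote=True) rewrites & < > " and ', so a title can neither close
    the enclosing element (</title>) nor break out of an attribute value."""
    return html.escape(value, quote=True)


def render_title_raw(title: str) -> str:
    """Pre-fix <title> rendering: raw interpolation, so '</title><script>' breaks out."""
    return f"<title>{title}</title>"


def render_title_encoded(title: str) -> str:
    """<title> after the first fix (comment 6: 'now encoded in <title>')."""
    return f"<title>{encode(title)}</title>"


def render_page_row_raw(page_id: str, title: str) -> str:
    """Hypothetical repeater row in the style of UIRepeater.gtmpl before the patch:
    the title lands in both an attribute value and element text, both unencoded."""
    return f'<tr><td title="{title}">{title}</td><td>{page_id}</td></tr>'


def render_page_row_encoded(page_id: str, title: str) -> str:
    """The same row with every interpolated value encoded (what the patch does)."""
    return (f'<tr><td title="{encode(title)}">{encode(title)}</td>'
            f'<td>{encode(page_id)}</td></tr>')


def contains_script(rendered: str) -> bool:
    """Crude sink check for the demo: a literal <script element reached the markup."""
    return "<script" in rendered.lower()


# Every sink renders the same stored page title. After the first fix only <title>
# encoded it; the page-management list and the navigation page picker (comments 7
# and 8) still rendered it raw, which is why the bug was reopened.
SINKS_AFTER_FIRST_FIX = {
    "title": lambda t: render_title_encoded(t),
    "page_management_row": lambda t: render_page_row_raw(PAGE_ID, t),
    "navigation_page_picker": lambda t: render_page_row_raw(PAGE_ID, t),
}

# After the UIRepeater.gtmpl patch both repeater users share the encoded row.
SINKS_AFTER_PATCH = {
    "title": lambda t: render_title_encoded(t),
    "page_management_row": lambda t: render_page_row_encoded(PAGE_ID, t),
    "navigation_page_picker": lambda t: render_page_row_encoded(PAGE_ID, t),
}


def unencoded_sinks(title: str, sinks: dict) -> list:
    """Names of the sinks that still emit the payload as live markup."""
    return [name for name, render in sinks.items() if contains_script(render(title))]


if __name__ == "__main__":
    for payload in (TITLE_PAYLOAD, PAGE_MGMT_PAYLOAD):
        print(repr(payload))
        print("  after first fix:", unencoded_sinks(payload, SINKS_AFTER_FIRST_FIX))
        print("  after patch:    ", unencoded_sinks(payload, SINKS_AFTER_PATCH))
```

The check to carry over to a real review of this kind of fix: enumerate every template that reads the title from the page model and confirm each one encodes for its own context (element text versus attribute value), rather than testing only the sink where the report first showed the alert.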
Comment 12 hfnukal@redhat.com 2011-08-02 05:47:45 UTC
Link: Added: This issue relates to JBEPP-997


Comment 13 hfnukal@redhat.com 2011-09-07 16:19:04 UTC
Security: Removed: RHT+eXo Added: Public


Comment 14 Jared MORGAN 2011-11-22 00:56:22 UTC
Release Notes Docs Status: Added: Not Required


Comment 15 Jared MORGAN 2011-11-22 01:06:06 UTC
Release Notes Text: Added: Cross-site scripting was present in the portal::classic::homepage. The fix encodes the Groovy template UIRepeater.gtmpl, which is used both for PageManagement and for selecting a page during edit navigation.
Labels: Added: EPP_RN_XSS