Bug 793517 (JBEPP-597)

Summary: XSS issue in dashboard new page creation
Product: [JBoss] JBoss Enterprise Portal Platform 5
Reporter: Viliam Rockai <vrockai>
Component: unspecified
Assignee: hfnukal <hfnukal>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Version: 5.1.0.GA, 5.1.0.ER03
CC: thanhtt, theute
Target Release: 5.1.1.DEV01
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/JBEPP-597
Doc Type: Bug Fix
Last Closed: 2011-04-13 12:57:12 UTC
Type: Bug

Description Viliam Rockai 2010-10-29 14:58:54 UTC
project_key: JBEPP

this issue has two subdivisions:

1. basic page add
- login
- click on dashboard, to the "on page editor" click on the "plus" button to add new page and set "<script>alert('hi');</script>" as its name
- the javascript is now invoked

2. advanced page add
- login, go to dashboard
- click dashboard editor -> add new page
- put "whatever" to node name and "<script>alert('hi');</script>" as node description
- click next, next
- the javascript is invoked

Comment 1 Viliam Rockai 2010-10-29 14:59:23 UTC
Security: Removed: Public Added: RHT+eXo


Comment 2 Thomas Heute 2010-11-12 08:43:14 UTC
Tentatively set for 5.1.0 CR01

Comment 3 Thomas Heute 2010-11-12 12:20:30 UTC
Javascript is invoked but not stored (It says just after that the title is invalid) so I don't know if it's really a security issue

Comment 4 hfnukal@redhat.com 2011-03-23 09:36:00 UTC
Similar behavior

Comment 5 hfnukal@redhat.com 2011-03-23 09:36:00 UTC
Link: Added: This issue is related to JBEPP-847


Comment 6 Thomas Heute 2011-04-13 09:47:04 UTC
Link: Added: This issue is related to GTNPORTAL-1858


Comment 7 hfnukal@redhat.com 2011-04-13 12:57:12 UTC
Release Notes Docs Status: Removed: Not Required Added: Documented as Known Issue
Release Notes Text: Added: XSS issue in dashboard new page creation


Comment 8 Thomas Heute 2011-04-13 13:04:01 UTC
Release Notes Docs Status: Removed: Documented as Known Issue Added: Documented as Resolved Issue
Release Notes Text: Removed: XSS issue in dashboard new page creation Added: XSS issue in dashboard new page creation has been fixed so that the javascript isn't invoked anymore


Comment 9 Scott Mumford 2011-04-28 05:19:05 UTC
Release Notes Text: Removed: XSS issue in dashboard new page creation has been fixed so that the javascript isn't invoked anymore Added: A cross-site scripting (XSS) vulnerability allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. Groovy encoding methods have been added to the code to prevent this and javascript is no longer invoked.


Comment 10 Scott Mumford 2011-04-29 01:59:20 UTC
Release Notes Docs Status: Removed: Documented as Resolved Issue Added: Needs More Info
Release Notes Text: Removed: A cross-site scripting (XSS) vulnerability allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. Groovy encoding methods have been added to the code to prevent this and javascript is no longer invoked. Added: Cause: NEEDINFO What allowed the javascript to be executed? Or what was missing that would have prevented it?
Consequence: This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard.
Fix:  Groovy encoding methods have been added to the code to prevent this (NEEDINFO Is this correct? What was added/removed  that stops javascript?)
Result: Javascript is no longer invoked when entered into page fields.


Comment 11 Thomas Heute 2011-04-29 07:02:55 UTC
Release Notes Text: Removed: Cause: NEEDINFO What allowed the javascript to be executed? Or what was missing that would have prevented it?
Consequence: This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard.
Fix:  Groovy encoding methods have been added to the code to prevent this (NEEDINFO Is this correct? What was added/removed  that stops javascript?)
Result: Javascript is no longer invoked when entered into page fields. Added: Cause: Name of a dashboard page entered by user was not properly encoded before being returned on the web browser.
Consequence: This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard.
Fix:  The name of the page is now properly HTML encoded before being returned.
Result: Javascript is no longer invoked when entered into page fields.


Comment 12 Thomas Heute 2011-04-29 07:05:45 UTC
Release Notes Docs Status: Removed: Needs More Info Added: Not Yet Documented


Comment 13 Scott Mumford 2011-05-03 04:11:42 UTC
Release Notes Docs Status: Removed: Not Yet Documented Added: Documented as Resolved Issue


Comment 14 Michal Vanco 2011-05-03 11:46:23 UTC
Link: Added: This issue relates to JBEPP-915


Comment 15 Scott Mumford 2011-05-04 03:59:27 UTC
Release Notes Text: Removed: Cause: Name of a dashboard page entered by user was not properly encoded before being returned on the web browser.
Consequence: This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard.
Fix:  The name of the page is now properly HTML encoded before being returned.
Result: Javascript is no longer invoked when entered into page fields. Added: The name of a dashboard page entered by user was not properly encoded before being returned on the web browser. This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. The name of the page is now properly HTML encoded before being returned and javascript is no longer invoked when entered into page fields.


Comment 16 hfnukal@redhat.com 2011-09-07 16:19:05 UTC
Security: Removed: RHT+eXo Added: Public
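
The cause and fix recorded in comments 11 and 15, together with the "invoked but not stored" behaviour from comment 3, shown as an added example that is not code from the portal or from this ticket. The class, the method names, the validation rule and the error markup are assumptions made for illustration; only the input string comes from the bug description.

```java
/** Added illustration; all names here are hypothetical, not portal code. */
public class PageNameEncodingDemo {

    /** Encode the characters that are significant in HTML text and quoted attributes. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Assumed validation rule: letters, digits, space, '_' and '-' only. */
    static boolean isValidName(String name) {
        return name.matches("[A-Za-z0-9 _-]{1,30}");
    }

    /** "Before": the value is rejected and never stored, yet it is echoed unencoded. */
    static String renderUnsafe(String name) {
        return isValidName(name)
            ? "<span class=\"tab\">" + name + "</span>"
            : "<div class=\"error\">Invalid page name: " + name + "</div>";
    }

    /** "After": every path that returns the value to the browser encodes it first. */
    static String renderEncoded(String name) {
        String safe = htmlEncode(name);
        return isValidName(name)
            ? "<span class=\"tab\">" + safe + "</span>"
            : "<div class=\"error\">Invalid page name: " + safe + "</div>";
    }

    public static void main(String[] args) {
        String input = "<script>alert('hi');</script>"; // value from the bug description
        System.out.println("unencoded: " + renderUnsafe(input));
        System.out.println("encoded:   " + renderEncoded(input));
        // Regression check: no raw markup from the input may reach the response.
        if (renderEncoded(input).contains("<script>")) throw new AssertionError("raw markup in output");
    }
}
```

Rejecting the name at validation does not help if the rejection message itself reflects the raw value, which is why the encoding is applied on the error path as well as the success path.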