Bug 793281 (JBEPP-365) - XSS in page title
Summary: XSS in page title
Keywords:
Status: CLOSED NEXTRELEASE
Alias: JBEPP-365
Product: JBoss Enterprise Portal Platform 5
Classification: JBoss
Component: Portal
Version: 5.0.0.CR01,5.1.1.DEV01,5.1.1.CR01
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 5.1.1.DEV02, 5.2.0.DEV02, 5.1.1.GA
Assignee: hfnukal@redhat.com
QA Contact:
URL: http://jira.jboss.org/jira/browse/JBE...
Whiteboard: EPP_RN_XSS
Depends On:
Blocks:
Reported: 2010-05-18 10:43 UTC by Marc Schoenefeld
Modified: 2012-02-28 16:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-02 05:56:02 UTC
Type: Bug


Attachments
epp_page_title_xss.png (61.85 KB, image/png), 2010-05-18 10:45 UTC, Marc Schoenefeld
epp_page_title_xss1_result.png (12.91 KB, image/png), 2010-05-18 10:45 UTC, Marc Schoenefeld
JBEPP-365-PageManagement.patch (1.17 KB, text/x-patch), 2011-07-29 15:38 UTC, mposolda


Links
Red Hat Bugzilla 793926 (high, CLOSED): XSS issue in category description; last updated 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker JBEPP-365 (Minor, Closed): XSS in page title; last updated 2012-08-23 07:04:08 UTC
Red Hat Issue Tracker JBQA-4899 (Major, Closed): EPP 5.1.1 CR01 release testing; last updated 2012-08-23 07:04:09 UTC

Internal Links: 793926

Description Marc Schoenefeld 2010-05-18 10:43:21 UTC
project_key: JBEPP

XSS in page title 

</title><script>alert("xssed portal")</script>

Comment 2 Marc Schoenefeld 2010-05-18 10:45:23 UTC
Attachment: Added: epp_page_title_xss.png
Attachment: Added: epp_page_title_xss1_result.png


Comment 4 mposolda 2011-07-29 08:00:56 UTC
I am reopening because the issue still exists in EPP 5.1.1.CR1

Comment 5 mposolda 2011-07-29 08:03:23 UTC
Link: Added: This issue relates to JBQA-4899


Comment 6 hfnukal@redhat.com 2011-07-29 11:18:34 UTC
Can you please check where in the HTML source of the page the JavaScript is? It is now encoded in <title>, but it is probably displayed somewhere else.

Comment 7 mposolda 2011-07-29 13:01:44 UTC
It's shown in the pageManagement page after editing the page.

Steps to reproduce with EPP 5.1.1.CR1:

    * Login as root
    * Go to http://localhost:8080/portal/private/classic/administration/pageManagement
    * Click on some page: Edit page -> View page properties -> Change title of page to "joo<script>alert('hello')</script>"
    * Click save -> Click finish -> Refresh page http://localhost:8080/portal/private/classic/administration/pageManagement and XSS appears.



Comment 8 mposolda 2011-07-29 14:25:41 UTC
Unfortunately there is another place where this XSS shows. Steps to reproduce:
- Edit the title of page portal::classic::homepage in page management as described in the previous comment
- Go to http://localhost:8080/portal/private/classic/portalnavigation
- Click "Edit navigation" on the classic portal
- Click "Add node". Now you can see the alert.

Comment 9 mposolda 2011-07-29 15:38:03 UTC
Attachment: Added: JBEPP-365-PageManagement.patch


Comment 10 mposolda 2011-07-29 15:39:50 UTC
Attached patch JBEPP-365-PageManagement.patch fixes the XSS issues from both previous comments:
https://issues.jboss.org/browse/JBEPP-365?focusedCommentId=12617532&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12617532
https://issues.jboss.org/browse/JBEPP-365?focusedCommentId=12617563&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12617563

It encodes the groovy template UIRepeater.gtmpl, which is used both for PageManagement and for selecting a page during edit navigation. So it covers both cases. I tested it successfully with EPP 5.1.1.CR1.
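
The fix described in this comment is output encoding at the point where the template writes the page title into HTML. The following is an added illustration of that idea and is not the JBEPP-365 patch, UIRepeater.gtmpl, or any EPP/GateIn class: a stand-alone Java encoder applied to the two titles quoted in this bug, rendering a page-list row the way an admin page might. The class name, the row markup and the sample titles are constructed for the example.

```java
// Added example (not EPP/GateIn code): HTML-entity encode a page title
// before writing it into a template, so a title such as
// </title><script>...</script> cannot close the <title> element or
// inject a <script> element into the page management list.
public class PageTitleEncoder {

    /** Encode the five characters that can change HTML context. */
    public static String encodeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The <title> element of a rendered page, with the title encoded. */
    public static String renderTitleElement(String title) {
        return "<title>" + encodeHtml(title) + "</title>";
    }

    /** One row of a page list (constructed markup), with both cells encoded. */
    public static String renderRow(String pageId, String title) {
        return "<tr><td>" + encodeHtml(pageId) + "</td><td>" + encodeHtml(title) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the two titles quoted in the bug report,
        // plus a harmless one to show that ordinary text passes through unchanged.
        String[] titles = {
            "</title><script>alert(\"xssed portal\")</script>",
            "joo<script>alert('hello')</script>",
            "Home Page"
        };
        for (String t : titles) {
            System.out.println("unencoded: " + t);
            System.out.println("title    : " + renderTitleElement(t));
            System.out.println("row      : " + renderRow("portal::classic::homepage", t));
            System.out.println();
        }
    }
}
```

The point the bug thread makes is that encoding in one place (the `<title>` element, per comment 6) is not enough: every template that writes the stored title, including the page management list and the page selector used during navigation editing, has to apply the same encoding, which is why the patch targets the shared UIRepeater.gtmpl rather than a single page. Run with `javac PageTitleEncoder.java && java PageTitleEncoder`; the `</title>` fragment in the first sample comes out as `&lt;/title&gt;` and no longer terminates the element.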

Comment 11 mposolda 2011-07-29 15:40:46 UTC
The patch needs to be applied in project web/portal.

Comment 12 hfnukal@redhat.com 2011-08-02 05:47:45 UTC
Link: Added: This issue relates to JBEPP-997


Comment 13 hfnukal@redhat.com 2011-09-07 16:19:04 UTC
Security: Removed: RHT+eXo Added: Public


Comment 14 Jared MORGAN 2011-11-22 00:56:22 UTC
Release Notes Docs Status: Added: Not Required


Comment 15 Jared MORGAN 2011-11-22 01:06:06 UTC
Release Notes Text: Added: Cross-site scripting was present in the portal::classic::homepage. The fix encodes the groovy template UIRepeater.gtmpl, which is used both for PageManagement and for selecting a page during edit navigation.
Labels: Added: EPP_RN_XSS

