Hi,
during a penetration test of his WebObjects servlet installation, one of our customers found a potential XSS issue:
Deployment environment: Tomcat application server + Apache mod_proxy
Consider the following request:
If a malicious client changes "AppName" to something else, the following request
generates a response similar to request (1), except that in all WebObjects URLs "AppName" is replaced by "SomethingElse".
Now, if you are a bit more malicious, you would replace AppName by
x">
et voilà, a wonderful alert panel appears (at least in Firefox).
To fix this issue, I checked that the application name provided in the request uri matches the real application name:
Application.java:

    import com.webobjects.appserver.WORequest;
    import com.webobjects.appserver.WOResponse;

    @Override
    public WOResponse dispatchRequest(WORequest aRequest) {
        String uri = aRequest.uri();
        // The part every request for this application must carry, e.g. /cgi-bin/WebObjects/AppName.woa
        String expectedApplicationPartInUri = applicationBaseURL() + "/" + name()
                + ((nameSuffix() != null) ? nameSuffix() : "") + ".woa";
        if (uri == null || !uri.contains(expectedApplicationPartInUri)) {
            log.error("failed to dispatch request: uri [" + uri + "] does not match application name ["
                    + expectedApplicationPartInUri + "]");
            // Answer with a plain 404 instead of letting the bogus application name be echoed into the generated URLs
            WOResponse r404 = new WOResponse();
            r404.setStatus(404);
            r404.setContent("The requested resource was not found on this server.");
            return r404;
        }
        return super.dispatchRequest(aRequest);
    }
Are there any suggestions to improve the code above? Shouldn't we fix this issue in core (aka erextensions)?
Regards,
René
P.S.: for the requests above, only a classical deployment (apache + mod_webobjects) would have said:
The requested application was not found on this server.
-- salient doremus
salient GmbH Kontorhaus - Lindleystraße 12 60314 Frankfurt Main
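As an added example (not code from René's post, nor from WebObjects or Project Wonder), the same check written as a stand-alone helper that compares the application segment of the request path exactly against name() + nameSuffix() + ".woa" instead of looking for it as a substring anywhere in the URI. The class and method names are hypothetical, and the base URL "/cgi-bin/WebObjects" is assumed to be what applicationBaseURL() returns.

```java
// Added example, not part of the original post. Class and method names are hypothetical.
public final class ApplicationNameCheck {

    /** Builds the expected segment the same way the fix in the post does: name + suffix + ".woa". */
    static String expectedSegment(String appName, String nameSuffix) {
        return appName + (nameSuffix != null ? nameSuffix : "") + ".woa";
    }

    /**
     * @param uri     raw request URI as WORequest.uri() returns it, e.g. /cgi-bin/WebObjects/AppName.woa/wa/x?y=1
     * @param baseUrl the value applicationBaseURL() returns, assumed here to be /cgi-bin/WebObjects
     */
    static boolean isRequestForApplication(String uri, String baseUrl, String appName, String nameSuffix) {
        if (uri == null) {
            return false;
        }
        // Only the path matters: drop query string and fragment before looking at the segments.
        int cut = uri.indexOf('?');
        String path = cut < 0 ? uri : uri.substring(0, cut);
        cut = path.indexOf('#');
        if (cut >= 0) {
            path = path.substring(0, cut);
        }
        String prefix = baseUrl + "/";
        if (!path.startsWith(prefix)) {
            return false;
        }
        // The application segment is everything between the base URL and the next slash.
        String rest = path.substring(prefix.length());
        int slash = rest.indexOf('/');
        String segment = slash < 0 ? rest : rest.substring(0, slash);
        // Exact comparison of that one segment, rather than contains() over the whole URI.
        return segment.equals(expectedSegment(appName, nameSuffix));
    }

    public static void main(String[] args) {
        String base = "/cgi-bin/WebObjects";
        // Constructed sample URIs: the genuine application name, a renamed one, and the injected one from the post.
        String[] samples = {
            "/cgi-bin/WebObjects/AppName.woa/wa/default?wosid=123",   // true
            "/cgi-bin/WebObjects/SomethingElse.woa/wa/default",       // false
            "/cgi-bin/WebObjects/x\">.woa/wa/default"                 // false
        };
        for (String s : samples) {
            System.out.println(isRequestForApplication(s, base, "AppName", null) + "  " + s);
        }
    }
}
```

Inside Application.java the helper would be called from dispatchRequest() with aRequest.uri(), applicationBaseURL(), name() and nameSuffix(), returning the same 404 response as in the post when it yields false.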