Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-25811

Better handling of extra parameters on JSF UI startup page

    Details

    • Tags:
    • Backlog priority:
      700

      Description

      Extra parameters exist where a field which should be specified only once is specified multiple times, or unexpected arguments are given, or where redundant arguments with different values are given in different places. Applications and protocols must define behavior appropriate to the nature of the parameter wherever such scenarios are possible. The below request will redirect to /nuxeo?id=1. While this is not an exploitable vulnerability, a bug such as this could be leveraged to extend the previous RCE vulnerability via a very convincing phishing attack.

      Example request:

      POST /nuxeo/nxstartup.faces HTTP/1.1
      Host: collaborate-corp-beta.amazon.com
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, 
      Referer: https://collaborate-corp-beta.amazon.com/nuxeo/login2.jsp
      Connection: close
      Upgrade-Insecure-Requests: 1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 156 
       
      user_name=kmuser&user_password=<Password_Redacted>&language=en_US&requestedUrl=nuxeo/?id=1&forc eAnonymousLogin=&form_submitted_marker=&Submit=Log+In
      

      Recommended fix

      Where parameter can be multiply specified, define an order of precedence whereby the most trusted value is used; for example, between a cookie and a query string parameter, trust the cookie. Avoid creating scenarios where redundant input from unexpected sources is possible.

      In this specific example, setting a session parameter with the contents of requestUrl, while simultaneously removing requestUrl from the POST request would effectively remediate this issue.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                PagerDuty

                Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.