Nuxeo Platform
NXP-5181

XSS vulnerability in Seam Conversation management


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3.1
    • Fix Version/s: 5.3.2
    • Component/s: Seam / JSF UI

      Description

      When Seam retrieves the conversationId from the GET parameters, it does not perform any checks on it.
      In order to use the conversationId from Seam Remoting, Nuxeo dumps the conversationId in a JS script.
      This is done via a simple h:outputText.
      As stated in the documentation (http://java.sun.com/javaee/javaserverfaces/1.1_01/docs/tlddocs/h/outputText.html), h:outputText is supposed to escape any HTML content.

      Unfortunately, it does not seem to work when the <h:outputText> is inside a <script> tag.
      Even forcing the escape does not change the result.

      To reproduce, you can pass a conversationId like this: conversationId=0NXMAIN</sCrIpT><sCrIpT>alert('yo')</sCrIpT>
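The description above explains why HTML escaping is the wrong defence for a value written into a script block. The following is an added example, not Nuxeo or Seam code, showing the two checks a fix needs: a whitelist on the conversationId and JavaScript-context encoding of the value before it is placed in a string literal. The function names and the allowed id pattern are assumptions.

```javascript
// Added example (not Nuxeo code). Inside a <script> element the browser does
// not decode HTML entities, so entity escaping ("&lt;") does not belong there;
// instead every character outside [A-Za-z0-9] is emitted as a JavaScript
// \xHH or \u escape. A JS string literal built this way can never contain
// "</script>", so the value cannot terminate the enclosing script element.
function encodeForJavaScript(value) {
  let out = '';
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (code < 0x100) {
      out += '\\x' + code.toString(16).padStart(2, '0');
    } else if (code < 0x10000) {
      out += '\\u' + code.toString(16).padStart(4, '0');
    } else {
      out += '\\u{' + code.toString(16) + '}';
    }
  }
  return out;
}

// Defence in depth: a Seam conversation id is an opaque token, so reject
// anything outside a small alphabet before it reaches any output context.
// (Assumed pattern; tighten it to match the real id format.)
const CONVERSATION_ID_RE = /^[A-Za-z0-9_:.-]{1,64}$/;
function isValidConversationId(id) {
  return CONVERSATION_ID_RE.test(id);
}

// Build the inline script the way a hardened page would: validate first,
// then JS-encode into a quoted string literal.
function renderConversationScript(id) {
  if (!isValidConversationId(id)) {
    throw new Error('invalid conversationId');
  }
  return '<script>var conversationId = "' + encodeForJavaScript(id) + '";</script>';
}

// Helper used only to show the encoding is lossless: evaluate the literal
// exactly as a browser would and return the original value.
function decodeJsStringLiteral(encoded) {
  return Function('return "' + encoded + '";')();
}
```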


            People

            • Assignee: Thierry Delprat (tdelprat)
            • Reporter: Thierry Delprat (tdelprat)
