
URL parameters which are read into html forms present reflective XSS vulnerability.


Details

    • High
    • Easy

    Description

      One such example is the login feature, which contains a hidden form input that takes whatever is in the xredirect parameter and puts it into the input field's value attribute.
      The obvious exploit looks like this:

      http://127.0.0.1:8081/xwikiTrunk/bin/login/XWiki/XWikiLogin?xredirect=%22/%3E%3Cscript%3Ealert(%27hacked%27)%3C/script%3E%3Cinput%20value=%22
      

      Mitigation methods may include:
      Make sure every value written into a form input is escaped, so that it is treated as plain text.
      Sign URLs by appending a secret salt and hashing, then pass the hash as a parameter. When the URL is checked, the hash parameter is removed and the URL is passed to a verify method which appends the salt, hashes, and compares the result to the given hash. The main drawback is that it is difficult to peel off the signature correctly.
      The noscript approach is to filter characters which have no business being in URLs, namely: " ' < > \
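      The URL-signing idea above, as an added example (not code from XWiki or from this issue): it uses an HMAC over a canonical form of the URL instead of an appended salt, and handles the "peeling off" problem by removing the signature parameter, sorting the remaining parameters and dropping the fragment before hashing, on both the signing and the verifying side. The parameter name xsig and the secret are assumptions; the login URL is the one from this issue.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SIG_PARAM = "xsig"  # hypothetical name for the signature parameter


def _canonical(url):
    """Rebuild the URL without the signature parameter, with the remaining
    query parameters sorted and the fragment dropped (it never reaches the
    server), so signing and verification hash exactly the same bytes."""
    parts = urlsplit(url)
    params = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                    if k != SIG_PARAM)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def _mac(url, key):
    return hmac.new(key, _canonical(url).encode("utf-8"), hashlib.sha256).hexdigest()


def sign_url(url, key):
    """Return url with the signature appended as SIG_PARAM; any pre-existing
    signature parameter is replaced rather than signed over."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != SIG_PARAM]
    params.append((SIG_PARAM, _mac(url, key)))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params),
                       parts.fragment))


def verify_url(url, key):
    """True only if url carries exactly one signature parameter and it matches
    the MAC of the canonical form of the rest of the URL."""
    parts = urlsplit(url)
    sigs = [v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k == SIG_PARAM]
    if len(sigs) != 1:
        return False  # missing or duplicated signature: reject
    return hmac.compare_digest(sigs[0], _mac(url, key))


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # constructed; use a real server-side secret
    login = "http://127.0.0.1:8081/xwikiTrunk/bin/login/XWiki/XWikiLogin?xredirect=/xwikiTrunk/bin/view/Main/"
    signed = sign_url(login, key)
    print(signed, verify_url(signed, key))
    tampered = signed.replace("xredirect=", "xredirect=%22%2F%3E%3Cscript%3E")
    print(tampered, verify_url(tampered, key))
```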

      List of Velocity templates which read values into form input fields, with the relevant lines and line numbers. These should be enclosed in $escapetool.html(); after they are fixed, please cross them out on the list. I have crossed out the ones which are already escaped or obviously not applicable, but this list was generated with a find -exec grep command, so it will have false positives.

      12: <dd><input type="text" name="author" id="author" value="$context.user"/></dd>
      ./exportinline.vm

      102: <td><input type="text" id="chwChartTitleFontSizeInput" title="$msg.get("chwfontsizetitle")" class="chwSmallInput" value="$chwdefaultsize" onfocus="window.wizard.storeValue(this.value);" onchange="if(window.wizard.validateNumber(this, 1, 128)) window.wizard.changeFont('ChartTitleFont');"/>pt
      305: <td><input type="text" id="chwChartSubtitleFontSizeInput" title="$msg.get("chwfontsizetitle")" class="chwSmallInput" value="$chwdefaultsize" onfocus="window.wizard.storeValue(this.value);" onchange="if(window.wizard.validateNumber(this, 1, 128)) window.wizard.changeFont('ChartSubtitleFont');"/>pt
      ./chw/titlepage.vm

      2: Root space name: <input type="text" name="rootSpace" value="$request.getPreferences().getValue( "rootTopic", "")" />
      ./portletConfig.vm

      8: <dd><input type="text" id="tags" name="tags" value="$!tdoc.tags"/></dd>
      96: <dd><input type="text" id="tags" name="tags" onfocus="new ajaxSuggest(this, {script:'$script', varname: 'input', seps:'$seps', offsety: 13});" value="$!tdoc.tags"/></dd>
      ./tagedit.vm

      31: <input type="text" name="newPageName" value="${newname}" class="panelinput withTip"/>
      ./renameStep1.vm

      43: <input type="hidden" name="xredirect" value="${xwiki.getFormEncoded($redirect)}" />
      147: <input type="hidden" name="name" value="$request.file" />
      166: <input type="hidden" name="$version.fullName:$version.language" value="$version.language" />
      ./importinline.vm

      14:<input type="hidden" name="${class.name}_nb" value="$nb" />
      ./edituser.vm

      29: <input type="hidden" name="$param" value="$xwiki.getFormEncoded($value)"/>
      ./previewactions.vm

      38: <input type="hidden" name="section" value="$!{request.section}" />
      41: <div class="hidden"><input type="hidden" name="x-maximized" value="$!{request.get('x-maximized')}"/></div>
      66:<input type="text" id="xwikidoctitleinput" name="title" value="$xwiki.getXMLEncoded("$!docTitle")"/></label>
      ./edit.vm

      43: <input type="hidden" id="macroname" name="macroname" value="$macroname" />
      82: <input type="hidden" id="macroparam" name="macroparam" value="$macroparam" />
      ./macrowysiwyg.vm

      13:<input type="hidden" name="template" value="$!request.template" />
      19:<input type="hidden" name="xcontinue" value="$xcontinue"/>
      20:<input type="hidden" name="xredirect" value="$!xredirect" />
      21:<input type="hidden" name="language" value="$!tdoc.realLanguage" />
      ./editwysiwygnew.vm

      23:<div class="hidden"><input type="hidden" name="xredirect" value="$!request.xredirect"/>
      25:<input type="hidden" name="srid" value="$!request.srid"/>
      ./login.vm

      116: <div class="hidden"><input type="hidden" name="xcontinue" value="$doc.getURL($context.action, $q)"/></div>
      ./editobject.vm

      64:<input type="hidden" name="xredirect" value="${xwiki.getFormEncoded($redirect)}" />
      ./attachmentsinline.vm

      16:<div class="hidden"><input type="hidden" name="xcontinue" value="$doc.getURL('edit', 'editor=class')"/></div>
      ./editclass.vm

      60: <input type="hidden" name="id" value="$request.id"/>
      62: <input type="hidden" name="xredirect" value="$request.xredirect"/>
      ./delete.vm

      77: <input type="hidden" name="xredirect" value="${doc.getURL('view')}#Comments" />
      80: <input type="hidden" name="${xCommentClass}_author" value="$context.user"/>
      82: <label>$msg.get('core.viewers.comments.add.guestName.prompt') <input type="text" name="${xCommentClass}_author" value="$msg.get('core.viewers.comments.add.guestName.default')"/></label>
      85: <input type="hidden" name="${xCommentClass}_replyto" value="$!{request.replyto}"/>
      115: <input type="hidden" name="comment" value="$msg.get('core.viewers.comments.edit.versionComment', [${comment.number}])"/>
      117: <input type="hidden" name="xredirect" value="$!{request.xredirect}">
      ./commentsinline.vm

      472: <input type="hidden" name="App" value="$oAttach.getFilename()" />
      ./macros.vm

      7:<input type="hidden" name="template" value="$!request.template" />
      13:<input type="hidden" name="xcontinue" value="$xcontinue"/>
      14:<input type="hidden" name="xredirect" value="$!xredirect" />
      15:<input type="hidden" name="language" value="$!tdoc.realLanguage" />
      ./editwiki.vm

      3:<input type="hidden" name="${class.name}_nb" value="$nb" />
      ./hiddenobject.vm

      127: <td colspan="$colsp"><input type="hidden" name="clsname" value="$clsname" /></td>
      198: <input type="hidden" name="${class.name}_nb" value="$nb" />
      218: <input type="hidden" name="xcontinue" value="$xwiki.getURL("$doc", "admin", "editor=$!{request.editor}&section=$!{request.section}&space=$!{request.space}")" />
      219: <input type="hidden" name="xredirect" value="$xwiki.getURL("$doc", "admin", "editor=$!{request.editor}&section=$!{request.section}&space=$!{request.space}")" />
      220: <input type="hidden" name="classname" value="${class.name}" />
      ./rightsUI.vm

      7: <input type="hidden" name="xeditaction" value="$!context.action"/>
      15: <input type="hidden" name="comment" value="$!{request.comment}" />
      17: $msg.get("core.comment"): <input type="text" name="comment" value="$!{request.comment}" size="40" title="Enter a brief description of the modification" />
      ./editactions.vm

      13:<input type="hidden" name="template" value="$!request.template" />
      19:<input type="hidden" name="xcontinue" value="$xcontinue"/>
      20:<input type="hidden" name="xredirect" value="$!xredirect" />
      21:<input type="hidden" name="language" value="$!tdoc.realLanguage" />
      ./editwysiwyg.vm

      46: <td>$doc.fullName <input type="hidden" name="sourcedoc" value="$doc.fullName" size="60"/></td></tr>
      64: <td><input type="text" name="targetdoc" value="$!{request.targetdoc}" size="60" /></td></tr>
      ./copy.vm

      31:<div class="hidden"><input type="hidden" name="xcontinue" value="$doc.getURL("inline")"/></div>
      33:<input type="hidden" name="x-maximized" value="$!{request.get('x-maximized')}" />
      34:<input type="hidden" name="xredirect" value="$!xredirect" />
      35:<input type="hidden" name="xnotification" value="$!xnotification" />
      36:<input type="hidden" name="template" value="$!request.template" />
      37:<input type="hidden" name="language" value="$!doc.language" />
      39: <input type="hidden" name="parent" value="$xwiki.getXMLEncoded($!request.parent)" />
      42: <input type="hidden" name="title" value="$xwiki.getXMLEncoded($!request.title)" />
      ./editinline.vm
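      The grep-based list above can be narrowed mechanically. The following Python is an added example, not part of this issue or of XWiki: it scans template lines for <input ... value="..."> whose Velocity expression is not wrapped in $escapetool.html() or $xwiki.getXMLEncoded(), and marks the ones that read $request directly as reflected. The sample lines are copied from the list in this issue; the line numbers it reports are positions within the sample, not the original file line numbers, and like the original grep it is a heuristic with false positives.

```python
import re

# Constructed sample: lines copied from the template list in this issue, keyed by
# template name. Line numbers produced below are positions within this sample.
SAMPLE_TEMPLATES = {
    "login.vm": [
        '<div class="hidden"><input type="hidden" name="xredirect" value="$!request.xredirect"/>',
        '<input type="hidden" name="srid" value="$!request.srid"/>',
    ],
    "edit.vm": [
        '<input type="hidden" name="section" value="$!{request.section}" />',
        '<input type="text" id="xwikidoctitleinput" name="title" value="$xwiki.getXMLEncoded("$!docTitle")"/></label>',
        '<input type="submit" value="Save" />',
    ],
    "editwysiwyg.vm": [
        '<input type="hidden" name="template" value="$!request.template" />',
        '<input type="hidden" name="xredirect" value="$!xredirect" />',
    ],
}

# An <input> tag with a double-quoted value attribute. The capture stops at the first
# '"', so a Velocity call with quoted arguments is captured only up to that point.
INPUT_VALUE = re.compile(r'<input\b[^>]*?\bvalue="([^"]*)"', re.IGNORECASE)

# Wrappers that HTML/XML-escape their argument so it cannot close the attribute.
SAFE_WRAPPERS = ("$escapetool.html(", "$xwiki.getXMLEncoded(")


def find_unescaped_inputs(template, lines):
    """Return (template, lineno, expression, severity) for each value="..." whose
    Velocity expression is not wrapped in an escaping call. 'reflected' means the
    expression reads the request directly; 'review' means any other variable."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in INPUT_VALUE.finditer(line):
            expr = match.group(1)
            if "$" not in expr:
                continue  # static literal, nothing to escape
            if expr.startswith(SAFE_WRAPPERS):
                continue  # already escaped
            severity = "reflected" if "request" in expr else "review"
            findings.append((template, lineno, expr, severity))
    return findings


if __name__ == "__main__":
    for name, lines in SAMPLE_TEMPLATES.items():
        for template, lineno, expr, severity in find_unescaped_inputs(name, lines):
            print(f'{severity:9} {template}:{lineno}: value="{expr}"')
```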

          People

            surli Simon Urli
            calebjamesdelisle CalebJamesDeLisle