Details
- Improvement
- Resolution: Won't Fix
- Major
- None
- 11.10.10
- None
- Easy
- N/A
- N/A
-
Description
XWiki's stable-11.10.x branch currently has a dependency on css4j 1.0.2 in xwiki-platform-core/xwiki-platform-oldcore/pom.xml. However, that version is vulnerable to an extremely powerful DoS attack based on var() functions in malicious style sheets.
Although exploiting the vulnerability requires privileges (or XML injection) to be able to include the malicious CSS in a document, it may also be triggered from third-party CSS sources that could be linked from the page.
Despite the difficulty in triggering the bug, for peace of mind I suggest upgrading the stable-11.10.x branch to css4j 1.0.8 which has the latest security hardenings. Note that css4j is not available in Maven Central due to this:
https://groups.google.com/d/msg/css4j/op5jIoINb3M/IiiN-LfkDAAJ
so you have to manually download and deploy the packages from:
https://sourceforge.net/projects/carte/files/css4j/1.0/css4j-1.0.8.zip/download
It is worth noting that the aforementioned DoS vulnerability is known to third parties that routinely scan GitHub repositories looking for security vulnerabilities (searching for certain words in commit messages, code patterns taken from OWASP and other sites, etc.).
Issue Links
- relates to: XWIKI-16905 Upgrade to CSS4J 2.0.0 (Closed)