XSS in server2server.jsp

Description

From the forum post:

I have found a cross-site scripting vulnerability in the server2server jsp. This page handles the Server to Server settings. The parameter vulnerable to XSS is the domain parameter. To test, you can simply add a script tag into the domain field and use a valid port number. This will get persisted as well as cause a session to be taken/cause unwanted behavior such as an alert. (Example: <script> alert('XSS Vulnerability'); </script>).

We can either provide the fix by using the already existing method removeXSSCharacters in StringUtils (I see in most cases people use escapeHTMLTags) or use the industry-wide standard of the ESAPI jar.

Environment

None

Activity

Tom Evans May 10, 2013 at 8:12 PM

Applied input XSS filter for domain attribute on the S2S config page and performed some light testing via the admin console. Presumed fixed.

Tom Evans May 10, 2013 at 7:42 PM

My sense is that we should probably edit the domain value on input rather than output. I will take a closer look.

Daryl Herzmann May 8, 2013 at 2:38 PM

Suggested fix from community member

Server2Server.jsp -

Line 411 - <%= StringUtils.removeXSSCharacters(configuration.getDomain()) %>
Line 479 - <%= StringUtils.removeXSSCharacters(configuration.getDomain()) %>

Fixed
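
The two approaches discussed in the comments above (filtering the domain value on input, escaping it on output), shown side by side as an added example that is not Openfire's code. The class and method names are hypothetical, and the host-name rule assumes ASCII (A-label) domains.

```java
import java.util.regex.Pattern;

// Added example; class and method names are hypothetical, not Openfire code.
public class S2SDomainCheck {

    // Allow-list for one DNS label: letters, digits, inner hyphens, 1-63 chars.
    // Assumption: domains are submitted in ASCII (A-label) form.
    private static final Pattern LABEL =
            Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    /** Input side: accept the "domain" parameter only if it is a plausible host name. */
    static boolean isValidDomain(String domain) {
        if (domain == null || domain.isEmpty() || domain.length() > 253) {
            return false;
        }
        // limit -1 keeps empty trailing labels, so "example.org." is rejected too
        for (String label : domain.split("\\.", -1)) {
            if (!LABEL.matcher(label).matches()) {
                return false;
            }
        }
        return true;
    }

    /** Output side: encode the HTML-significant characters before rendering. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values for the "domain" field; the second is the
        // test string quoted in the description.
        String[] samples = { "example.org", "<script> alert('XSS Vulnerability'); </script>" };
        for (String d : samples) {
            System.out.println((isValidDomain(d) ? "accept: " : "reject: ") + escapeHtml(d));
        }
    }
}
```

Rejecting at input keeps the bad value from being persisted; escaping at output still protects any page that renders a value stored before the input check existed.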

Created May 7, 2013 at 6:39 PM
Updated May 10, 2013 at 8:12 PM
Resolved May 10, 2013 at 8:12 PM