ICEfaces / ICE-10998

'ice.window', 'ice.view' parameters vulnerable to JS injection attack

    Details

      Description

      This behaviour makes ICEfaces vulnerable to JavaScript injection attacks when accessed URLs contain JavaScript code as parameter values. For ICEfaces 3.* versions only the 'ice.view' parameter is vulnerable, while in ICEfaces 4.* versions the 'ice.view' and 'ice.window' parameters are vulnerable to JS injection attacks.

        Activity

        Mircea Toma created issue -
        Mircea Toma made changes -
        Field Original Value New Value
        Assignee Mircea Toma [ mircea.toma ]
        Mircea Toma made changes -
        Fix Version/s EE-4.1.0.GA [ 12171 ]
        Mircea Toma made changes -
        Fix Version/s EE-3.3.0.GA_P04 [ 12270 ]
        Mircea Toma added a comment -

        Verify if the received window ID is valid before creating the associated scope map. Generate a new valid ID if needed.
        Applied same strategy for ice.view parameter.

        Mircea Toma made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #48610 Tue Apr 05 07:06:22 MDT 2016 mircea.toma ICE-10998 Verify if the received window ID is valid before creating the scope map. Also verify if the view ID parameter is valid.
        Files Changed
        MODIFY /icefaces4/trunk/icefaces/core/src/main/java/org/icefaces/impl/application/WindowScopeManager.java
        MODIFY /icefaces4/trunk/icefaces/core/src/main/java/org/icefaces/impl/event/BridgeSetup.java
        Ken Fyten made changes -
        Summary ice.window parameter vulnerable to JS injection 'ice.window', 'ice.view' parameters vulnerable to JS injection attack
        Security Private [ 10001 ]
        Affects Version/s 4.0 [ 11382 ]
        Affects Version/s 3.3 [ 10370 ]
        Affects Version/s 4.1.1 [ 12972 ]
        Priority Major [ 3 ] Critical [ 2 ]
        Affects Documentation (User Guide, Ref. Guide, etc.) [ 10003 ]
        Assignee Priority P1 [ 10010 ]
        Ken Fyten added a comment -

        Re-opened to update description to be safe for public consumption and document specific original affected versions for each parameter.

        Ken Fyten made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Mircea Toma made changes -
        Description Loading a page with _ice.window_ parameter defined in the URL and with its value set to JS code that starts with ' character will have this code executed in the browser. Loading a page with _ice.window_ parameter defined in the URL and with its value set to JS code that starts with ' character will have this code executed in the browser.

        This behaviour makes ICEFaces vulnerable to Javascript injection attacks when accessed URLs contain Javascript code as parameter values. For ICEfaces 3.* versions only _ice.view_ parameter is vulnerable while ICEfaces 4.* versions _ice.view_ and _ice.window_ are vulnerable to JS injection attacks.
        Mircea Toma made changes -
        Description Loading a page with _ice.window_ parameter defined in the URL and with its value set to JS code that starts with ' character will have this code executed in the browser.

        This behaviour makes ICEFaces vulnerable to Javascript injection attacks when accessed URLs contain Javascript code as parameter values. For ICEfaces 3.* versions only _ice.view_ parameter is vulnerable while ICEfaces 4.* versions _ice.view_ and _ice.window_ are vulnerable to JS injection attacks.
        Loading a page with _ice.window_ parameter defined in the URL and with its value set to JS code that starts with ' character will have this code executed in the browser.

        This behaviour makes ICEFaces vulnerable to Javascript injection attacks when accessed URLs contain Javascript code as parameter values. For ICEfaces 3.* versions only _ice.view_ parameter is vulnerable while in ICEfaces 4.* versions _ice.view_ and _ice.window_ parameters are vulnerable to JS injection attacks.
        Mircea Toma made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Mircea Toma made changes -
        Description Loading a page with _ice.window_ parameter defined in the URL and with its value set to JS code that starts with ' character will have this code executed in the browser.

        This behaviour makes ICEFaces vulnerable to Javascript injection attacks when accessed URLs contain Javascript code as parameter values. For ICEfaces 3.* versions only _ice.view_ parameter is vulnerable while in ICEfaces 4.* versions _ice.view_ and _ice.window_ parameters are vulnerable to JS injection attacks.
        Loading a page with _ice.window_ parameter defined in the URL and with its value set to JS code that starts with ' character will have this code executed in the browser.

        This behaviour makes ICEFaces vulnerable to Javascript injection attacks when accessed URLs contain Javascript code as parameter values. For ICEfaces 3.* versions only 'ice.view' parameter is vulnerable while in ICEfaces 4.* versions 'ice.view' and 'ice.window' parameters are vulnerable to JS injection attacks.
        Mircea Toma made changes -
        Description Loading a page with _ice.window_ parameter defined in the URL and with its value set to JS code that starts with ' character will have this code executed in the browser.

        This behaviour makes ICEFaces vulnerable to Javascript injection attacks when accessed URLs contain Javascript code as parameter values. For ICEfaces 3.* versions only 'ice.view' parameter is vulnerable while in ICEfaces 4.* versions 'ice.view' and 'ice.window' parameters are vulnerable to JS injection attacks.
        This behaviour makes ICEFaces vulnerable to Javascript injection attacks when accessed URLs contain Javascript code as parameter values. For ICEfaces 3.* versions only 'ice.view' parameter is vulnerable while in ICEfaces 4.* versions 'ice.view' and 'ice.window' parameters are vulnerable to JS injection attacks.
        Ken Fyten made changes -
        Security Private [ 10001 ]
        Liana Munroe added a comment - edited

        The Jenkins EE-3.3 maintenance branch nightly build 706 that contained the commit for this fix may have caused a regression in the showcase ace:dataTable > Row State demo on the EE-3.3 maintenance branch.

        While testing for ICE-10793 (dataTable) I came across an issue that was actually caused by the build before the commits for ICE-10793.
        When using EE-3.3.0 maintenance branch Jenkins build 706, the EE-3.3 showcase > ace:dataTable > RowState demo loads incorrectly and does not function when using any of the Selection / Visibility / Editability or Editing button categories. The changes checked in for build 706 were for ICE-10998. There may be other demos affected; at this point I have not yet run regressions on the ee-3.3 maintenance branch.

        This demo passes when using IF4 trunk.

        Liana Munroe made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Mircea Toma added a comment -

        Fix REGEX expression used to check the ice.view parameter. The generated view IDs have only digits or letters in them without the : (colon) character (like IF4 has).

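The fix strategy described in the comments above (validate the received ice.window / ice.view ID against an allow-list before creating the scope map, and generate a fresh ID instead of echoing an invalid value) is illustrated by the following added example. This is not the ICEfaces project's own code: the class and method names are hypothetical, and the two patterns are assumptions based on the comment that 3.x IDs contain only letters and digits while IF4 IDs contain a colon.

```java
import java.security.SecureRandom;
import java.util.regex.Pattern;

/** Hypothetical validator illustrating the ICE-10998 strategy; not WindowScopeManager itself. */
public final class BridgeParamValidator {
    // Assumed 3.x shape: generated IDs are letters and digits only (no colon).
    private static final Pattern ID_3X = Pattern.compile("[A-Za-z0-9]+");
    // Assumed 4.x shape: an optional colon-separated suffix, as IF4 IDs contain a colon.
    private static final Pattern ID_4X = Pattern.compile("[A-Za-z0-9]+(:[A-Za-z0-9]+)?");
    private static final SecureRandom RANDOM = new SecureRandom();

    private final Pattern allowed;

    private BridgeParamValidator(Pattern allowed) { this.allowed = allowed; }

    public static BridgeParamValidator forIcefaces3() { return new BridgeParamValidator(ID_3X); }
    public static BridgeParamValidator forIcefaces4() { return new BridgeParamValidator(ID_4X); }

    /** True only when the entire parameter value matches the allow-list (matches(), not find()). */
    public boolean isValid(String value) {
        return value != null && allowed.matcher(value).matches();
    }

    /** Keeps a valid received ID; anything else is replaced by a freshly generated one. */
    public String validOrFresh(String received) {
        return isValid(received) ? received : generateId();
    }

    /** Base-36 of a non-negative random long: lowercase letters and digits only, so it always validates. */
    public String generateId() {
        return Long.toString(RANDOM.nextLong() & Long.MAX_VALUE, 36);
    }

    public static void main(String[] args) {
        BridgeParamValidator v3 = forIcefaces3();
        System.out.println(v3.validOrFresh("a1b2c3"));      // echoed unchanged
        System.out.println(v3.validOrFresh("'tampered"));   // starts with a quote: replaced by a fresh ID
        System.out.println(forIcefaces4().isValid("a1b2:c3")); // true: colon allowed on 4.x
        System.out.println(v3.isValid("a1b2:c3"));             // false: the 3.x regex rejects the colon
    }
}
```

The last two lines show the regression the Liana Munroe comment reports: a 3.x check that carried the 4.x colon rule (or vice versa) rejects the framework's own generated IDs.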
        Mircea Toma made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Carmen Cristurean added a comment -

        Samples and tutorial tests have been run on ICEfaces-EE-3.3.0-maintenance r.48617, and ICEfaces4 trunk r.48623.
        The changes committed for this JIRA cause the tabSet-caching tutorial to fail starting with Jenkins IF4 trunk Build# 1895, see ICE-11003.

        Arturo Zambrano added a comment -

        ICE-11003 has now been fixed, at the app level. Please read the observations I make in my comment in that JIRA. This issue can occur in other applications, and we need to either document the workaround or prevent it with some more code.

        Ken Fyten made changes -
        Fix Version/s EE-4.1.0.BETA [ 13072 ]
        Ken Fyten made changes -
        Issue Type Bug [ 1 ] Improvement [ 4 ]
        Ken Fyten made changes -
        Fix Version/s 4.2.BETA [ 13091 ]
        Fix Version/s 4.2 [ 12870 ]
        Ken Fyten made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee: Mircea Toma
          • Reporter: Mircea Toma
          • Votes: 0
          • Watchers: 6
