ICEfaces
  1. ICEfaces
  2. ICE-7595

JavaScript echo through focus parameter

          Details

          • Type: Bug Bug
          • Status: Closed
          • Priority: Major Major
          • Resolution: Fixed
          • Affects Version/s: 3.0.RC1
          • Fix Version/s: 3.0, EE-1.8.2.GA_P04
          • Component/s: Framework
          • Labels:
            None
          • Environment:
            ICEfaces

            Description


            If the ice.focus parameter is set to contain JavaScript, this may be executed on a subsequent page view.

            As mentioned in the forum post, setting ice.focus:

            ice.focus=form.starSearchClient');alert('Xss

            will allow the JavaScript to be executed because the page contains:

            Ice.focus.setFocus('form.startSearclClient');alert('Xss');

              Activity

              Descending order - Click to sort in ascending order
              Hide
              Permalink
              Mircea Toma added a comment -

              This issue was already fixed for ICEfaces 1.8 code, see ICE-5181.
              Also the code was later ported to ICEfaces 2.* and 3.*, see ICE-5881.

              Show
              Mircea Toma added a comment - This issue was already fixed for ICEfaces 1.8 code, see ICE-5181. Also the code was later ported to ICEfaces 2.* and 3.*, see ICE-5881 .
              Hide
              Permalink
              Ted Goddard added a comment -

              A similar bug may be present in ICEfaces 3.0, so some investigation is required.

              Show
              Ted Goddard added a comment - A similar bug may be present in ICEfaces 3.0, so some investigation is required.
              Hide
              Permalink
              Ted Goddard added a comment -

              The risk of this in terms of an actual cross-site scripting attack is very small: ice.focus fields are not shared between users, so if the attacker is able to set the ice.focus field, they are likely able to execute arbitrary JavaScript in the page already. It does not seem likely that an attacker could create a clickable URL containing a malicious ice.focus parameter, as the ice.focus is not a session scope attribute, it is only echoed to the view making the request (and with just a URL, the attacker does not have access to the view identifier).

              In any case, the parameter is intended to contain a component ID only, so this should be fixed.

              Show
              Ted Goddard added a comment - The risk of this in terms of an actual cross-site scripting attack is very small: ice.focus fields are not shared between users, so if the attacker is able to set the ice.focus field, they are likely able to execute arbitrary JavaScript in the page already. It does not seem likely that an attacker could create a clickable URL containing a malicious ice.focus parameter, as the ice.focus is not a session scope attribute, it is only echoed to the view making the request (and with just a URL, the attacker does not have access to the view identifier). In any case, the parameter is intended to contain a component ID only, so this should be fixed.

                People

                • Assignee:
                  Mircea Toma
                  Reporter:
                  Ted Goddard
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: