Uploaded image for project: 'Causeway'
  1. Causeway
  2. CAUSEWAY-2373

Upload attachment: Preview vulnerable to XSS for html-attachments

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.17.0
    • 2.4.0, 3.4.0
    • Viewer Wicket
    • None

    Description

      First of all: I am not sure if the topic is placed here correctly as it might only affect the wicket-Dependency that isis is using. But: As the current wicket-version (7.9.0) that is used by isis is vulnerable to it, I should be relevant to you.

       

      I created the following HTML-document named xss_box.html:

      <html>
      <script language="JavaScript"> 
          window.alert("Sometext");
      </script>
      <head>
          <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
      </head>
      <body>...</body>
      </html>
      

      When selecting this document for an upload, usually a preview of the content will be shown. In this case the client uploading the file executes the javascript code and gets a modified preview content, as you can see in my attached images.

       

      I do not know if later wicket-versions (currently the newest version is 7.16.0) are protected against this threat.

       

      Attachments

        1. isis-xss-2.png
          14 kB
          Stefan Wegener
        2. isis-xss-1.png
          39 kB
          Stefan Wegener
        3. causeway-2373-exploit.html
          0.2 kB
          Daniel Keir Haywood

        Activity

          People

            Unassigned Unassigned
            stefanwegener Stefan Wegener
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: