Friday, 26 April 2019

XSS everywhere

Summary: The "Chat Room" portlet demo that ships with the Apache Pluto Tomcat bundle contains a persistent Cross-Site Scripting (XSS) vulnerability. If an attacker enters raw HTML markup into the "Name" or "Message" input field and submits the form, that markup is embedded, unescaped, in the web page rendered afterwards.

Versions Affected:
Apache Pluto 3.0.0, 3.0.1

Example:
- Start the Apache Pluto Tomcat bundle
- Visit http://localhost:8080/pluto/portal/Chat%20Room%20Demo
- In the name field, enter:
     <input type="text" value="Name field XSS"></input>
- Click Submit
- In the message field, enter:
     <input type="text" value="Message field XSS"></input>
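
The unsafe and patched rendering paths side by side, as an added example that is not Pluto's code: `ChatRenderDemo`, `renderUnsafe`, `renderSafe` and the hand-written `escapeHtml` are assumptions standing in for `ChatHistory` and `StringEscapeUtils.escapeHtml4`.

```java
import java.util.Arrays;
import java.util.List;

// Added example (not Pluto's code): the render pattern behind this issue, in its
// vulnerable form and in the output-encoded form the patch adopts.
public class ChatRenderDemo {
    // Vulnerable shape of ChatHistory: stored chat text is copied into the page verbatim,
    // so markup typed into the message field becomes live markup for every reader.
    static String renderUnsafe(List<String> messages) {
        StringBuilder txt = new StringBuilder(128);
        for (String msg : messages) {
            txt.append("<p>").append(msg).append("</p>\n");
        }
        return txt.toString();
    }

    // Patched shape: encode for the HTML element-content context at output time,
    // which also covers messages that were stored before the fix.
    static String renderSafe(List<String> messages) {
        StringBuilder txt = new StringBuilder(128);
        for (String msg : messages) {
            txt.append("<p>").append(escapeHtml(msg)).append("</p>\n");
        }
        return txt.toString();
    }

    // Dependency-free stand-in for StringEscapeUtils.escapeHtml4 (assumption: real code
    // keeps the library). Unlike escapeHtml4 it also encodes the apostrophe, so the
    // output is safe in single-quoted as well as double-quoted attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a normal line plus the markup from the reproduction steps above.
        List<String> stored = Arrays.asList("hi all",
                "<input type=\"text\" value=\"Message field XSS\"></input>");
        System.out.println("unsafe:\n" + renderUnsafe(stored)); // tag survives intact
        System.out.println("safe:\n" + renderSafe(stored));     // tag rendered as text
    }
}
```
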
Patch:
diff --git demo/chat-room-demo-portlet/pom.xml demo/chat-room-demo-portlet/pom.xml
index e37d88ddb..1e4b2e4dd 100644
--- demo/chat-room-demo-portlet/pom.xml
+++ demo/chat-room-demo-portlet/pom.xml
@@ -43,6 +43,10 @@
    <version>6.0</version>
    <scope>provided</scope>
   </dependency>
+  <dependency>
+   <groupId>org.apache.commons</groupId>
+   <artifactId>commons-lang3</artifactId>
+  </dependency>
   <!-- for eclipse JSP tooling purposes -->
   <dependency>
    <groupId>javax.servlet.jsp</groupId>
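Review bot: the new commons-lang3 `<dependency>` block declares no `<version>`, while the neighbouring dependency in the same hunk declares `<version>6.0</version>`. This only builds if a parent or imported `<dependencyManagement>` section pins commons-lang3; otherwise Maven rejects the POM. Confirm the managed version exists or add `<version>` here. Leaving out `<scope>` is correct, since the library must ship inside the war rather than be `provided` by the container.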
diff --git demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/ChatHistory.java demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/ChatHistory.java
index df82f6a4a..b9f61cf02 100644
--- demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/ChatHistory.java
+++ demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/ChatHistory.java
@@ -18,6 +18,8 @@
 
 package org.apache.portals.pluto.demo.chat;
 
+import org.apache.commons.lang3.StringEscapeUtils;
+
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -66,7 +68,7 @@ public class ChatHistory {
       StringBuilder txt = new StringBuilder(128);
       synchronized (messages) {
          for (String msg : messages) {
-            txt.append("<p>").append(msg).append("</p>\n");
+            txt.append("<p>").append(StringEscapeUtils.escapeHtml4(msg)).append("</p>\n");
          }
       }
       return txt.toString();
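Review bot: `StringEscapeUtils.escapeHtml4(msg)` is the right encoding for the `<p>` element-content context this line writes into, and encoding at output rather than on input means messages already stored before the fix are covered too. Note that escapeHtml4 does not encode the apostrophe, so this call should not be reused where `msg` lands in a single-quoted attribute or inside a script block; any other code path that emits `messages` needs the same treatment.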
diff --git demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/HelloWorldRender.java demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/HelloWorldRender.java
index 50ac6befd..6eaa6236b 100644
--- demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/HelloWorldRender.java
+++ demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/HelloWorldRender.java
@@ -19,6 +19,8 @@
 
 package org.apache.portals.pluto.demo.chat;
 
+import org.apache.commons.lang3.StringEscapeUtils;
+
 import javax.inject.Inject;
 import javax.portlet.annotations.RenderMethod;
 
@@ -48,7 +50,7 @@ public class HelloWorldRender {
       txt.append("<h3>Hello \n");
       // Get the name from the bean. If it hasn't been set, just greet the world.
       if (nameBean.getName() != null) {
-         txt.append(nameBean.getName());
+         txt.append(StringEscapeUtils.escapeHtml4(nameBean.getName()));
       } else {
          txt.append("World\n");
       }
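Review bot: the escape on `nameBean.getName()` covers the only user-controlled value in this hunk, and the value is written inside the `<h3>` opened by `txt.append("<h3>Hello \n")`, so escapeHtml4 matches the context. The identical `StringEscapeUtils.escapeHtml4(...)` call now appears in two classes; a small shared helper would keep them from drifting if one is later changed to a different escaper.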

Mitigation:
* Uninstall the ChatRoomDemo war file
- or -
* Migrate to version 3.1.0 of the chat-room-demo war file

Later, CVE-2019-0186 was assigned to this issue; the advisory from Apache Pluto is at [1] [2].