Summary: The "Chat Room" portlet demo that ships with the Apache Pluto Tomcat bundle contains a persistent Cross-Site Scripting (XSS) vulnerability. Specifically, if an attacker can input raw HTML markup into the "Name" or "Message" input fields and submits the form, then the inputted HTML markup will be embedded in the subsequent web page.
Versions Affected:
Apache pluto 3.0.0, 3.0.1
Example:
* Uninstall the ChatRoomDemo war file
- or -
* migrate to version 3.1.0 of the chat-room-demo war file
Later CVE-2019-0186 was assigned to this issue and here is the advisory from apache pluto [1] [2].
Versions Affected:
Apache pluto 3.0.0, 3.0.1
Example:
- Start the Apache Pluto Tomcat bundle
- Visit http://localhost:8080/pluto/portal/Chat%20Room%20Demo
- In the name field, enter:
<input type="text" value="Name field XSS></input>
- Click Submit
- In the message field, enter:
<input type="text" value="Message field XSS></input>
Patch:diff --git demo/chat-room-demo-portlet/pom.xml demo/chat-room-demo-portlet/pom.xml
index e37d88ddb..1e4b2e4dd 100644
--- demo/chat-room-demo-portlet/pom.xml
+++ demo/chat-room-demo-portlet/pom.xml
@@ -43,6 +43,10 @@
<version>6.0</version>
<scope>provided</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-lang3</artifactId>
+ </dependency>
<!-- for eclipse JSP tooling purposes -->
<dependency>
<groupId>javax.servlet.jsp</groupId>
diff --git demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/ChatHistory.java demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/ChatHistory.java
index df82f6a4a..b9f61cf02 100644
--- demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/ChatHistory.java
+++ demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/ChatHistory.java
@@ -18,6 +18,8 @@
package org.apache.portals.pluto.demo.chat;
+import org.apache.commons.lang3.StringEscapeUtils;
+
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -66,7 +68,7 @@ public class ChatHistory {
StringBuilder txt = new StringBuilder(128);
synchronized (messages) {
for (String msg : messages) {
- txt.append("<p>").append(msg).append("</p>\n");
+ txt.append("<p>").append(StringEscapeUtils.escapeHtml4(msg)).append("</p>\n");
}
}
return txt.toString();
diff --git demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/HelloWorldRender.java demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/HelloWorldRender.java
index 50ac6befd..6eaa6236b 100644
--- demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/HelloWorldRender.java
+++ demo/chat-room-demo-portlet/src/main/java/org/apache/portals/pluto/demo/chat/HelloWorldRender.java
@@ -19,6 +19,8 @@
package org.apache.portals.pluto.demo.chat;
+import org.apache.commons.lang3.StringEscapeUtils;
+
import javax.inject.Inject;
import javax.portlet.annotations.RenderMethod;
@@ -48,7 +50,7 @@ public class HelloWorldRender {
txt.append("<h3>Hello \n");
// Get the name from the bean. If it hasn't been set, just greet the world.
if (nameBean.getName() != null) {
- txt.append(nameBean.getName());
+ txt.append(StringEscapeUtils.escapeHtml4(nameBean.getName()));
} else {
txt.append("World\n");
}
Mitigation:* Uninstall the ChatRoomDemo war file
- or -
* migrate to version 3.1.0 of the chat-room-demo war file
Later CVE-2019-0186 was assigned to this issue and here is the advisory from apache pluto [1] [2].