Spring Roo / ROO-3347

XSS on CookieLocaleResolver


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.2.3.RELEASE
    • Fix Version/s: None
    • Component/s: WEB MVC
    • Environment: Weblogic server

      Description

      In my current work, I have discovered many web applications using the CookieLocaleResolver and, as a consequence, vulnerable to reflected cross-site scripting attacks.

      It occurs because the user-controllable GET request parameter language is not properly validated. As a result, it is possible to inject arbitrary JavaScript into the application's response.

      I'm not sure if it is a Spring MVC flaw and the exact affected release.

      *EDIT*: It concerns Spring Web MVC and NOT Spring ROO, but I cannot find the related component.

      Find below a real-world HTTP request and response extracted from an internal web application:

      HTTP request
      GET /*CENSORED*/test/frontoffice/welcome.do?locale=en"><script>alert(1)</script>7767e2a3bc6 HTTP/1.1
      Host: *CENSORED*:1031
      Cookie: JSESSIONID=Rv62Q9JS8CPDD1LqNMV1M77RzFBN9GVMNJBfd1WKSHgFNNDLyzS7!115391691; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en
      Connection: keep-alive
      
      HTTP response snippet
      HTTP/1.1 200 OK
      Date: Mon, 21 Jan 2013 09:24:56 GMT
      Content-Type: text/html;charset=UTF-8
      Set-Cookie: org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE= en"><script>alert(1)</script>7767e2a3bc6; expires=Sat, 08-Feb-2081 12:39:06 GMT; path=/
      Content-Language: en"><script>alert(1)</script>7767e2a3bc6
      X-Powered-By: Servlet/2.5 JSP/2.1
      (...)
      <script type="text/javascript" src="/*CENSORED*/test/frontoffice/scripts/ergonomics/jsCalendar/lang/calendar-en"><script>alert(1)</script>7767e2a3bc6.js"></script>
      

      Please find enclosed a Maven project including a JUnit test with spring-webmvc and spring-test 3.2.0.RELEASE.

      Best regards

      Omar EL MANDOUR
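One way an application can close the hole described in the report, as an added example that is neither part of this issue nor Spring's own code: a drop-in replacement for LocaleChangeInterceptor that only hands a locale to the LocaleResolver (and thus to the CookieLocaleResolver cookie and the Content-Language header) when the raw parameter value exactly matches a fixed allow-list. It assumes the Spring 3.2 / Servlet 2.5 APIs seen in the captured response, and the set of supported locale tags in SUPPORTED is constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.LocaleResolver;
import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
import org.springframework.web.servlet.support.RequestContextUtils;

/**
 * Only forwards the request's locale parameter to the LocaleResolver when the
 * raw value is on a fixed allow-list. A value such as
 * en"><script>alert(1)</script>7767e2a3bc6 never reaches the resolver, so it
 * is not written into the LOCALE cookie, the Content-Language header or any
 * template that renders the current locale; the previous locale is kept.
 */
public class AllowListLocaleChangeInterceptor extends LocaleChangeInterceptor {

    // Assumption (constructed): the application ships exactly these locale tags.
    private static final Set<String> SUPPORTED =
            new HashSet<String>(Arrays.asList("en", "fr", "de", "en_GB"));

    /** Returns the Locale for a raw parameter value, or null if it is not allowed. */
    static Locale toAllowedLocale(String raw) {
        // Exact string match against the allow-list: untrusted text is never parsed.
        if (raw == null || !SUPPORTED.contains(raw)) {
            return null;
        }
        String[] parts = raw.split("_");
        return parts.length == 2 ? new Locale(parts[0], parts[1]) : new Locale(parts[0]);
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws ServletException {
        // getParamName() is "locale" by default, matching the request in the report.
        Locale locale = toAllowedLocale(request.getParameter(getParamName()));
        if (locale != null) {
            LocaleResolver resolver = RequestContextUtils.getLocaleResolver(request);
            if (resolver == null) {
                throw new IllegalStateException("No LocaleResolver: not a DispatcherServlet request?");
            }
            resolver.setLocale(request, response, locale);
        }
        // A rejected value is dropped, not echoed; log it here if you want to see probing attempts.
        return true;
    }
}
```

Register this class wherever the application currently registers LocaleChangeInterceptor (for example inside `<mvc:interceptors>`); the CookieLocaleResolver bean itself stays unchanged.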

            People

            Assignee:
            Unassigned
            Reporter:
            ramo omar elmandour