Details
-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
None
-
None
Description
After having been run on JBoss Admin Console source code, Jtest's BugDetective feature reported a lot of places (29 speaking precisely) that make the console vulnerable to XSS attacks.
There are quite a few places where some data being obtained from servlet request are then published to a web-page without any prior validation. Such approach makes it possible for the malicious user to perform an XSS attack.
I realize that the admin console itself represents an area with the restricted access, but I can also envision a situation when the UI of the administrative module does not allow any harmful action to be performed, but it is possible to use a kind of specific http-client to construct dangerous requests. So from technical point of view any data coming from client should be validated before their further use even in restricted areas.
Below goes an example from the code:
file: console/src/resources/weconsole.war/TopicSubscriptions.jsp
At the line #86 variable 'myUrl' is being published without any prior validation. But the validation is necessary since at line #10 this variable gets tainted by its concatenation with the 'objParameter' variable which is considered tainted since its value is in fact a result of request.getParameter("ObjectName") method call.
The screenshot provided by BugDetective is attached.
Please let me know if you think this represents a real problem or BugDetective is mistaken.
Thank you!