XSS risk about moqui-framework (closed)

daiagou commented on June 15, 2024

XSS risk

from moqui-framework.

Comments (3)

acetousk commented on June 15, 2024

@daiagou Thank you for reporting this! It would be great if you could be a bit more specific. What admin page are you sending the request header to? What pages does this happen on? What plugin are you talking about? Can you send a curl command that will replicate this?

In the future, send a security issue to [email protected] following the security policy.

jonesde commented on June 15, 2024

I'm not able to reproduce this. I tried this curl command using as-is moqui-framework run with java -jar moqui.war (using embedded Jetty):

    curl -H "X-Forwarded-Host: 1\" onerror=\"alert('Madison admin XSS Test')\">" http://localhost:8080/Login

The result is an exception from Jetty:

    java.lang.IllegalArgumentException: Bad Authority
    caused by: org.eclipse.jetty.http.BadMessageException: 400: Bad header value for X-Forwarded-Host

In your message to the board mailing list you mentioned deploying as a WAR file in Tomcat, perhaps Tomcat does not validate header values like this?

What is more odd is that nothing in OOTB moqui-framework or moqui-runtime would display this header value: there is no instance of the header name X-Forwarded-Host anywhere in the code, and nothing that includes header values in generated output.

In short, I'm not able to reproduce this with OOTB Moqui.

I did notice that the HTML returned by the server was generated by Jetty. If Tomcat is generating the HTML output that includes the header value, resulting in the dialog popping up, then it may be an issue with Tomcat that we couldn't do anything about with Moqui... except to recommend against using whichever version of Tomcat you are using.

If you are using an older version of Tomcat I'd highly recommend updating, and for something like a Servlet Container like Tomcat or Jetty it is very important to update frequently because they are the first point of contact for web traffic and so highly sensitive to security vulnerabilities.

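The Jetty rejection above comes from treating X-Forwarded-Host as an authority (host[:port]) rather than as free text. As an added example, not code from Moqui or from this thread, the following Python shows a strict authority check of that kind plus an allow-list, the defensive layer a deployment would want in front of any container that passes the raw header through; the allowed host names and the default are constructed placeholders.

```python
import ipaddress
import re

# RFC 1123 style host name: dot-separated labels of letters, digits and hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_authority(value):
    """Parse 'host[:port]' strictly; return (host, port_or_None) or raise ValueError."""
    if not value or value != value.strip():
        raise ValueError("empty or padded authority")
    if value.startswith("["):                      # IPv6 literal such as [::1]:8080
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host = value[1:end]
        ipaddress.IPv6Address(host)                # raises ValueError if not an address
        rest = value[end + 1:]
        if rest == "":
            port_str = None
        elif rest.startswith(":"):
            port_str = rest[1:]
        else:
            raise ValueError("junk after IPv6 literal")
    else:
        host, sep, port_str = value.partition(":")
        if not _HOSTNAME.match(host):              # quotes, spaces, '<' etc. fail here
            raise ValueError("bad host")
        port_str = port_str if sep else None
    port = None
    if port_str is not None:
        if not (port_str.isascii() and port_str.isdigit()) or not 0 < int(port_str) <= 65535:
            raise ValueError("bad port")
        port = int(port_str)
    return host.lower(), port


def is_valid_authority(value):
    try:
        parse_authority(value)
        return True
    except ValueError:
        return False


def forwarded_host_or_default(header_value, allowed_hosts, default):
    """Honour X-Forwarded-Host only if it parses and its host is on the allow-list."""
    try:
        host, port = parse_authority(header_value)
    except ValueError:
        return default
    if host not in allowed_hosts:
        return default
    return host if port is None else f"{host}:{port}"
```

The value sent by the curl command in this thread fails `parse_authority` before it can reach any template or error page, which is the behaviour the Jetty 400 response shows.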

daiagou commented on June 15, 2024

We used to deploy the war package to Tomcat using the "gradle addRuntime" method, which caused XSS to pop up. However, according to your statement, we tried Jetty and it was true that no pop-ups occurred.
Thank you so much.
