Comments (3)
@daiagou Thank you for reporting this! It would be great if you could be a bit more specific. What admin page are you sending the request header to? What pages does this happen on? What plugin are you talking about? Can you send a curl command that will replicate this?
In the future, send a security issue to [email protected] following the security policy
I'm not able to reproduce this. I tried this curl command using as-is moqui-framework run with java -jar moqui.war (using embedded Jetty):
curl -H "X-Forwarded-Host: 1\" onerror=\"alert('Madison admin XSS Test')\">" http://localhost:8080/Login
The result is an exception from Jetty:
java.lang.IllegalArgumentException: Bad Authority
caused by: org.eclipse.jetty.http.BadMessageException: 400: Bad header value for X-Forwarded-Host
In your message to the board mailing list you mentioned deploying as a WAR file in Tomcat, perhaps Tomcat does not validate header values like this?
What is more odd is that nothing in OOTB moqui-framework or moqui-runtime would display this header value, there is no instance of the header name X-Forwarded-Host anywhere in the code, and nothing that includes header values in generated output.
In short, I'm not able to reproduce this with OOTB Moqui.
I did notice that the HTML returned by the server was generated by Jetty. If Tomcat is generating the HTML output that includes the header value, resulting in the dialog popping up, then it may be an issue with Tomcat that we couldn't do anything about with Moqui... except to recommend against using whichever version of Tomcat you are using.
If you are using an older version of Tomcat I'd highly recommend updating, and for a Servlet container like Tomcat or Jetty it is very important to update frequently because they are the first point of contact for web traffic and so highly sensitive to security vulnerabilities.
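The comment above turns on two separate defences: the container rejecting a malformed X-Forwarded-Host value outright (what Jetty did here), and the application never interpolating a header value into HTML unescaped. The following is an added, self-contained example, not code from Moqui, Jetty or Tomcat, that models both. It uses the exact payload from the curl command in the thread (copied into a constant, not captured traffic), a syntax check that accepts only host[:port], an allowlist and HTML-escaping on the render side, and a small detection helper that flags a response body in which the marker survives verbatim. The allowlist entries and the fallback host are assumptions for illustration.

```python
import html
import re

# Header value from the curl command posted in the thread (constructed copy).
PAYLOAD = "1\" onerror=\"alert('Madison admin XSS Test')\">"

# host[:port] only: RFC 3986 reg-name / IPv4 dotted form, or a bracketed IPv6 literal.
_HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::\d{1,5})?$"
)


def is_valid_forwarded_host(value: str) -> bool:
    """Return True only for a syntactically valid host[:port]; anything else is a bad header value.

    Quotes, spaces and angle brackets (as in PAYLOAD) never pass, which is the
    behaviour the thread reports for Jetty's "Bad header value" rejection.
    """
    if not value or len(value) > 255:
        return False
    if not _HOST_RE.match(value):
        return False
    # A port is present when the value has a ':' that is not inside an IPv6 bracket.
    if ":" in value and not value.endswith("]"):
        port = int(value.rsplit(":", 1)[1])
        return 1 <= port <= 65535
    return True


def render_vulnerable(forwarded_host: str) -> str:
    """Reflects the raw header into an HTML attribute: the pattern that yields the pop-up."""
    return f'<img src="https://{forwarded_host}/logo.png">'


def render_hardened(forwarded_host: str, allowed_hosts: set[str],
                    fallback: str = "localhost:8080") -> str:
    """Validate syntax, require the host to be on an allowlist, then escape before interpolating.

    allowed_hosts and fallback are illustrative assumptions, not Moqui settings.
    """
    if is_valid_forwarded_host(forwarded_host) and forwarded_host.lower() in allowed_hosts:
        host = forwarded_host
    else:
        host = fallback
    return f'<img src="https://{html.escape(host, quote=True)}/logo.png">'


def reflects_unescaped(body: str, payload: str) -> bool:
    """Detection check for a test harness: does the marker appear verbatim in the response body?"""
    return payload in body


if __name__ == "__main__":
    allow = {"moqui.example"}
    print("valid header value? ", is_valid_forwarded_host(PAYLOAD))
    print("vulnerable reflects?", reflects_unescaped(render_vulnerable(PAYLOAD), PAYLOAD))
    print("hardened reflects?  ", reflects_unescaped(render_hardened(PAYLOAD, allow), PAYLOAD))
```

To turn this into the reproduction the maintainer asked for, send the same header with curl against each deployment (embedded Jetty versus the WAR in Tomcat) and run the response body through `reflects_unescaped` with the same marker; a 400 from the container or an escaped marker in the body both mean the reflection is not reachable there.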
We used to deploy the war package to Tomcat using the "gradle addRuntime" method, which caused the XSS pop-up. However, according to your statement, we tried Jetty and it was true that no pop-ups occurred.
Thank you so much.