[MAGNOLIA-590] Cross Site Scripting Vulnerability (XSS) in Search template Created: 01/Nov/05  Updated: 30/Nov/12  Resolved: 08/Mar/06

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0 Beta 1

Type: Bug Priority: Critical
Reporter: Oliver Lietz Assignee: Fabrizio Giustina
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File search.patch
Issue Links:
relation
is related to MGNLSD-175 Cross Site Scripting Vulnerability (X... Closed
is related to MAGNOLIA-2111 Cross Site Scripting Vulnerability (X... Closed

Description

file: webapp/templates/jsp/samples/search.jsp

User input/output is not escaped; an attacker could inject (script) code into the page and steal cookie/login information.

magnolia.info is also affected:
http://www.magnolia.info/en/search.html?query=<script>alert("XSS");</script>

This is a very simple XSS vulnerability test.
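As an added illustration (not code from the Magnolia project), the plain-Java program below mirrors the before/after of the search.jsp fix outside a JSP container: the vulnerable rendering writes the `query` parameter raw into an attribute value and into an `<h2>`, the fixed rendering routes it through an `escapeXml` that reproduces the character mapping of JSTL's `fn:escapeXml`. The class and method names are assumptions; the probe string is the one quoted in the description above, the second input is a constructed ordinary query containing quotes.

```java
import java.util.Arrays;
import java.util.List;

// Added example (not Magnolia's code): reproduces the output-encoding fix from the
// search.jsp patch in plain Java so the before/after can be run without a JSP container.
public class SearchTemplateEscaping {

    // Mirrors what JSTL's fn:escapeXml does: the five characters that change meaning
    // in HTML text or attribute context become entity references; null becomes "".
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Markup as search.jsp emitted it before the patch: the request parameter lands
    // unchanged inside an attribute value and inside <h2>. Left vulnerable on purpose.
    public static String renderBeforePatch(String query) {
        return markup(query);
    }

    // Markup after the patch: both reflections go through escapeXml, the same way the
    // patch replaces ${param.query} with ${fn:escapeXml(param.query)} at both places.
    public static String renderAfterPatch(String query) {
        return markup(escapeXml(query));
    }

    // The two reflection points of the template; the query passed to the search
    // engine itself is not HTML output and is therefore not part of this markup.
    private static String markup(String reflected) {
        return "<form name=\"mgnlsearch\" action=\"\"><input id=\"query\" name=\"query\"\n"
             + "  value=\"" + reflected + "\" /> <input type=\"submit\" name=\"search\"\n"
             + "  value=\"search\" /></form>\n"
             + "<h1>Search results for:</h1>\n"
             + "<h2>" + reflected + "</h2>\n";
    }

    // Regression check for a template: true when the query string appears verbatim in
    // the page, i.e. it was written without encoding. Meaningful for inputs that carry
    // at least one HTML metacharacter, which is what a reflected-XSS probe always does.
    public static boolean reflectsUnencoded(String html, String query) {
        return html.contains(query);
    }

    public static void main(String[] args) {
        // Constructed inputs: the probe from the issue description, plus an ordinary
        // query with quotes to show the fix does not mangle legitimate searches.
        List<String> inputs = Arrays.asList("<script>alert(\"XSS\");</script>", "say \"hello\"");
        for (String q : inputs) {
            System.out.println("query: " + q);
            System.out.println("--- before patch (reflected raw: "
                + reflectsUnencoded(renderBeforePatch(q), q) + ") ---");
            System.out.print(renderBeforePatch(q));
            System.out.println("--- after patch (reflected raw: "
                + reflectsUnencoded(renderAfterPatch(q), q) + ") ---");
            System.out.print(renderAfterPatch(q));
            System.out.println();
        }
    }
}
```

Compile and run with `javac SearchTemplateEscaping.java && java SearchTemplateEscaping`. The point the program makes is where the fix belongs: encoding is applied at each point where the parameter is written into HTML, in the context it is written into (an attribute value and element text, both covered because `"` and `'` are encoded as well as `<`, `>` and `&`), while the raw value continues to go to the search engine, where HTML encoding would be wrong.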



Comments
Comment by Oliver Lietz [ 01/Nov/05 ]

— search.jsp-822 Tue Nov 1 10:06:47 2005
+++ search.jsp Tue Nov 1 10:07:30 2005
@@ -2,7 +2,8 @@
xmlns:cms="urn:jsptld:cms-taglib"
xmlns:cmsu="urn:jsptld:cms-util-taglib"
xmlns:c="urn:jsptld:http://java.sun.com/jsp/jstl/core"

<jsp:text>
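Review bot: the header `@@ -2,7 +2,8 @@` announces one added line, but no `+` line survives in the hunk as pasted, so the declaration for the `fn` prefix (the JSTL functions taglib, declared next to `xmlns:c` in the same style) cannot be checked here; the second hunk calls `fn:escapeXml`, which will not translate unless that namespace is declared, so please confirm the committed patch carries it.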
@@ -19,13 +20,13 @@
<c:import url="/templates/jsp/samples/global/columnMain.jsp" />

<form name="mgnlsearch" action=""><input id="query" name="query"

  • value="${param.query}" /> <input type="submit" name="search"
    + value="${fn:escapeXml(param.query)}" /> <input type="submit" name="search"
    value="search" /></form>

<c:if test="${!empty(param.query)}">
<h1>Search results for:</h1>

  • <h2>${param.query}</h2>
    + <h2>${fn:escapeXml(param.query)}</h2>

<cmsu:simpleSearch query="${param.query}" var="results" />
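Review bot: both reflections into HTML are now encoded, and because `fn:escapeXml` also replaces `"` and `'` the `value="…"` attribute context is covered as well as the `<h2>` text. Leaving `${param.query}` raw in `<cmsu:simpleSearch query="…">` is correct, since that value goes to the search engine rather than to the page; the hunk ends before the code that renders `results`, so whatever loops over them must apply the same `fn:escapeXml` to any field that echoes the query or indexed content, otherwise the same bug reappears a few lines further down.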

Comment by Fabrizio Giustina [ 08/Mar/06 ]

Fixed in trunk (3.0) and in the 2.x branch (2.1.6).

Comment by Greg Knaddison [ 30/Nov/12 ]

Is this the appropriate way to post a security issue in the Magnolia CMS or do you keep them confidential? (I believe I have found a new XSS issue).

Generated at Mon Feb 12 03:18:56 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.