[MGNLUI-3928] Security Problem Sample-App: Allows cross site scripting Created: 30/Jun/16  Updated: 18/Jul/16  Resolved: 15/Jul/16

Status: Closed
Project: Magnolia UI
Component/s: None
Affects Version/s: 5.3.14, 5.4.7
Fix Version/s: 5.3.16, 5.4.8

Type: Bug Priority: Major
Reporter: Christian Ringele Assignee: Antonín Juran
Resolution: Fixed Votes: 0
Labels: support
Remaining Estimate: 0d
Time Spent: 20m
Original Estimate: Not Specified

Issue Links:
causality
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Sprint: Kromeriz 52
Story Points: 1

Description

Try this on calling the sample app:
https://demo.magnolia-cms.com/.magnolia/admincentral#app:sample:editor;%3Cimg%20src=y%20onerror=alert(String.fromCharCode(88,83,83,32,97,116,32)+document.domain)%3E

As the sample-app is not product critical, the workaround is simple:
Exclude it from the webapp's pom.

Excluding it:
Maven-wise, the app is:

<dependency>
  <groupId>info.magnolia.sample</groupId>
  <artifactId>magnolia-sample-app</artifactId>
</dependency>

And is bundled via the ui project:

<dependency>
    <groupId>info.magnolia.ui</groupId>
    <artifactId>magnolia-ui-project</artifactId>
</dependency>

And in the end it is added/bundled into the webapp via the enterprise webapp:

<dependency>
      <!-- Used for the Maven war:overlay -> defines the WAR's structure, the configs, web.xml etc. -->
      <groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId>
      <type>war</type>
</dependency>
<dependency>
      <!-- Using the imported 'dependencyManagement' from the parent pom -->
      <groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId>
      <type>pom</type>
</dependency>

How to get rid of it:

In the project's webapp pom:
To prevent the jar from being bundled any more, exclude the artifact from the webapp using Maven exclusions:

<dependency>
  <!-- Used for the Maven war:overlay -> defines the WAR's structure, the configs, web.xml etc. -->
  <groupId>info.magnolia.eebundle</groupId>
  <artifactId>magnolia-enterprise-webapp</artifactId>
  <type>war</type>
  <exclusions>
    <exclusion>
      <groupId>info.magnolia.sample</groupId>
      <artifactId>magnolia-sample-app</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <!-- Using the imported 'dependencyManagement' from the parent pom -->
  <groupId>info.magnolia.eebundle</groupId>
  <artifactId>magnolia-enterprise-webapp</artifactId>
  <type>pom</type>
  <exclusions>
    <exclusion>
      <groupId>info.magnolia.sample</groupId>
      <artifactId>magnolia-sample-app</artifactId>
    </exclusion>
  </exclusions>
</dependency>

If you have explicitly added the ui project in the webapp's pom, you also need to exclude the sample-app artifact in the UI dependency.

In a live system where it's already installed:
As the module does not impact anything else, its configs can be safely removed.

  • Delete the module configuration in: config:/modules/sample-app
    and delete its registration in the UI: config:/modules/ui-admincentral/config/appLauncherLayout/groups/dev/apps/sample
    Here is the Groovy code you could run as a Groovy script on live instances:
    // open the config workspace, drop the module node and its app-launcher entry, persist
    session = ctx.getJCRSession("config")
    session.getNode("/modules/sample-app").remove()
    session.getNode("/modules/ui-admincentral/config/appLauncherLayout/groups/dev/apps/sample").remove()
    session.save()

  • Shut down the instance and remove the jar from WEB-INF/lib.
    Also ensure that it won't be re-bundled by excluding the jar in the webapp's pom.
  • Start up again.
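The description warns that the exclusion must be present on every dependency that carries the sample app (both enterprise-webapp entries and, if declared explicitly, the ui project). The following check is an added example, not part of the ticket or the Magnolia code base: it parses a webapp pom.xml and reports carrier dependencies that still lack the sample-app exclusion. The carrier coordinates are taken from the ticket; the sample pom is constructed.

```python
import xml.etree.ElementTree as ET

# Artifacts that, per the ticket, transitively pull the sample app into the WAR.
CARRIERS = {
    ("info.magnolia.eebundle", "magnolia-enterprise-webapp"),
    ("info.magnolia.ui", "magnolia-ui-project"),
}
SAMPLE_APP = ("info.magnolia.sample", "magnolia-sample-app")


def _text(el, tag, ns):
    child = el.find(ns + tag)
    return child.text.strip() if child is not None and child.text else None


def missing_exclusions(pom_xml):
    """Return (groupId, artifactId, type) for every direct carrier dependency
    that does not exclude info.magnolia.sample:magnolia-sample-app."""
    root = ET.fromstring(pom_xml)
    # Maven POMs normally declare the POM namespace; handle both cases.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    missing = []
    for dep in root.findall(f"{ns}dependencies/{ns}dependency"):
        coords = (_text(dep, "groupId", ns), _text(dep, "artifactId", ns))
        if coords not in CARRIERS:
            continue
        excluded = {(_text(ex, "groupId", ns), _text(ex, "artifactId", ns))
                    for ex in dep.iter(f"{ns}exclusion")}
        if SAMPLE_APP not in excluded:
            missing.append(coords + (_text(dep, "type", ns) or "jar",))
    return missing


# Constructed webapp pom: the war overlay excludes the sample app, but the pom
# import and an explicitly added ui project do not (the pitfall the ticket notes).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>info.magnolia.eebundle</groupId><artifactId>magnolia-enterprise-webapp</artifactId>
      <type>war</type>
      <exclusions><exclusion>
        <groupId>info.magnolia.sample</groupId><artifactId>magnolia-sample-app</artifactId>
      </exclusion></exclusions>
    </dependency>
    <dependency>
      <groupId>info.magnolia.eebundle</groupId><artifactId>magnolia-enterprise-webapp</artifactId>
      <type>pom</type>
    </dependency>
    <dependency>
      <groupId>info.magnolia.ui</groupId><artifactId>magnolia-ui-project</artifactId>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for gid, aid, typ in missing_exclusions(SAMPLE_POM):
        print(f"missing sample-app exclusion: {gid}:{aid}:{typ}")
```

Run it against the real pom (`missing_exclusions(open("pom.xml").read())`) before building; an empty list means every carrier excludes the sample app.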


Comments
Comment by Christian Ringele [ 30/Jun/16 ]

Support criteria ranking:
5 + 5 + 5 + 5 + 4 + 5 = 29

Generated at Mon Feb 12 09:11:32 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.