XSS weakness

Description

ReverseAjax.dwr is vulnerable to XSS. This vulnerability lies in printing the parameter "partialResponse" without any HTML filters.

http://foo.com/APP/dwr/call/plainpoll/ReverseAjax.dwr?batchId=1&scriptSessionId=a&page=/&partialResponse=<html><head><script type="text/javascript">alert("xss")</script></head></html>

Ignacio Garrido
Information Security Consultant
Bonsai Information Security
http://www.bonsai-sec.com/
(+54-11) 4777-3107
Gorostiaga 2355 Of. 606, Belgrano, Ciudad Autonoma de Buenos Aires, Argentina
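
A log-triage sketch for the request shape in the report above, added here as an example; it is not part of the original ticket or of DWR's code. The combined access-log layout, the helper names and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path suffix and parameter name taken from the report above.
POLL_PATH = "/dwr/call/plainpoll/ReverseAjax.dwr"
PARAM = "partialResponse"
# Characters that matter only if the value is echoed into HTML unencoded.
MARKUP = re.compile(r"[<>\"']")
# Assumed layout: common/combined log format with a quoted request line.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded in depth."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_poll_requests(log_lines):
    """Return (line_number, decoded_value) for poll requests carrying markup."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(POLL_PATH):
            continue
        # parse_qs removes one layer of encoding; fully_decode removes the rest.
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            if MARKUP.search(value):
                hits.append((number, value))
    return hits

# Constructed sample lines, not taken from any real server.
BASE = '192.0.2.10 - - [18/Feb/2012:13:00:0%d +0000] "GET %s HTTP/1.1" 200 120'
POLL = "/APP/dwr/call/plainpoll/ReverseAjax.dwr?batchId=1&scriptSessionId=a&page=/"
SAMPLE_LOG = [
    BASE % (1, POLL + "&partialResponse=0"),
    BASE % (2, POLL + "&partialResponse=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    BASE % (3, POLL + "&partialResponse=%253Cb%253E"),
    BASE % (4, "/APP/search?q=%3Cb%3E"),
]

if __name__ == "__main__":
    for number, value in suspicious_poll_requests(SAMPLE_LOG):
        print(f"line {number}: {PARAM}={value!r}")
```

Access logs record only the query string, so the same parameter sent in a POST body will not show up here and needs request-body logging or a filter in front of the application.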

Activity

David Marginian
February 18, 2012, 1:54 PM

You need to provide us with more details of your test, such as what version of DWR you are using. If you are using anything other than 2.0.10 or 3.0 RC2, then you should re-run your tests. Also, if you could send us the DWR configuration (web.xml).

David Marginian
February 19, 2012, 11:54 AM

This issue does not exist in 3.x or the latest 2.0.10 release. My guess is that it was resolved per but I am still investigating.

David Marginian
February 19, 2012, 1:23 PM

I verified that this vulnerability exists in 2.0.4.

I also verified that this vulnerability does not exist in 2.0.5.

David Marginian
February 20, 2012, 5:30 AM

Need to test a few more things, such as if an Exception converter is defined can the script get through to the client.

David Marginian
February 20, 2012, 3:22 PM

I completed the tests and found no issues. Closing.

Assignee

David Marginian

Reporter

Ignacio Garrido

Labels

None

Documentation Required

No

Components

Fix versions

Affects versions

Priority

Critical