ReverseAjax.dwr is vulnerable to XSS. This vulnerability lies in printing the parameter "partialResponse" without any HTML filters.
http://foo.com/APP/dwr/call/plainpoll/ReverseAjax.dwr?batchId=1&scriptSessionId=a&page=/&partialResponse=<html><head><script type="text/javascript">alert("xss")</script></head></html>
Ignacio Garrido
Information Security Consultant
Bonsai Information Security
http://www.bonsai-sec.com/
(+54-11) 4777-3107
Gorostiaga 2355 Of. 606, Belgrano, Ciudad Autonoma de Buenos Aires, Argentina
You need to provide us with more details of your test, such as what version of DWR you are using. If you are using anything other than 2.0.10 or 3.0 RC2, then you should re-run your tests. Also, if you could send us the DWR configuration (web.xml).
This issue does not exist in 3.x or the latest 2.0.10 release. My guess is that it was resolved per but I am still investigating.
I verified that this vulnerability exists in 2.0.4.
I also verified that this vulnerability does not exist in 2.0.5.
Need to test a few more things, such as if an Exception converter is defined can the script get through to the client.
I completed the tests and found no issues. Closing.
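For deployments still running an affected release (the thread confirms 2.0.4 is affected and 2.0.5 is not), the following added example, which is not part of the original report or of DWR, triages web access logs for requests to the reported endpoint whose "partialResponse" value decodes to markup. The combined log format, the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the report.
ENDPOINT = re.compile(r"/dwr/call/plainpoll/ReverseAjax\.dwr$", re.I)
PARAM = "partialResponse"
# Characters that let a reflected value break out into markup.
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (%253C -> %3C -> <), bounded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_partial_response(url):
    """Return the decoded partialResponse value if it carries markup, else None."""
    parts = urlsplit(url)
    if not ENDPOINT.search(parts.path):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)
        if MARKUP.search(value):
            return value
    return None

def scan(log_lines):
    """Yield (line_number, decoded_value) for each flagged access-log line."""
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if m and (hit := suspicious_partial_response(m.group(1))) is not None:
            yield n, hit

# Constructed sample lines in combined log format (not from the report).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /APP/dwr/call/plainpoll/ReverseAjax.dwr?batchId=1&scriptSessionId=a&page=/&partialResponse=0 HTTP/1.1" 200 120',
    '192.0.2.11 - - [01/Jan/2010:10:00:05 +0000] "GET /APP/dwr/call/plainpoll/ReverseAjax.dwr?batchId=1&scriptSessionId=a&page=/&partialResponse=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 180',
    '192.0.2.12 - - [01/Jan/2010:10:00:09 +0000] "GET /APP/dwr/call/plainpoll/ReverseAjax.dwr?batchId=1&partialResponse=%253Cb%253E HTTP/1.1" 200 90',
    '192.0.2.13 - - [01/Jan/2010:10:00:12 +0000] "GET /APP/index.jsp?partialResponse=%3Cb%3E HTTP/1.1" 200 500',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: partialResponse={value!r}")
```

A hit only shows that markup was sent to the endpoint; whether it was reflected depends on the DWR version serving the request.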