Java Vulnerabilities « SpotTheVuln.com

Beer –XSS

Details

Affected Software:OpenFire

Fixed in Version:3.7.0b

Issue Type:XSS

Original Code: Found Here

Description

This week’s bug was an XSS vulnerability caused by the improper escaping of an HTML attribute. It’s obvious that the developers attempted to protect their software from XSS vulnerabilities. They even wrote their own XSS sanitizing method (escapeHTMLTags). The escapeHTMLTags() method is simple,strip out <and >characters and return the string. Unfortunately,this simple pattern isn’t sufficient in defending against all XSS vulnerabilities. There is a bit of tracing that is required to understand this bug,so let’s start the tracing. The bug begins with the following variable assignment:

String username = ParamUtils.getParameter(request,“username”);

The username value is assigned directly from the HTTP request. Later,the username variable is escaped using the custom escapeHTMLTags() function. The escaping occurs in the following line:

username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);

Later in the code,the escaped username value is used in the markup as part of an HTML attribute. The vulnerable line is presented below:

<input size=”15″maxlength=”50″value=”<%= (username != null ? username:“”) %>”>

The line above checks to see if the username variable has been assigned a value. If the username variable contains a value,it is displayed in the markup as the value attribute for an input field. While sanitizing the <and >characters would prevent an attacker closing the input field and starting a new html tag,it doesn’t prevent an attacker from closing off the attribute value and injecting a new HTML attribute for the input field. Some consider injection into a input field to be unexploitable (or limited to certain browsers),check out Gareth Heyes blog post about exploiting text fields with new HTML5 events http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/

Developers Solution

  public static String escapeHTMLTags(String in){ if (in == null){ return null; }  char ch; int i = 0; int last = 0; char[] input = in.toCharArray(); int len = input.length; StringBuilder out = new StringBuilder((int)(len * 1.3)); for (;i <len;i++){ ch = input[i]; if (ch >'>'){ }  else if (ch == '<'){if (i >last){out.append(input,last,i - last);} last = i + 1;out.append(LT_ENCODE); }  else if (ch == '>'){if (i >last){out.append(input,last,i - last);} last = i + 1;out.append(GT_ENCODE); }  else if (ch == '\n'){if (i >last){out.append(input,last,i - last);} last = i + 1;out.append("<br>"); }  }  if (last == 0){ return in; }  if (i >last){ out.append(input,last,i - last); }  return out.toString(); }... <snip>...<% // get parameters  String username = ParamUtils.getParameter(request,"username"); String password = ParamUtils.getParameter(request,"password"); String url = ParamUtils.getParameter(request,"url"); url = org.jivesoftware.util.StringUtils.escapeHTMLTags(url); // SSO between cluster nodes  String secret = ParamUtils.getParameter(request,"secret"); String nodeID = ParamUtils.getParameter(request,"nodeID"); String nonce = ParamUtils.getParameter(request,"nonce"); // The user auth token: AuthToken authToken = null; // Check the request/response for a login token  Map<String,String>errors = new HashMap<String,String>(); if (ParamUtils.getBooleanParameter(request,"login")){ String loginUsername = username; if (loginUsername != null){ loginUsername = JID.escapeNode(loginUsername); }  try{ if (secret != null &&nodeID != null){if (StringUtils.hash(AdminConsolePlugin.secret).equals(secret) &&ClusterManager.isClusterMember(Base64.decode(nodeID,Base64.URL_SAFE))){authToken = new AuthToken(loginUsername);} else if ("clearspace".equals(nodeID) &&ClearspaceManager.isEnabled()){ClearspaceManager csmanager = ClearspaceManager.getInstance();String sharedSecret = csmanager.getSharedSecret();if (nonce == null || sharedSecret == null || !csmanager.isValidNonce(nonce) ||   !StringUtils.hash(loginUsername + ":"+ sharedSecret + ":"+ nonce).equals(secret)){throw new UnauthorizedException("SSO failed. Invalid secret was provided");} authToken = new AuthToken(loginUsername);} else{throw new UnauthorizedException("SSO failed. Invalid secret or node ID was provided");}  }  else{// Check that a username was provided before trying to verify credentials if (loginUsername != null){if (LoginLimitManager.getInstance().hasHitConnectionLimit(loginUsername,request.getRemoteAddr())){throw new UnauthorizedException("User '"+ loginUsername +"' or address '"+ request.getRemoteAddr() + "' has his login attempt limit.");} if (!AdminManager.getInstance().isUserAdmin(loginUsername,true)){throw new UnauthorizedException("User '"+ loginUsername + "' not allowed to login.");} authToken = AuthFactory.authenticate(loginUsername,password);} else{errors.put("unauthorized",LocaleUtils.getLocalizedString("login.failed.unauthorized"));}  }... <snip>...  // Escape HTML tags in username to prevent cross-site scripting attacks. This  // is necessary because we display the username in the page below.  username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title><%= AdminConsole.getAppName() %><fmt:message key="login.title"/></title><script language="JavaScript"type="text/javascript"><!--// break out of framesif (self.parent.frames.length != 0){self.parent.location=document.location}  function updateFields(el){ if (el.checked){document.loginForm.username.disabled = true;document.loginForm.password.disabled = true; }  else{document.loginForm.username.disabled = false;document.loginForm.password.disabled = false;document.loginForm.username.focus(); }  }//--></script> <link rel="stylesheet"href="style/global.css"type="text/css"> <link rel="stylesheet"href="style/login.css"type="text/css"></head><body><form action="login.jsp"name="loginForm"method="post"><% if (url != null){try{%> <input type="hidden"name="url"value="<%= url %>"><% } catch (Exception e){Log.error(e);} } %><input type="hidden"name="login"value="true"><div align="center"> <!-- BEGIN login box --> <div id="jive-loginBox"> <div align="center"id="jive-loginTable"> <span id="jive-login-header"style="background:transparent url(images/login_logo.gif) no-repeat left;padding:29px 0 10px 205px;"> <fmt:message key="admin.console"/> </span> <div style="text-align:center;width:380px;"> <table cellpadding="0"cellspacing="0"border="0"align="center"><tr><td align="right"class="loginFormTable"><table cellpadding="2"cellspacing="0"border="0"><noscript>  <tr>  <td colspan="3">  <table cellpadding="0"cellspacing="0"border="0">  <tr valign="top"> <td><img src="images/error-16x16.gif"width="16"height="16"border="0"alt=""vspace="2"></td> <td><div class="jive-error-text"style="padding-left:5px;color:#cc0000;"><fmt:message key="login.error"/></div></td>  </tr>  </table>  </td>  </tr></noscript><% if (errors.size() >0){%>  <tr>  <td colspan="3">  <table cellpadding="0"cellspacing="0"border="0"> <% for (String error:errors.values()){%>  <tr valign="top"> <td><img src="images/error-16x16.gif"width="16"height="16"border="0"alt=""vspace="2"></td> <td><div class="jive-error-text"style="padding-left:5px;color:#cc0000;"><%= error%></div></td>  </tr> <% } %>  </table>  </td>  </tr><% } %><tr>+   <td><input type="text"name="username"size="15"maxlength="50"id="u01"value="<%= (username != null ? StringUtils.removeXSSCharacters(username):"") %>"></td>-   <td><input type="text"name="username"size="15"maxlength="50"id="u01"value="<%= (username != null ? username:"") %>"></td>  <td><input type="password"name="password"size="15"maxlength="50"id="p01"></td>  <td align="center"><input type="submit"value="&nbsp;<fmt:message key="login.login"/>&nbsp;"></td></tr><tr valign="top">  <td class="jive-login-label"><label for="u01"><fmt:message key="login.username"/></label></td>  <td class="jive-login-label"><label for="p01"><fmt:message key="login.password"/></label></td>  <td>&nbsp;</td></tr></table></td></tr><tr><td align="right"><div align="right"id="jive-loginVersion"><%= AdminConsole.getAppName() %>,<fmt:message key="login.version"/>:<%= AdminConsole.getVersionString() %></div></td></tr> </table> </div> </div> </div> <!-- END login box --></div></form><script language="JavaScript"type="text/javascript"><!--  if (document.loginForm.username.value == ''){ document.loginForm.username.focus(); } else{ document.loginForm.password.focus(); }//--></script></body></html>

CaddyShack – Cross Site Scripting

Details

Affected Software:WebChat Module for Jive

Fixed in Version:August of 2008

Issue Type:Cross Site Scripting

Original Code: Found Here

Description

This week’s vulnerability affected a webchat module created by Jive Software. The bug is straightforward, the JSP code takes an attacker controlled value and uses it to build dynamic HTML. Although the bug is straightforward,this week’s example was a great/simple exercise in identifying a vulnerable pattern and tracing to find other vulnerable patterns in the code. This week’s sample has three separate vulnerabilities that were all addressed via single patch. All these have similar symptoms/patterns (although the specifics are a bit different). Identifying vulnerable patterns and searching for these patterns in other places in code is an essential skill for security code auditors. Did you find all three bugs that were patched?

Developers Solution

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

public class FormUtils {

private FormUtils() {
}

public static String createAnswers(FormField formField,HttpServletRequest request) {
final StringBuffer builder = new StringBuffer();
if (formField.getType().equals(FormField.TYPE_TEXT_SINGLE)) {
String cookieValue = getCookieValueForField(formField.getVariable(),request);
String insertValue = "";
if(ModelUtil.hasLength(cookieValue)){
insertValue = "value=\""+cookieValue+"\"";
}
- builder.append("<input type=\"text\"name=\""+ formField.getVariable() + "\""+insertValue+"style=\"width:75%\">");
+builder.append("<input type=\"text\"name=\""+ formField.getVariable() + "\""+StringUtils.escapeHTMLTags(insertValue)+"style=\"width:75%\">");
}
else if (formField.getType().equals(FormField.TYPE_TEXT_MULTI)) {
builder.append("<textarea name=\""+ formField.getVariable() + "\"cols=\"30\"rows=\"3\">");
builder.append("</textarea>");
}
else if (formField.getType().equals(FormField.TYPE_LIST_SINGLE)) {
builder.append("<select name=\""+ formField.getVariable() + "\">");
Iterator iter = formField.getOptions();
String cookieValue = ModelUtil.emptyStringIfNull(getCookieValueForField(formField.getVariable(),request));
while (iter.hasNext()) {
FormField.Option option = (FormField.Option)iter.next();
String selected = option.getValue().equals(cookieValue) ? "selected":"";
- builder.append("<option value=\""+ option.getValue() + "\""+selected+">"+ option.getLabel() + "</option>");
+builder.append("<option value=\""+ StringUtils.escapeHTMLTags(option.getValue()) + "\""+selected+">"+ option.getLabel() + "</option>");
}
builder.append("</select>");
}
else if (formField.getType().equals(FormField.TYPE_BOOLEAN)) {
Iterator iter = formField.getOptions();
int counter = 0;
while (iter.hasNext()) {
FormField.Option option = (FormField.Option)iter.next();
String value = option.getLabel();
builder.append("<input type=\"checkbox\"value=\""+ value + "\"name=\""+ formField.getVariable() + counter + "\">");
builder.append(" ");
-builder.append(value);
+builder.append(StringUtils.escapeHTMLTags(value));
builder.append("<br/>");
counter++;
}
}

CaddyShack

I asked Dalai Lama the most important question that I think you could ask –if he had ever seen Caddyshack.
-Jesse Ventura

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

Drop Top - Cross Site ScriptingDrop Top –Cross Site Scripting

Details

Affected Software:Openfire by Ignite Realtime

Fixed in Version:3.6.1

Issue Type:XSS

Original Code: Found Here

Description

This is a straightforward XSS bug that affecting the Admin Console of OpenFire by Ignite Realtime/Jive software. The code fix is simple,encode a tainted URL variable before using it in markup. The URL variable is assigned an attacker controlled value here:

String url = ParamUtils.getParameter(request,“url”);

And is later used in the HTML markup here:

<input value=”<%= url %>”>

The one line fix is to encode the URL parameter,which was done here:

url = org.jivesoftware.util.StringUtils.escapeHTMLTags(url);

Looking through the code,we see that OpenFire had previously fixed an XSS vulnerability just a few lines above in the USERNAME variable. There is even comment indicating so! It surprising that the Ignite Realtime/Jive developers missed this one as it is literally two lines below the previous fix.

String username = ParamUtils.getParameter(request,“username”);
if (username != null){
username = JID.escapeNode(username);
}
// Escape HTML tags in username to prevent cross-site scripting attacks. This
// is necessary because we display the username in the page below.
username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);
String password = ParamUtils.getParameter(request,“password”);
String url = ParamUtils.getParameter(request,“url”);

The assignment of the PASSWORD variable is interesting

Developers Solution

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283

<%!

static String go(String url) {

if (url == null) {

return "index.jsp";

}

else {

return url;

}

}

%>

<%-- Check if in setup mode --%>

<%

if (admin.isSetupMode()) {

response.sendRedirect("setup/index.jsp");

return;

}

%>

<% // get parameters

String username = ParamUtils.getParameter(request,"username");

if (username != null) {

username = JID.escapeNode(username);

}

// Escape HTML tags in username to prevent cross-site scripting attacks. This

// is necessary because we display the username in the page below.

username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);

String password = ParamUtils.getParameter(request,"password");

String url = ParamUtils.getParameter(request,"url");

+ url = org.jivesoftware.util.StringUtils.escapeHTMLTags(url);

// SSO between cluster nodes

String secret = ParamUtils.getParameter(request,"secret");

String nodeID = ParamUtils.getParameter(request,"nodeID");

String nonce = ParamUtils.getParameter(request,"nonce");

// The user auth token:

AuthToken authToken;

... SNIP ...

<html>

<head>

<title><%= AdminConsole.getAppName() %><fmt:message key="login.title"/></title>

<script language="JavaScript">



</script>

<link rel="stylesheet"href="style/global.css"type="text/css">

<link rel="stylesheet"href="style/login.css"type="text/css">

</head>

<body>

<form action="login.jsp"name="loginForm"method="post">

<% if (url != null) { try { %>

<input type="hidden"value="<%= url %>">

<% } catch (Exception e) { Log.error(e);} } %>

<input value="true">

<div align="center">



<div id="jive-loginBox">

<div align="center">

<span id="jive-login-header"style="background:transparent url(images/login_logo.gif) no-repeat left;padding:29px 0 10px 205px;">

<fmt:message key="admin.console"/>

</span>

<div style="text-align:center;width:380px;">

<table cellpadding="0"cellspacing="0"border="0"align="center">

<tr>

<td align="right">

<table cellpadding="2"cellspacing="0"border="0">

<noscript>

<tr>

<td colspan="3">

<table cellpadding="0"cellspacing="0"border="0">

<tr valign="top">

<td><img src="images/error-16x16.gif"width="16"height="16"border="0"alt=""vspace="2"></td>

<td><div style="padding-left:5px;color:#cc0000;"><fmt:message key="login.error"/></div></td>

</tr>

</table>

</td>

</tr>

</noscript>

<% if (errors.size() >0) { %>

<tr>

<td colspan="3">

<table cellpadding="0"cellspacing="0"border="0">

<% for (String error:errors.values()) { %>

<tr valign="top">

<td><img src="images/error-16x16.gif"width="16"height="16"border="0"alt=""vspace="2"></td>

<td><div style="padding-left:5px;color:#cc0000;"><%= error%></div></td>

</tr>

<% } %>

</table>

</td>

</tr>

<% } %>

<tr>

<td><input size="15"maxlength="50"value="<%= (username != null ? username:"") %>"></td>

<td><input size="15"maxlength="50"></td>

<td align="center"><input value=" <fmt:message key="login.login"/> "></td>

</tr>

<tr valign="top">

<td><label for="u01"><fmt:message key="login.username"/></label></td>

<td><label for="p01"><fmt:message key="login.password"/></label></td>

<td> </td>

</tr>

</table>

</td>

</tr>

<tr>

<td align="right">

<div align="right">

<%= AdminConsole.getAppName() %>,<fmt:message key="login.version"/>:<%= AdminConsole.getVersionString() %>

</div>

</td>

</tr>

</table>

</div>

</div>

</div>



</div>

</form>

<script type="text/javascript">



</script>

</body>

</html>

Drop TopDrop Top

However living better now,Gucci sweater now. Drop top BM’s,I’m the man girlfriend
-Biggie Smalls

<%!
static String go(String url) {
if (url == null) {
return "index.jsp";
}
else {
return url;
}
}
%>

<%-- Check if in setup mode --%>
<%
if (admin.isSetupMode()) {
response.sendRedirect("setup/index.jsp");
return;
}
%>

<% // get parameters
String username = ParamUtils.getParameter(request,"username");
if (username != null) {
username = JID.escapeNode(username);
}
// Escape HTML tags in username to prevent cross-site scripting attacks. This
// is necessary because we display the username in the page below.
username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);

String password = ParamUtils.getParameter(request,"password");
String url = ParamUtils.getParameter(request,"url");

// SSO between cluster nodes
String secret = ParamUtils.getParameter(request,"secret");
String nodeID = ParamUtils.getParameter(request,"nodeID");
String nonce = ParamUtils.getParameter(request,"nonce");

// The user auth token:
AuthToken authToken;

... SNIP ...
<html>
<head>
<title><%= AdminConsole.getAppName() %> <fmt:message key="login.title" /></title>
<script language="JavaScript" type="text/javascript">

</script>
<link rel="stylesheet" href="style/global.css" type="text/css">
<link rel="stylesheet" href="style/login.css" type="text/css">
</head>

<body>

<form action="login.jsp" name="loginForm" method="post">

<% if (url != null) { try { %>

<input type="hidden" name="url" value="<%= url %>">

<% } catch (Exception e) { Log.error(e); } } %>

<input type="hidden" name="login" value="true">

<div align="center">

<div id="jive-loginBox">

<div align="center" id="jive-loginTable">

<span id="jive-login-header" style="background:transparent url(images/login_logo.gif) no-repeat left;padding:29px 0 10px 205px;">
<fmt:message key="admin.console" />
</span>

<div style="text-align:center;width:380px;">
<table cellpadding="0" cellspacing="0" border="0" align="center">
<tr>
<td align="right" class="loginFormTable">

<table cellpadding="2" cellspacing="0" border="0">
<noscript>
<tr>
<td colspan="3">
<table cellpadding="0" cellspacing="0" border="0">
<tr valign="top">
<td><img src="images/error-16x16.gif" width="16" height="16" border="0" alt="" vspace="2"></td>
<td><div class="jive-error-text" style="padding-left:5px;color:#cc0000;"><fmt:message key="login.error" /></div></td>
</tr>
</table>
</td>
</tr>
</noscript>
<% if (errors.size() > 0) { %>
<tr>
<td colspan="3">
<table cellpadding="0" cellspacing="0" border="0">
<% for (String error:errors.values()) { %>
<tr valign="top">
<td><img src="images/error-16x16.gif" width="16" height="16" border="0" alt="" vspace="2"></td>
<td><div class="jive-error-text" style="padding-left:5px;color:#cc0000;"><%= error%></div></td>
</tr>
<% } %>
</table>
</td>
</tr>
<% } %>
<tr>
<td><input type="text" name="username" size="15" maxlength="50" id="u01" value="<%= (username != null ? username:"") %>"></td>
<td><input type="password" name="password" size="15" maxlength="50" id="p01"></td>
<td align="center"><input type="submit" value=" <fmt:message key="login.login"/> "></td>
</tr>
<tr valign="top">
<td class="jive-login-label"><label for="u01"><fmt:message key="login.username" /></label></td>
<td class="jive-login-label"><label for="p01"><fmt:message key="login.password" /></label></td>
<td> </td>
</tr>
</table>
</td>
</tr>
<tr>
<td align="right">
<div align="right" id="jive-loginVersion">
<%= AdminConsole.getAppName() %>,<fmt:message key="login.version" />: <%= AdminConsole.getVersionString() %>
</div>
</td>
</tr>
</table>
</div>
</div>

</div>

</div>

</form>

<script language="JavaScript" type="text/javascript">

</script>

</body>
</html>

<%–
-   $RCSfile$
-   $Revision:10667 $
-   $Date:2008-07-14 14:14:29 -0500 (Mon,14 Jul2008) $
–%>

<%@ page import=”org.jivesoftware.admin.AdminConsole,

org.jivesoftware.openfire.admin.AdminManager”
errorPage=”error.jsp”
%>
<%@ page

import=”org.jivesoftware.openfire.clearspace.Clearspa

ceManager”%>
<%@ page

import=”org.jivesoftware.openfire.cluster.ClusterMana

ger”%>
<%@ page

import=”org.jivesoftware.openfire.container.AdminCons

olePlugin”%>
<%@ page import=”org.xmpp.packet.JID”%>
<%@ page import=”org.jivesoftware.openfire.auth.*”%>
<%@ page import=”java.util.HashMap”%>
<%@ page import=”java.util.Map”%>
<%@ page import=”org.jivesoftware.util.*”%>

<%@ taglib uri=”http://java.sun.com/jstl/core_rt”

prefix=”c”%>
<%@ taglib uri=”http://java.sun.com/jstl/fmt_rt”

prefix=”fmt”%>

<%–Define Administration Bean –%>
<jsp:useBean id=”admin”

class=”org.jivesoftware.util.WebManager” />
<% admin.init(request,response,session,

application,out );%>

<%!
static String go(String url){
if (url == null){
return “index.jsp”;
}
else{
return url;
}
}
%>

<%–Check if in setup mode –%>
<%
if (admin.isSetupMode()){
response.sendRedirect(“setup/index.jsp”);
return;
}
%>

<% // get parameters
String username = ParamUtils.getParameter

(request,“username”);
if (username != null){
username = JID.escapeNode(username);
}
// Escape HTML tags in username to prevent

cross-site scripting attacks. This
// is necessary because we display the username

in the page below.
username =

org.jivesoftware.util.StringUtils.escapeHTMLTags

(username);

String password = ParamUtils.getParameter

(request,“password”);
String url = ParamUtils.getParameter(request,

“url”);

// SSO between cluster nodes
String secret = ParamUtils.getParameter(request,

“secret”);
String nodeID = ParamUtils.getParameter(request,

“nodeID”);
String nonce = ParamUtils.getParameter(request,

“nonce”);

// The user auth token:
AuthToken authToken;

// Check the request/response for a login token

Map<String,String>errors = new HashMap<String,

String>();

if (ParamUtils.getBooleanParameter(request,

“login”)){
try{
if (!AdminManager.getInstance

().isUserAdmin(username,true)){
throw new UnauthorizedException(“User

‘”+ username + “‘not allowed to login.”);
}
if (secret != null &&nodeID != null){
if (StringUtils.hash

(AdminConsolePlugin.secret).equals(secret) &&

ClusterManager.isClusterMember(Base64.decode(nodeID,

Base64.URL_SAFE))){
authToken = new AuthToken

(username);
}
else if (“clearspace”.equals(nodeID)

&&ClearspaceManager.isEnabled()){
ClearspaceManager csmanager =

ClearspaceManager.getInstance();
String sharedSecret =

csmanager.getSharedSecret();
if (nonce == null || sharedSecret

== null || !csmanager.isValidNonce(nonce) ||
!StringUtils.hash

(username + “:”+ sharedSecret + “:”+ nonce).equals

(secret)){
throw new

UnauthorizedException(“SSO failed. Invalid secret was

provided”);
}
authToken = new AuthToken

(username);
}
else{
throw new UnauthorizedException

(“SSO failed. Invalid secret or node ID was

provided”);
}
}
else{
authToken = AuthFactory.authenticate

(username,password);
}
session.setAttribute

(“jive.admin.authToken”,authToken);
response.sendRedirect(go(url));
return;
}
catch (ConnectionException ue){
Log.debug(ue);
if (ClearspaceManager.isEnabled()){
if (session.getAttribute

(“prelogin.setup.error.firstTime.connection”) !=

null){
session.removeAttribute

(“prelogin.setup.error.firstTime.connection”);
session.setAttribute

(“prelogin.setup.error”,

“prelogin.setup.error.clearspace.connection”);
session.setAttribute

(“prelogin.setup.sidebar”,“true”);
session.setAttribute

(“prelogin.setup.sidebar.title”,

“prelogin.setup.sidebar.title.clearspace”);
session.setAttribute

(“prelogin.setup.sidebar.link”,“clearspace-

integration-prelogin.jsp”);
response.sendRedirect(go

(“setup/clearspace-integration-prelogin.jsp”));
} else{
session.setAttribute

(“prelogin.setup.error.firstTime.connection”,true);
errors.put(“connection”,

LocaleUtils.getLocalizedString

(“login.failed.connection.clearspace”));
}
} else{
errors.put(“connection”,

LocaleUtils.getLocalizedString

(“login.failed.connection”));
}
}
catch (InternalUnauthenticatedException ue){
Log.debug(ue);
if (ClearspaceManager.isEnabled()){
if (session.getAttribute

(“prelogin.setup.error.firstTime.sharedsecret”) !=

null){
session.removeAttribute

(“prelogin.setup.error.firstTime.sharedsecret”);
session.setAttribute

(“prelogin.setup.error”,

“prelogin.setup.error.clearspace.sharedsecret”);
session.setAttribute

(“prelogin.setup.sidebar”,“true”);
session.setAttribute

(“prelogin.setup.sidebar.title”,

“prelogin.setup.sidebar.title.clearspace”);
session.setAttribute

(“prelogin.setup.sidebar.link”,“clearspace-

integration-prelogin.jsp”);
response.sendRedirect(go

(“setup/clearspace-integration-prelogin.jsp”));
} else{
session.setAttribute

(“prelogin.setup.error.firstTime.sharedsecret”,

true);
errors.put(“authentication”,

LocaleUtils.getLocalizedString

(“login.failed.authentication.clearspace”));
}
} else{
errors.put(“authentication”,

LocaleUtils.getLocalizedString

(“login.failed.authentication”));
}
}
catch (UnauthorizedException ue){
Log.debug(ue);
errors.put(“unauthorized”,

LocaleUtils.getLocalizedString

(“login.failed.unauthorized”));
}
}
%>

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01

Transitional//EN”>

<fmt:message key=”login.title”/></title>
<script language=”JavaScript”

type=”text/javascript”>
<!–
// break out of frames
if (self.parent.frames.length != 0){

self.parent.location=document.location;
}
function updateFields(el){
if (el.checked){
document.loginForm.username.disabled

= true;
document.loginForm.password.disabled

= true;
}
else{
document.loginForm.username.disabled

= false;
document.loginForm.password.disabled

= false;
document.loginForm.username.focus();
}
}
//–>
</script>
<link rel=”stylesheet”href=”style/global.css”

type=”text/css”>
<link rel=”stylesheet”href=”style/login.css”

type=”text/css”>
</head>

<body>

<form action=”login.jsp”name=”loginForm”

method=”post”>

<% if (url != null){try{%>

<input type=”hidden”name=”url”value=”<%= url

%>”>

<% } catch (Exception e){Log.error(e);} } %>

<span id=”jive-login-header”

style=”background:transparent url

(images/login_logo.gif) no-repeat left;padding:29px

0 10px 205px;”>
<fmt:message key=”admin.console”/>
</span>

<div style=”text-align:center;width:

380px;”>
<table cellpadding=”0″cellspacing=”0″

border=”0″align=”center”>
<tr>
<td align=”right”

class=”loginFormTable”>

<table cellpadding=”2″

cellspacing=”0″border=”0″>
<noscript>
<tr>
<td colspan=”3″>
<table

cellpadding=”0″cellspacing=”0″border=”0″>
<tr valign=”top”>
<td><img

src=”images/error-16×16.gif”width=”16″height=”16″

border=”0″alt=”" vspace=”2″></td>
<td><div

class=”jive-error-text”style=”padding-left:5px;

color:#cc0000;”><fmt:message key=”login.error”

/></div></td>
</tr>
</table>
</td>
</tr>
</noscript>
<% if (errors.size() >0){

%>
<tr>
<td colspan=”3″>
<table

cellpadding=”0″cellspacing=”0″border=”0″>
<% for

(String error:errors.values()){%>
<tr valign=”top”>
<td><img

src=”images/error-16×16.gif”width=”16″height=”16″

border=”0″alt=”" vspace=”2″></td>
<td><div

class=”jive-error-text”style=”padding-left:5px;

color:#cc0000;”><%= error%></div></td>
</tr>
<% } %>
</table>
</td>
</tr>
<% } %>
<tr>
<td><input type=”text”

name=”username”size=”15″maxlength=”50″id=”u01″

value=”<%= (username != null ? username:“”)

%>”></td>
<td><input

type=”password”name=”password”size=”15″

maxlength=”50″id=”p01″></td>
<td align=”center”><input

type=”submit”value=” <fmt:message

key=”login.login”/> ”></td>
</tr>
<tr valign=”top”>
<td class=”jive-login-

label”><label for=”u01″><fmt:message

key=”login.username”/></label></td>
<td class=”jive-login-

label”><label for=”p01″><fmt:message

key=”login.password”/></label></td>
<td> </td>
</tr>
</table>
</td>
</tr>
<tr>
<td align=”right”>
<div align=”right”id=”jive-

loginVersion”>
<%= AdminConsole.getAppName()

%>,<fmt:message key=”login.version”/>:<%=

AdminConsole.getVersionString() %>
</div>
</td>
</tr>
</table>
</div>
</div>

</div>
<!–END login box –>
</div>

</form>

</body>
</html>

Weird Clothes – Cross Site Scripting

Details

Affected Software:Openfire by Ignite Realtime

Fixed in Version:3.6.3

Issue Type:XSS

Original Code: Found Here

Description

XSS bug in Openfire by Ignite Realtime. Openfire is an Open Source,real time collaboration server. The bug is very straightforward and a simple string like the one presented below takes advantage of the vulnerability.

http://www.example.com/group-summary.jsp?search=%22%3E%3C[xss]

This bug was actually part of a number of security bugs reported by Core Security Technologies. You can read their advisory here.

The patch simply HTML encodes the tainted search parameter…

Developers Solution

<%  // Get parameters
int start = ParamUtils.getIntParameter(request,"start",0);
int range = ParamUtils.getIntParameter(request,"range",webManager.getRowsPerPage("group-summary", 15));

if (request.getParameter("range") != null) {
webManager.setRowsPerPage("group-summary", range);
}

int groupCount = webManager.getGroupManager().getGroupCount();
Collection<Group> groups = webManager.getGroupManager().getGroups(start, range);

String search = null;
if (webManager.getGroupManager().isSearchSupported() && request.getParameter("search") != null
&& !request.getParameter("search").trim().equals(""))
{
search = request.getParameter("search");
+   // Santize variables to prevent vulnerabilities
+   search = StringUtils.escapeHTMLTags(search);

// Use the search terms to get the list of groups and group count.
groups = webManager.getGroupManager().search(search, start, range);
// Get the count as a search for *all* groups. That will let us do pagination even
// though it's a bummer to execute the search twice.
groupCount = webManager.getGroupManager().search(search).size();
}

// paginator vars
int numPages = (int)Math.ceil((double)groupCount/(double)range);
int curPage = (start/range) + 1;
%>

<%  if (request.getParameter("deletesuccess") != null) { %>

<div class="jive-success">
<table cellpadding="0" cellspacing="0" border="0">
<tbody>
<tr><td class="jive-icon"><img src="images/success-16x16.gif" width="16" height="16" border="0" alt=""></td>
<td class="jive-icon-label">
<fmt:message key="group.summary.delete_group" />
</td></tr>
</tbody>
</table>
</div><br>

<%  } %>

<% if (webManager.getGroupManager().isSearchSupported()) { %>

<form action="group-summary.jsp" method="get" name="searchForm">
<table border="0" width="100%" cellpadding="0" cellspacing="0">
<tr>
<td valign="bottom">
<fmt:message key="group.summary.total_group" /> <b><%= groupCount %></b>
<%  if (numPages > 1) { %>

, <fmt:message key="global.showing" /> <%= LocaleUtils.getLocalizedNumber(start+1) %>-<%= LocaleUtils.getLocalizedNumberstartrange > groupCount ? groupCount:start+range) %>

<%  } %>
</td>
<td align="right" valign="bottom">
<fmt:message key="group.summary.search" />: <input type="text" size="30" maxlength="150" name="search" value="<%= ((search!=null) ? search : "") %>">
</td>
</tr>
</table>
</form>

<script language="JavaScript" type="text/javascript">
document.searchForm.search.focus();
</script>

<% }
// Otherwise, searching is not supported.
else {
%>
<p>
<fmt:message key="group.summary.total_group" /> <b><%= groupCount %></b>
<%  if (numPages > 1) { %>

, <fmt:message key="global.showing" /> <%= (start+1) %>-<%= (start+range) %>

<%  } %>
</p>
<% } %>

<%  if (numPages > 1) { %>

<p>
<fmt:message key="global.pages" />
[
<%  for (int i=0; i<numPages; i++) {
String sep = ((i+1)<numPages) ? " " : "";
boolean isCurrent = (i+1) == curPage;
%>
<a href="group-summary.jsp?start=<%= (i*range) %><%= search!=null? "&search=" + URLEncoder.encode(search, "UTF-8") : ""%>"
class="<%= ((isCurrent) ? "jive-current" : "") %>"
><%= (i+1) %></a><%= sep %>

<%  } %>
]
</p>

Weird Clothes

Nothing separates the generations more than music. By the time a child is eight or nine,he has developed a passion for his own music that is even stronger than his passions for procrastination and weird clothes.
-Bill Cosby

<%  // Get parameters
int start = ParamUtils.getIntParameter(request,"start",0);
int range = ParamUtils.getIntParameter(request,"range",webManager.getRowsPerPage("group-summary", 15));

if (request.getParameter("range") != null) {
webManager.setRowsPerPage("group-summary", range);
}

int groupCount = webManager.getGroupManager().getGroupCount();
Collection<Group> groups = webManager.getGroupManager().getGroups(start, range);

String search = null;
if (webManager.getGroupManager().isSearchSupported() && request.getParameter("search") != null
&& !request.getParameter("search").trim().equals(""))
{
search = request.getParameter("search");
// Use the search terms to get the list of groups and group count.
groups = webManager.getGroupManager().search(search, start, range);
// Get the count as a search for *all* groups. That will let us do pagination even
// though it's a bummer to execute the search twice.
groupCount = webManager.getGroupManager().search(search).size();
}

// paginator vars
int numPages = (int)Math.ceil((double)groupCount/(double)range);
int curPage = (start/range) + 1;
%>

<%  if (request.getParameter("deletesuccess") != null) { %>

<div class="jive-success">
<table cellpadding="0" cellspacing="0" border="0">
<tbody>
<tr><td class="jive-icon"><img src="images/success-16x16.gif" width="16" height="16" border="0" alt=""></td>
<td class="jive-icon-label">
<fmt:message key="group.summary.delete_group" />
</td></tr>
</tbody>
</table>
</div><br>

<%  } %>

<% if (webManager.getGroupManager().isSearchSupported()) { %>

<form action="group-summary.jsp" method="get" name="searchForm">
<table border="0" width="100%" cellpadding="0" cellspacing="0">
<tr>
<td valign="bottom">
<fmt:message key="group.summary.total_group" /> <b><%= groupCount %></b>
<%  if (numPages > 1) { %>

, <fmt:message key="global.showing" /> <%= LocaleUtils.getLocalizedNumber(start+1) %>-<%= LocaleUtils.getLocalizedNumberstartrange > groupCount ? groupCount:start+range) %>

<%  } %>
</td>
<td align="right" valign="bottom">
<fmt:message key="group.summary.search" />: <input type="text" size="30" maxlength="150" name="search" value="<%= ((search!=null) ? search : "") %>">
</td>
</tr>
</table>
</form>

<script language="JavaScript" type="text/javascript">
document.searchForm.search.focus();
</script>

<% }
// Otherwise, searching is not supported.
else {
%>
<p>
<fmt:message key="group.summary.total_group" /> <b><%= groupCount %></b>
<%  if (numPages > 1) { %>

, <fmt:message key="global.showing" /> <%= (start+1) %>-<%= (start+range) %>

<%  } %>
</p>
<% } %>

<%  if (numPages > 1) { %>

<p>
<fmt:message key="global.pages" />
[
<%  for (int i=0; i<numPages; i++) {
String sep = ((i+1)<numPages) ? " " : "";
boolean isCurrent = (i+1) == curPage;
%>
<a href="group-summary.jsp?start=<%= (i*range) %><%= search!=null? "&search=" + URLEncoder.encode(search, "UTF-8") : ""%>"
class="<%= ((isCurrent) ? "jive-current" : "") %>"
><%= (i+1) %></a><%= sep %>

<%  } %>
]
</p>

Meaningless - LDAP InjectionMeaningless – LDAP Injection

Details

Affected Software:Apache Shiro Project

Fixed in Version:Revision 887987

Issue Type:LDAP Injection

Original Code: Found Here

Description

This patch fixes a LDAP injection vulnerability in the Apache Shiro Project. A quick glance of the vulnerable code shows several references to LDAP and LDAP queries scattered throughout the sample code. In this example,we see that the Shiro developers originally used the username to dynamically build a LDAP query. The symptoms are very similar to a typical SQL injection. The username is used in a string building technique to build the LDAP query which eventually gets passed to an LDAP server. If an attacker crafts the proper username,they could have the ability to modify the original LDAP query and execute an arbitrary LDAP query of their choosing.

Just as the symptoms are very similar to SQL injection,the fix also looks very similar to code that would be used to fix a SQL injection vulnerability. The developers helped the application make a distinction between code and data by removing the string built LDAP query

Developers Solution

<div id="_mcePaste">

protected AuthorizationInfo buildAuthorizationInfo(Set<String>roleNames) {

return new SimpleAuthorizationInfo(roleNames);

}

private Set<String>getRoleNamesForUser(String username,LdapContext ldapContext) throws NamingException {

Set<String>roleNames;

roleNames = new LinkedHashSet<String>();

SearchControls searchCtls = new SearchControls();

searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

String userPrincipalName = username;

if (principalSuffix != null) {

userPrincipalName += principalSuffix;

}

- String searchFilter = "(&(objectClass=*)(userPrincipalName="+ userPrincipalName + "))";

+ //SHIRO-115 - prevent potential code injection:

+ String searchFilter = "(&(objectClass=*)(userPrincipalName={0}))";

+ Object[] searchArguments = new Object[]{userPrincipalName};

- NamingEnumeration answer = ldapContext.search(searchBase,searchFilter,searchCtls);

+ NamingEnumeration answer = ldapContext.search(searchBase,searchFilter,searchArguments,searchCtls);

while (answer.hasMoreElements()) {

SearchResult sr = (SearchResult) answer.next();

if (log.isDebugEnabled()) {

log.debug("Retrieving group names for user ["+ sr.getName() + "]");

}

Attributes attrs = sr.getAttributes();

if (attrs != null) {

NamingEnumeration ae = attrs.getAll();

while (ae.hasMore()) {

Attribute attr = (Attribute) ae.next();

if (attr.getID().equals("memberOf")) {

Collection<String>groupNames = LdapUtils.getAllAttributeValues(attr);

if (log.isDebugEnabled()) {

log.debug("Groups found for user ["+ username + "]:"+ groupNames);

}

Collection<String>rolesForGroups = getRoleNamesForGroups(groupNames);

roleNames.addAll(rolesForGroups);

}

}

}

}

return roleNames;

}

protected Collection<String>getRoleNamesForGroups(Collection<String>groupNames) {

Set<String>roleNames = new HashSet<String>(groupNames.size());

if (groupRolesMap != null) {

for (String groupName:groupNames) {

String strRoleNames = groupRolesMap.get(groupName);

if (strRoleNames != null) {

for (String roleName:strRoleNames.split(ROLE_NAMES_DELIMETER)) {

if (log.isDebugEnabled()) {

log.debug("User is member of group ["+ groupName + "] so adding role ["+ roleName + "]");

}

roleNames.add(roleName);

}

}

}

}

return roleNames;

}

}

</div>

SlinkySlinky

People are like slinkys,they get on your nerves,but its still fun to push them down some stairs.
- Anonymous

Hint: WSSecurityException returns an error message to the user

public WSUsernameTokenPrincipal handleUsernameToken(Element token,CallbackHandler cb)
throws WSSecurityException {
ut = new UsernameToken(token);
String user = ut.getName();
String password = ut.getPassword();
String nonce = ut.getNonce();
String createdTime = ut.getCreated();
String pwType = ut.getPasswordType();
if (log.isDebugEnabled()) {
log.debug("UsernameToken user " + user);
log.debug("UsernameToken password " + password);
}

Callback[] callbacks = new Callback[1];
String origPassword = null;

//
// If the UsernameToken is hashed,then retrieve the password from the callback handler
// and compare directly. If the UsernameToken is in plaintext or of some unknown type,
// then delegate authentication to the callback handler
//
if (ut.isHashed()) {
if (cb == null) {
throw new WSSecurityException(WSSecurityException.FAILURE,"noCallback");
}

WSPasswordCallback pwCb = new WSPasswordCallback(user,WSPasswordCallback.USERNAME_TOKEN);
callbacks[0] = pwCb;
try {
cb.handle(callbacks);
} catch (IOException e) {
if (log.isDebugEnabled()) {
log.debug(e);
}
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
} catch (UnsupportedCallbackException e) {
if (log.isDebugEnabled()) {
log.debug(e);
}
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
origPassword = pwCb.getPassword();
if (log.isDebugEnabled()) {
log.debug("UsernameToken callback password " + origPassword);
}
if (origPassword == null) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"noPassword",new Object[]{user});
}
String passDigest = UsernameToken.doPasswordDigest(nonce,createdTime,origPassword);
if (!passDigest.equals(password)) {
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
ut.setRawPassword(origPassword);
} else {
if (cb == null) {
throw new WSSecurityException(WSSecurityException.FAILURE,"noCallback");
} else if (!WSConstants.PASSWORD_TEXT.equals(pwType) && !handleCustomPasswordTypes) {
if (log.isDebugEnabled()) {
log.debug("Authentication failed as handleCustomUsernameTokenTypes is false");
}
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
WSPasswordCallback pwCb = new WSPasswordCallback(user,password,
pwType,WSPasswordCallback.USERNAME_TOKEN_UNKNOWN);
callbacks[0] = pwCb;
try {
cb.handle(callbacks);
} catch (IOException e) {
if (log.isDebugEnabled()) {
log.debug(e);
}
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
} catch (UnsupportedCallbackException e) {
if (log.isDebugEnabled()) {
log.debug(e);
}
throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
ut.setRawPassword(password);
}
WSUsernameTokenPrincipal principal = new WSUsernameTokenPrincipal(user,ut.isHashed());
principal.setNonce(nonce);
principal.setPassword(password);
principal.setCreatedTime(createdTime);
principal.setPasswordType(pwType);

return principal;
}

Pause

It’s not so much knowing when to speak,when to pause.
- Jack Benny

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

try {

String q = new String(request.getParameter("q").getBytes("ISO-8859-1"),"UTF-8");

String swrnum = request.getParameter("swrnum");

String numResults = null;

try {

numResults = NumberFormat.getNumberInstance().format(Long.parseLong(swrnum));

} catch (NumberFormatException e) {

// ignore

}

if (q == null || numResults == null) {

return;

}

request.setAttribute("title","Search within results");

%><jsp:include page="header.jsp"/>

<form name=f action="search.jsp">

<table border=0 cellpadding=0 cellspacing=0 width=100%>

<tr><table border=0 width=100%><tr><td><br>There were about <b><%= numResults %></b> results for <b><%= q %></b>.<br>

Use the search box below to search within these results.<br><br></td></tr></table>

</td></tr>

<tr><td valign=middle>

<table border=0 width=100%><tr><td>

<INPUT type=hidden name=q value="<%= q %>">

<INPUT type=text name=as_q size=31 maxlength=256 value="">

<INPUT type=submit VALUE="Search within results">

</td></tr></table>

</td></tr>

</table>

</form>

<jsp:include page="footer.jsp"/>

SpotTheVuln.com

Search for Vulnerabilities

Popular Vulnerable Code

Links

Beer –XSS

Details

Description

Developers Solution

CaddyShack – Cross Site Scripting

Details

Description

Developers Solution

CaddyShack

Drop Top - Cross Site ScriptingDrop Top –Cross Site Scripting

Details

Description

Developers Solution

Drop TopDrop Top

Weird Clothes – Cross Site Scripting

Details

Description

Developers Solution

Weird Clothes

Meaningless - LDAP InjectionMeaningless – LDAP Injection

Details

Description

Developers Solution

SlinkySlinky

Pause

Programming Languages

Popular Vulnerabilities