Popular Vulnerable Code

Beer –XSS

Details

Affected Software:OpenFire

Fixed in Version:3.7.0b

Issue Type:XSS

Original Code: Found Here

Description

This week’s bug was an XSS vulnerability caused by the improper escaping of an HTML attribute.  It’s obvious that the developers attempted to protect their software from XSS vulnerabilities.  They even wrote their own XSS sanitizing method (escapeHTMLTags).  The escapeHTMLTags() method is simple,strip out <and >characters and return the string.  Unfortunately,this simple pattern isn’t sufficient in defending against all XSS vulnerabilities.  There is a bit of tracing that is required to understand this bug,so let’s start the tracing.  The bug begins with the following variable assignment:

String username = ParamUtils.getParameter(request,“username”);

The username value is assigned directly from the HTTP request.  Later,the username variable is escaped using the custom escapeHTMLTags() function.  The escaping occurs in the following line:

username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);

Later in the code,the escaped username value is used in the markup as part of an HTML attribute.  The vulnerable line is presented below:

<input size=”15″maxlength=”50″value=”<%= (username != null ? username:“”) %>”>

The line above checks to see if the username variable has been assigned a value.  If the username variable contains a value,it is displayed in the markup as the value attribute for an input field.  While sanitizing the <and >characters would prevent an attacker closing the input field and starting a new html tag,it doesn’t prevent an attacker from closing off the attribute value and injecting a new HTML attribute for the input field.  Some consider injection into a input field to be unexploitable (or limited to certain browsers),check out Gareth Heyes blog post about exploiting text fields with new HTML5 events http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/

Developers Solution

  public static String escapeHTMLTags(String in){ if (in == null){ return null; }  char ch; int i = 0; int last = 0; char[] input = in.toCharArray(); int len = input.length; StringBuilder out = new StringBuilder((int)(len * 1.3)); for (;i <len;i++){ ch = input[i]; if (ch >'>'){ }  else if (ch == '<'){if (i >last){out.append(input,last,i - last);} last = i + 1;out.append(LT_ENCODE); }  else if (ch == '>'){if (i >last){out.append(input,last,i - last);} last = i + 1;out.append(GT_ENCODE); }  else if (ch == '\n'){if (i >last){out.append(input,last,i - last);} last = i + 1;out.append("<br>"); }  }  if (last == 0){ return in; }  if (i >last){ out.append(input,last,i - last); }  return out.toString(); }... <snip>...<% // get parameters  String username = ParamUtils.getParameter(request,"username"); String password = ParamUtils.getParameter(request,"password"); String url = ParamUtils.getParameter(request,"url"); url = org.jivesoftware.util.StringUtils.escapeHTMLTags(url); // SSO between cluster nodes  String secret = ParamUtils.getParameter(request,"secret"); String nodeID = ParamUtils.getParameter(request,"nodeID"); String nonce = ParamUtils.getParameter(request,"nonce"); // The user auth token: AuthToken authToken = null; // Check the request/response for a login token  Map<String,String>errors = new HashMap<String,String>(); if (ParamUtils.getBooleanParameter(request,"login")){ String loginUsername = username; if (loginUsername != null){ loginUsername = JID.escapeNode(loginUsername); }  try{ if (secret != null &&nodeID != null){if (StringUtils.hash(AdminConsolePlugin.secret).equals(secret) &&ClusterManager.isClusterMember(Base64.decode(nodeID,Base64.URL_SAFE))){authToken = new AuthToken(loginUsername);} else if ("clearspace".equals(nodeID) &&ClearspaceManager.isEnabled()){ClearspaceManager csmanager = ClearspaceManager.getInstance();String sharedSecret = csmanager.getSharedSecret();if (nonce == null || sharedSecret == null || !csmanager.isValidNonce(nonce) ||   !StringUtils.hash(loginUsername + ":"+ sharedSecret + ":"+ nonce).equals(secret)){throw new UnauthorizedException("SSO failed. Invalid secret was provided");} authToken = new AuthToken(loginUsername);} else{throw new UnauthorizedException("SSO failed. Invalid secret or node ID was provided");}  }  else{// Check that a username was provided before trying to verify credentials if (loginUsername != null){if (LoginLimitManager.getInstance().hasHitConnectionLimit(loginUsername,request.getRemoteAddr())){throw new UnauthorizedException("User '"+ loginUsername +"' or address '"+ request.getRemoteAddr() + "' has his login attempt limit.");} if (!AdminManager.getInstance().isUserAdmin(loginUsername,true)){throw new UnauthorizedException("User '"+ loginUsername + "' not allowed to login.");} authToken = AuthFactory.authenticate(loginUsername,password);} else{errors.put("unauthorized",LocaleUtils.getLocalizedString("login.failed.unauthorized"));}  }... <snip>...  // Escape HTML tags in username to prevent cross-site scripting attacks. This  // is necessary because we display the username in the page below.  username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title><%= AdminConsole.getAppName() %><fmt:message key="login.title"/></title><script language="JavaScript"type="text/javascript"><!--// break out of framesif (self.parent.frames.length != 0){self.parent.location=document.location}  function updateFields(el){ if (el.checked){document.loginForm.username.disabled = true;document.loginForm.password.disabled = true; }  else{document.loginForm.username.disabled = false;document.loginForm.password.disabled = false;document.loginForm.username.focus(); }  }//--></script> <link rel="stylesheet"href="style/global.css"type="text/css"> <link rel="stylesheet"href="style/login.css"type="text/css"></head><body><form action="login.jsp"name="loginForm"method="post"><% if (url != null){try{%> <input type="hidden"name="url"value="<%= url %>"><% } catch (Exception e){Log.error(e);} } %><input type="hidden"name="login"value="true"><div align="center"> <!-- BEGIN login box --> <div id="jive-loginBox"> <div align="center"id="jive-loginTable"> <span id="jive-login-header"style="background:transparent url(images/login_logo.gif) no-repeat left;padding:29px 0 10px 205px;"> <fmt:message key="admin.console"/> </span> <div style="text-align:center;width:380px;"> <table cellpadding="0"cellspacing="0"border="0"align="center"><tr><td align="right"class="loginFormTable"><table cellpadding="2"cellspacing="0"border="0"><noscript>  <tr>  <td colspan="3">  <table cellpadding="0"cellspacing="0"border="0">  <tr valign="top"> <td><img src="images/error-16x16.gif"width="16"height="16"border="0"alt=""vspace="2"></td> <td><div class="jive-error-text"style="padding-left:5px;color:#cc0000;"><fmt:message key="login.error"/></div></td>  </tr>  </table>  </td>  </tr></noscript><% if (errors.size() >0){%>  <tr>  <td colspan="3">  <table cellpadding="0"cellspacing="0"border="0"> <% for (String error:errors.values()){%>  <tr valign="top"> <td><img src="images/error-16x16.gif"width="16"height="16"border="0"alt=""vspace="2"></td> <td><div class="jive-error-text"style="padding-left:5px;color:#cc0000;"><%= error%></div></td>  </tr> <% } %>  </table>  </td>  </tr><% } %><tr>+   <td><input type="text"name="username"size="15"maxlength="50"id="u01"value="<%= (username != null ? StringUtils.removeXSSCharacters(username):"") %>"></td>-   <td><input type="text"name="username"size="15"maxlength="50"id="u01"value="<%= (username != null ? username:"") %>"></td>  <td><input type="password"name="password"size="15"maxlength="50"id="p01"></td>  <td align="center"><input type="submit"value="&nbsp;<fmt:message key="login.login"/>&nbsp;"></td></tr><tr valign="top">  <td class="jive-login-label"><label for="u01"><fmt:message key="login.username"/></label></td>  <td class="jive-login-label"><label for="p01"><fmt:message key="login.password"/></label></td>  <td>&nbsp;</td></tr></table></td></tr><tr><td align="right"><div align="right"id="jive-loginVersion"><%= AdminConsole.getAppName() %>,<fmt:message key="login.version"/>:<%= AdminConsole.getVersionString() %></div></td></tr> </table> </div> </div> </div> <!-- END login box --></div></form><script language="JavaScript"type="text/javascript"><!--  if (document.loginForm.username.value == ''){ document.loginForm.username.focus(); } else{ document.loginForm.password.focus(); }//--></script></body></html>
October 15th,2010 | Tags:,,,,,,,,,, | Category:Cross-Site Scripting (XSS),Java,Openfire,Solution | One comment

CaddyShack – Cross Site Scripting

Details

Affected Software:WebChat Module for Jive

Fixed in Version:August of 2008

Issue Type:Cross Site Scripting

Original Code: Found Here

Description

This week’s vulnerability affected a webchat module created by Jive Software.  The bug is straightforward,  the JSP code takes an attacker controlled value and uses it to build dynamic HTML.  Although the bug is straightforward,this week’s example was a great/simple exercise in identifying a vulnerable pattern and tracing to find other vulnerable patterns in the code.  This week’s sample has three separate vulnerabilities that were all addressed via single patch.  All these have similar symptoms/patterns (although the specifics are a bit different).  Identifying vulnerable patterns and searching for these patterns in other places in code is an essential skill for security code auditors.  Did you find all three bugs that were patched?

Developers Solution

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
 public class FormUtils {

private FormUtils() {
}

public static String createAnswers(FormField formField,HttpServletRequest request) {
final StringBuffer builder = new StringBuffer();
if (formField.getType().equals(FormField.TYPE_TEXT_SINGLE)) {
String cookieValue = getCookieValueForField(formField.getVariable(),request);
String insertValue = "";
if(ModelUtil.hasLength(cookieValue)){
insertValue = "value=\""+cookieValue+"\"";
}
- builder.append("<input type=\"text\"name=\""+ formField.getVariable() + "\""+insertValue+"style=\"width:75%\">");
+builder.append("<input type=\"text\"name=\""+ formField.getVariable() + "\""+StringUtils.escapeHTMLTags(insertValue)+"style=\"width:75%\">");
}
else if (formField.getType().equals(FormField.TYPE_TEXT_MULTI)) {
builder.append("<textarea name=\""+ formField.getVariable() + "\"cols=\"30\"rows=\"3\">");
builder.append("</textarea>");
}
else if (formField.getType().equals(FormField.TYPE_LIST_SINGLE)) {
builder.append("<select name=\""+ formField.getVariable() + "\">");
Iterator iter = formField.getOptions();
String cookieValue = ModelUtil.emptyStringIfNull(getCookieValueForField(formField.getVariable(),request));
while (iter.hasNext()) {
FormField.Option option = (FormField.Option)iter.next();
String selected = option.getValue().equals(cookieValue) ? "selected":"";
- builder.append("<option value=\""+ option.getValue() + "\""+selected+">"+ option.getLabel() + "</option>");
+builder.append("<option value=\""+ StringUtils.escapeHTMLTags(option.getValue()) + "\""+selected+">"+ option.getLabel() + "</option>");
}
builder.append("</select>");
}
else if (formField.getType().equals(FormField.TYPE_BOOLEAN)) {
Iterator iter = formField.getOptions();
int counter = 0;
while (iter.hasNext()) {
FormField.Option option = (FormField.Option)iter.next();
String value = option.getLabel();
builder.append("<input type=\"checkbox\"value=\""+ value + "\"name=\""+ formField.getVariable() + counter + "\">");
builder.append("&nbsp;");
-builder.append(value);
+builder.append(StringUtils.escapeHTMLTags(value));
builder.append("<br/>");
counter++;
}
}
August 20th,2010 | Tags:,,,,, | Category:Cross-Site Scripting (XSS),Java,Openfire,Solution | Leave a comment

Drop Top - Cross Site ScriptingDrop Top –Cross Site Scripting

Details

Affected Software:Openfire by Ignite Realtime

Fixed in Version:3.6.1

Issue Type:XSS

Original Code: Found Here

Description

This is a straightforward XSS bug that affecting the Admin Console of OpenFire by Ignite Realtime/Jive software.  The code fix is simple,encode a tainted URL variable before using it in markup.  The URL variable is assigned an attacker controlled value here:

String url = ParamUtils.getParameter(request,“url”);

And is later used in the HTML markup here:

<input value=”<%= url %>”>

The one line fix is to encode the URL parameter,which was done here:

url = org.jivesoftware.util.StringUtils.escapeHTMLTags(url);

Looking through the code,we see that OpenFire had previously fixed an XSS vulnerability just a few lines above in the USERNAME variable.  There is even comment indicating so!  It surprising that the Ignite Realtime/Jive developers missed this one as it is literally two lines below the previous fix.

String username = ParamUtils.getParameter(request,“username”);

if (username != null){

username = JID.escapeNode(username);

}

// Escape HTML tags in username to prevent cross-site scripting attacks. This

// is necessary because we display the username in the page below.

username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);

String password = ParamUtils.getParameter(request,“password”);

String url = ParamUtils.getParameter(request,“url”);

The assignment of the PASSWORD variable is interesting :)

Developers Solution

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
<%!

static String go(String url) {

if (url == null) {

return "index.jsp";

}

else {

return url;

}

}

%>

<%-- Check if in setup mode --%>

<%

if (admin.isSetupMode()) {

response.sendRedirect("setup/index.jsp");

return;

}

%>

<% // get parameters

String username = ParamUtils.getParameter(request,"username");

if (username != null) {

username = JID.escapeNode(username);

}

// Escape HTML tags in username to prevent cross-site scripting attacks. This

// is necessary because we display the username in the page below.

username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);

String password = ParamUtils.getParameter(request,"password");

String url = ParamUtils.getParameter(request,"url");

+   url = org.jivesoftware.util.StringUtils.escapeHTMLTags(url);

// SSO between cluster nodes

String secret = ParamUtils.getParameter(request,"secret");

String nodeID = ParamUtils.getParameter(request,"nodeID");

String nonce = ParamUtils.getParameter(request,"nonce");

// The user auth token:

AuthToken authToken;

... SNIP ...

<html>

<head>

<title><%= AdminConsole.getAppName() %><fmt:message key="login.title"/></title>

<script language="JavaScript">

<!--

// break out of frames

if (self.parent.frames.length != 0) {

self.parent.location=document.location;

}

function updateFields(el) {

if (el.checked) {

document.loginForm.username.disabled = true;

document.loginForm.password.disabled = true;

}

else {

document.loginForm.username.disabled = false;

document.loginForm.password.disabled = false;

document.loginForm.username.focus();

}

}

//-->

</script>

<link rel="stylesheet"href="style/global.css"type="text/css">

<link rel="stylesheet"href="style/login.css"type="text/css">

</head>

<body>

<form action="login.jsp"name="loginForm"method="post">

<%  if (url != null) { try { %>

<input type="hidden"value="<%= url %>">

<%  } catch (Exception e) { Log.error(e);} } %>

<input value="true">

<div align="center">

<!-- BEGIN login box -->

<div id="jive-loginBox">

<div align="center">

<span id="jive-login-header"style="background:transparent url(images/login_logo.gif) no-repeat left;padding:29px 0 10px 205px;">

<fmt:message key="admin.console"/>

</span>

<div style="text-align:center;width:380px;">

<table cellpadding="0"cellspacing="0"border="0"align="center">

<tr>

<td align="right">

<table cellpadding="2"cellspacing="0"border="0">

<noscript>

<tr>

<td colspan="3">

<table cellpadding="0"cellspacing="0"border="0">

<tr valign="top">

<td><img src="images/error-16x16.gif"width="16"height="16"border="0"alt=""vspace="2"></td>

<td><div style="padding-left:5px;color:#cc0000;"><fmt:message key="login.error"/></div></td>

</tr>

</table>

</td>

</tr>

</noscript>

<%  if (errors.size() >0) { %>

<tr>

<td colspan="3">

<table cellpadding="0"cellspacing="0"border="0">

<% for (String error:errors.values()) { %>

<tr valign="top">

<td><img src="images/error-16x16.gif"width="16"height="16"border="0"alt=""vspace="2"></td>

<td><div style="padding-left:5px;color:#cc0000;"><%= error%></div></td>

</tr>

<% } %>

</table>

</td>

</tr>

<%  } %>

<tr>

<td><input size="15"maxlength="50"value="<%= (username != null ? username:"") %>"></td>

<td><input size="15"maxlength="50"></td>

<td align="center"><input value="&nbsp;<fmt:message key="login.login"/>&nbsp;"></td>

</tr>

<tr valign="top">

<td><label for="u01"><fmt:message key="login.username"/></label></td>

<td><label for="p01"><fmt:message key="login.password"/></label></td>

<td>&nbsp;</td>

</tr>

</table>

</td>

</tr>

<tr>

<td align="right">

<div align="right">

<%= AdminConsole.getAppName() %>,<fmt:message key="login.version"/>:<%= AdminConsole.getVersionString() %>

</div>

</td>

</tr>

</table>

</div>

</div>

</div>

<!-- END login box -->

</div>

</form>

<script type="text/javascript">

<!--

if (document.loginForm.username.value == '')  {

document.loginForm.username.focus();

} else {

document.loginForm.password.focus();

}

//-->

</script>

</body>

</html>
July 16th,2010 | Tags:,,,,,,,,,,,,,,,,,,, | Category:Cross-Site Scripting (XSS),Java,Openfire,Solution | Leave a comment

Weird Clothes – Cross Site Scripting

Details

Affected Software:Openfire by Ignite Realtime

Fixed in Version:3.6.3

Issue Type:XSS

Original Code: Found Here

Description

XSS bug in Openfire by Ignite Realtime.  Openfire is an Open Source,real time collaboration server.  The bug is very straightforward and a simple string like the one presented below takes advantage of the vulnerability.

http://www.example.com/group-summary.jsp?search=%22%3E%3C[xss]

This bug was actually part of a number of security bugs reported by Core Security Technologies.  You can read their advisory here.

The patch simply HTML encodes the tainted search parameter…

Developers Solution

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
<%  // Get parameters
int start = ParamUtils.getIntParameter(request,"start",0);
int range = ParamUtils.getIntParameter(request,"range",webManager.getRowsPerPage("group-summary", 15));

if (request.getParameter("range") != null) {
webManager.setRowsPerPage("group-summary", range);
}

int groupCount = webManager.getGroupManager().getGroupCount();
Collection<Group> groups = webManager.getGroupManager().getGroups(start, range);

String search = null;
if (webManager.getGroupManager().isSearchSupported() && request.getParameter("search") != null
&& !request.getParameter("search").trim().equals(""))
{
search = request.getParameter("search");
+    // Santize variables to prevent vulnerabilities
+    search = StringUtils.escapeHTMLTags(search);

// Use the search terms to get the list of groups and group count.
groups = webManager.getGroupManager().search(search, start, range);
// Get the count as a search for *all* groups. That will let us do pagination even
// though it's a bummer to execute the search twice.
groupCount = webManager.getGroupManager().search(search).size();
}

// paginator vars
int numPages = (int)Math.ceil((double)groupCount/(double)range);
int curPage = (start/range) + 1;
%>

<%  if (request.getParameter("deletesuccess") != null) { %>

<div class="jive-success">
<table cellpadding="0" cellspacing="0" border="0">
<tbody>
<tr><td class="jive-icon"><img src="images/success-16x16.gif" width="16" height="16" border="0" alt=""></td>
<td class="jive-icon-label">
<fmt:message key="group.summary.delete_group" />
</td></tr>
</tbody>
</table>
</div><br>

<%  } %>

<% if (webManager.getGroupManager().isSearchSupported()) { %>

<form action="group-summary.jsp" method="get" name="searchForm">
<table border="0" width="100%" cellpadding="0" cellspacing="0">
<tr>
<td valign="bottom">
<fmt:message key="group.summary.total_group" /> <b><%= groupCount %></b>
<%  if (numPages > 1) { %>

, <fmt:message key="global.showing" /> <%= LocaleUtils.getLocalizedNumber(start+1) %>-<%= LocaleUtils.getLocalizedNumberstartrange > groupCount ? groupCount:start+range) %>

<%  } %>
</td>
<td align="right" valign="bottom">
<fmt:message key="group.summary.search" />: <input type="text" size="30" maxlength="150" name="search" value="<%= ((search!=null) ? search : "") %>">
</td>
</tr>
</table>
</form>

<script language="JavaScript" type="text/javascript">
document.searchForm.search.focus();
</script>

<% }
// Otherwise, searching is not supported.
else {
%>
<p>
<fmt:message key="group.summary.total_group" /> <b><%= groupCount %></b>
<%  if (numPages > 1) { %>

, <fmt:message key="global.showing" /> <%= (start+1) %>-<%= (start+range) %>

<%  } %>
</p>
<% } %>

<%  if (numPages > 1) { %>

<p>
<fmt:message key="global.pages" />
[
<%  for (int i=0; i<numPages; i++) {
String sep = ((i+1)<numPages) ? " " : "";
boolean isCurrent = (i+1) == curPage;
%>
<a href="group-summary.jsp?start=<%= (i*range) %><%= search!=null? "&search=" + URLEncoder.encode(search, "UTF-8") : ""%>"
class="<%= ((isCurrent) ? "jive-current" : "") %>"
><%= (i+1) %></a><%= sep %>

<%  } %>
]
</p>
July 9th,2010 | Tags:,,,,,, | Category:Cross-Site Scripting (XSS),Java,Openfire,Solution | Leave a comment

Renting - Cross Site ScriptingRenting – Cross Site Scripting

Details

Affected Software:FastPath Plugin for OpenFire

Fixed in Version: 3.5.3

Issue Type:Cross Site Scripting (XSS)

Original Code: Found Here

Description

This weeks’ bug consisted of vulnerabilities in the FastPath plugin for OpenFire.  The FastPath plugin adds support for queued chat requests,much like those chat queues found on support websites across the internet.  Several code changes were made with this change list.  The first set of changes simply cleans up the imports used by the page and has no significant security impact.

The second set of changes we see URL encode user/attacker controlled items placed in a HTTP Redirect.  Although the security fix was labeled as “XSS fixes”,this particular change was likely to prevent CRLF injection into the location header for the JSP redirect (which could ultimately lead to XSS… ).

The remainder of the code fixes simply encodes HTML output before redisplaying it back to the user,defeating the classic XSS attack.

Developers Solution

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
-<%@ page import="org.jivesoftware.smack.util.StringUtils"%>
-<%@ page import="org.jivesoftware.webchat.util.ParamUtils,java.util.*"%>
+<%@ page import="java.util.*"%>
<%@ page import="org.jivesoftware.webchat.actions.WorkgroupStatus"%>
+<%@ page import="org.jivesoftware.webchat.util.*"%>
<!-- Get and Set Workgroup -->
<jsp:useBean />
<jsp:setProperty property="*"/>
<%
boolean authFailed = ParamUtils.getParameter(request,"authFailed") != null;

String location = (String)session.getAttribute("pageLocation");
if (chatUser.hasSession()) {
chatUser.removeSession();
}

String workgroup = chatUser.getWorkgroup();
String chatID = chatUser.getChatID();
if (chatID == null) {
chatID = StringUtils.randomString(10);
}

Workgroup chatWorkgroup = WorkgroupStatus.getWorkgroup(workgroup);
if (!chatWorkgroup.isAvailable()) {
-       response.sendRedirect("email/leave-a-message.jsp?workgroup="+ workgroup);
+ response.sendRedirect("email/leave-a-message.jsp?workgroup="+ StringUtils.URLEncode(workgroup,"utf-8"));
return;
}

...<SNIP>...

<html>
<head>
<title>Information </title>

<link rel="stylesheet"

href="style.jsp?workgroup=<%= workgroup %>"/><script src="common.js">//Ignore</script>
</head>
<body style="margin-top:0px;margin-bottom:20px;margin-right:20px;margin-left:20px">
<table width="100%"cellpadding="3"cellspacing="2">
<tr><td colspan="2"height="1%">
<img src="getimage?image=logo&workgroup=<%= workgroup %>"/>
</td>
</tr>
<form action="queue.jsp"method="post">
<!-- Identify all hidden variables. All variables will be passed to the metadata router.
You can do any name-value pairing you like. Such as product=Jive Live Assistant. Such
data can be used to effectivly route to a particular queue within a workgroup.
-->
-       <input value="<%= workgroup %>"/>
-       <input value="<%= chatID %>"/>
+       <input type="hidden"name="workgroup"value="<%= StringUtils.escapeHTMLTags(workgroup) %>"/>
+       <input type="hidden"name="chatID"value="<%= StringUtils.escapeHTMLTags(chatID) %>"/>
<!-- End of Hidden Variable identifiers -->
<tr>
<td colspan="2"height="1%">
<br/><%=  welcomeText %>
</td>
</tr>
<tr>
<td height="1%">
<br/>
</td>
</tr>

<% if (authFailed) { %>
<tr valign="top">
<td colspan="2"height="1%"nowrap><span>Authentication Failed</span></td>
</tr>
<% } %>

<%
Iterator fields = workgroupForm.getFields();
while(fields.hasNext()){
hasElements = true;
FormField field = (FormField)fields.next();
String label = field.getLabel();
boolean required = field.isRequired();
String requiredStr = required ? "&nbsp;<span class=\"error\">*</span>":"";
if(!field.getType().equals(FormField.TYPE_HIDDEN)){
%>
<tr valign="top">
<td height="1%"width="1%"nowrap><%= label%><%= requiredStr%></td><td><%= FormUtils.createAnswers

(field,request)%></td>
</tr>
<% } } %>

<tr valign="top">
<td height="1%">
<!-- All workgroup defined variables -->
<%
fields = workgroupForm.getFields();
while(fields.hasNext()){
FormField field = (FormField)fields.next();
if(field.getType().equals(FormField.TYPE_HIDDEN)){
%>
<%= FormUtils.createDynamicField(field,request)%>
<% }} %>
<!-- End of Defined Variables -->

<% // Handle page location
if(location != null){ %>
-                    <input value="<%= location%>"/>
+       <input type="hidden"name="location"value="<%= StringUtils.escapeHTMLTags(location)%>"/>
<% } %>
</td>
<td><input value="<%= startButton%>"/></td>
</tr>
<tr>

</tr>
</form>
</table>
-<div style="position:absolute;bottom:0px;right:5px"><img src="getimage?image=poweredby&workgroup=<%= workgroup %>"/></div>
+<div style="position:absolute;bottom:0px;right:5px"><img src="getimage?image=poweredby&workgroup=<%=

StringUtils.URLEncode(workgroup,"utf-8") %>"/></div>
</body>
<%if(!hasElements){ %>
<script>
document.f.submit();
</script>
<%}%>
</html>
June 18th,2010 | Category:Cross-Site Scripting (XSS),Openfire,PHP,Solution | Leave a comment