ACE-5670 (Alfresco One Platform)

Escaping is incorrect on /share/service/components/form/control-wrapper

Description

When security testing with CSRF protection disabled, Burp Suite Pro detects reflected XSS in the form at /share/service/components/form/control-wrapper; this indicates that the escaping of reflected content on this page is incorrect.

Burp Suite reports that the displayMode JSON parameter, the name parameter, and the value parameter are susceptible to reflected XSS; the default CSRF proof-of-concept code for the name parameter is below. They all do look exploitable, but I only demonstrated it on the "name" parameter.

With CSRF protection enabled the issue is not obviously exploitable without another hack to obtain a CSRF token (when worse things can probably be done), hence the low security rating assigned.

At this time I haven't looked for other methods of exploitation which might make this error more important.

To reproduce, use a browser with no XSS auditor or with the auditor disabled.
Disable CSRF protection in Alfresco.
Adjust the code below for your Alfresco Share server, open the file and submit the form request.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!-- Double quotes inside attribute values are written as &quot; so the HTML stays well-formed -->
<body>
<form action="http://192.168.56.103:8080/share/service/components/form/control-wrapper" method="POST">
<input type="hidden" name="htmlid" value="alf-id0" />
<input type="hidden" name="type" value="association" />
<input type="hidden" name="name" value="payloadnzmia&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;rn78f" />
<input type="hidden" name="label" value="Source Items" />
<input type="hidden" name="value" value="" />
<input type="hidden" name="controlParams" value="{&quot;displayMode&quot;:&quot;list&quot;,&quot;multipleSelectMode&quot;:true}" />
<input type="hidden" name="field" value="{}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
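The root cause the report names is missing output escaping of reflected request parameters. The following is an added illustration, not Alfresco code: a minimal stand-in for a form control wrapper in plain JavaScript, showing the vulnerable concatenation next to a hardened version that escapes every reflected value for its HTML context and treats the controlParams JSON as untrusted. The parameter names mirror the PoC request above; the rendering functions, their markup, and the default displayMode value are hypothetical.

```javascript
// Added example (not Alfresco code). Parameter names follow the PoC request
// in the report; renderUnsafe/renderSafe and their markup are hypothetical.

// Escape a string for use inside an HTML attribute or text node. All five
// characters are encoded so a value can never close the attribute or the
// tag, or start a new element.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse the controlParams JSON without trusting it: on any failure fall back
// to defaults instead of echoing the raw string back into the page.
// (The default displayMode here is an assumption, not Alfresco's.)
function parseControlParams(raw) {
  const defaults = { displayMode: "list", multipleSelectMode: false };
  try {
    const parsed = JSON.parse(raw);
    const obj = parsed && typeof parsed === "object" ? parsed : {};
    return { ...defaults, ...obj };
  } catch (e) {
    return defaults;
  }
}

// Vulnerable pattern: request values are concatenated straight into markup,
// so a name like  x"><script>alert(1)</script>  breaks out of the attribute.
function renderUnsafe(p) {
  const cfg = parseControlParams(p.controlParams);
  return `<div id="${p.htmlid}" class="form-field ${cfg.displayMode}">` +
         `<label for="${p.htmlid}-${p.name}">${p.label}</label>` +
         `<input id="${p.htmlid}-${p.name}" name="${p.name}" value="${p.value}" />` +
         `</div>`;
}

// Hardened pattern: every reflected value, including the displayMode taken
// from the JSON parameter, is escaped at the point where it enters markup.
function renderSafe(p) {
  const cfg = parseControlParams(p.controlParams);
  const e = escapeHtml;
  return `<div id="${e(p.htmlid)}" class="form-field ${e(cfg.displayMode)}">` +
         `<label for="${e(p.htmlid)}-${e(p.name)}">${e(p.label)}</label>` +
         `<input id="${e(p.htmlid)}-${e(p.name)}" name="${e(p.name)}" value="${e(p.value)}" />` +
         `</div>`;
}

// Constructed request that mirrors the PoC form above (the name value is the
// payload quoted in the report).
const request = {
  htmlid: "alf-id0",
  type: "association",
  name: 'payloadnzmia"><script>alert(1)</script>rn78f',
  label: "Source Items",
  value: "",
  controlParams: '{"displayMode":"list","multipleSelectMode":true}',
  field: "{}",
};

// Simple check a test suite can use: does the rendered markup still contain
// a live script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsScriptTag(renderUnsafe(request))); // true
console.log(containsScriptTag(renderSafe(request)));   // false
```

In a FreeMarker template, which is what Share uses for rendering, the equivalent of `escapeHtml` is the `?html` built-in applied at each interpolation; the escaping has to happen at the output point, for every reflected parameter, which is what the report says is missing here.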

People

Assignee: Closed Issues
Reporter: Simon Waters
Votes: 0
Watchers: 3

Time Tracking

Original Estimate: Not Specified
Remaining Estimate: 0m
Time Spent: 4h