Enterprise 3.x
  1. Enterprise 3.x
  2. ETHREEOH-1138

Script error appears after configuring Alfresco RSS Feed with XSS URL

    Details

    • Type: Bug Bug
    • Status: Closed Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 3.0 SP1
    • Fix Version/s: 3.1 SP1
    • Component/s: Share
    • Security Level: external (External user)
    • Labels:
      None
    • Environment:
      Alfresco 3.0 SP1 build 295
      RHEL 5.2, Tomcat 5.5.26, PostgreSQL 8.3.5, JDK 6u7

      Description

      Steps to reproduce:
      1. Log in to Share client;
      2. Click on "Configure" link on "Alfresco Global Feed" dashlet;
      3. Enter into "URL" field the next XSS string (http:// <IMG """><SCRIPT>alert("test")</SCRIPT>">)
      4. Press "Ok" button -> pop-up window doesn't close;
      5. press "Cancel" button and refresh the page -> instead if the "RSS Feed" dashlet the following script error appears:

      The Web Script /share/service/components/dashlets/rssfeed has responded with a status of 500 - Internal Error.
      500 Description: An error inside the HTTP server which prevented it from fulfilling the request.
       
      Message: Failed to load script '/org/alfresco/components/dashlets/rssfeed.get.js (in classpath store file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts)': Wrapped java.lang.IllegalArgumentException: Invalid uri 'http://&lt;IMG """><SCRIPT>alert("test")</SCRIPT>">': Invalid authority (file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js#25)
         
      Exception: java.lang.IllegalArgumentException - Invalid uri 'http://&lt;IMG """><SCRIPT>alert("test")</SCRIPT>">': Invalid authority
         
       org.apache.commons.httpclient.HttpMethodBase.(HttpMethodBase.java:222)
       org.apache.commons.httpclient.methods.GetMethod.(GetMethod.java:89)
       org.alfresco.connector.RemoteClient.service(RemoteClient.java:523)
       org.alfresco.connector.RemoteClient.service(RemoteClient.java:475)
       org.alfresco.connector.RemoteClient.call(RemoteClient.java:295)
       org.alfresco.connector.RemoteClient.call(RemoteClient.java:229)
       org.alfresco.connector.HttpConnector.call(HttpConnector.java:79)
       org.alfresco.connector.AbstractConnector.call(AbstractConnector.java:73)
       org.alfresco.web.scripts.ScriptRemoteConnector.call(ScriptRemoteConnector.java:69)
       sun.reflect.GeneratedMethodAccessor89.invoke(Unknown Source)
       sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       java.lang.reflect.Method.invoke(Method.java:597)
       org.mozilla.javascript.MemberBox.invoke(MemberBox.java:155)
       org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:243)
       org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:66)
       org.mozilla.javascript.gen.c10._c1(file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js:25)
       org.mozilla.javascript.gen.c10.call(file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js)
       org.mozilla.javascript.optimizer.OptRuntime.callName(OptRuntime.java:97)
       org.mozilla.javascript.gen.c10._c0(file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js:164)
       org.mozilla.javascript.gen.c10.call(file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js)
       org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:393)
       org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:2834)
       org.mozilla.javascript.gen.c10.call(file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js)
       org.mozilla.javascript.gen.c10.exec(file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js)
       org.alfresco.web.scripts.PresentationScriptProcessor.executeScriptImpl(PresentationScriptProcessor.java:256)
       org.alfresco.web.scripts.PresentationScriptProcessor.executeScript(PresentationScriptProcessor.java:148)
       org.alfresco.web.scripts.AbstractWebScript.executeScript(AbstractWebScript.java:791)
       org.alfresco.web.scripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:90)
       org.alfresco.web.scripts.PresentationContainer.executeScript(PresentationContainer.java:60)
       org.alfresco.web.scripts.LocalWebScriptRuntimeContainer.executeScript(LocalWebScriptRuntimeContainer.java:182)
       org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:260)
       org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:139)
       org.alfresco.web.scripts.WebScriptRenderer.execute(WebScriptRenderer.java:274)
       org.alfresco.web.site.RenderUtil.renderComponent(RenderUtil.java:463)
       org.alfresco.web.site.PresentationUtil.renderComponent(PresentationUtil.java:202)
       org.alfresco.web.site.taglib.ComponentTag.doStartTag(ComponentTag.java:100)
       org.alfresco.tools.TagUtil.execute(TagUtil.java:143)
       org.alfresco.tools.TagUtil.execute(TagUtil.java:79)
       org.alfresco.web.scripts.FreemarkerTagSupportDirective.executeTag(FreemarkerTagSupportDirective.java:95)
       org.alfresco.web.scripts.FreemarkerTagSupportDirective.executeTag(FreemarkerTagSupportDirective.java:73)
       org.alfresco.web.scripts.ComponentFreemarkerTagDirective.execute(ComponentFreemarkerTagDirective.java:118)
       freemarker.core.Environment.visit(Environment.java:261)
       freemarker.core.UnifiedCall.accept(UnifiedCall.java:126)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.MixedContent.accept(MixedContent.java:92)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.Environment.process(Environment.java:188)
       freemarker.template.Template.process(Template.java:237)
       org.alfresco.web.scripts.PresentationTemplateProcessor.process(PresentationTemplateProcessor.java:146)
       org.alfresco.web.scripts.FreemarkerRenderer.execute(FreemarkerRenderer.java:220)
       org.alfresco.web.site.RenderUtil.executeRenderer(RenderUtil.java:877)
       org.alfresco.web.site.RenderUtil.executeRenderer(RenderUtil.java:854)
       org.alfresco.web.site.RenderUtil.renderRegion(RenderUtil.java:374)
       org.alfresco.web.site.PresentationUtil.renderRegion(PresentationUtil.java:164)
       org.alfresco.web.site.taglib.RegionTag.doStartTag(RegionTag.java:113)
       org.alfresco.tools.TagUtil.execute(TagUtil.java:143)
       org.alfresco.tools.TagUtil.execute(TagUtil.java:79)
       org.alfresco.web.scripts.FreemarkerTagSupportDirective.executeTag(FreemarkerTagSupportDirective.java:95)
       org.alfresco.web.scripts.RegionFreemarkerTagDirective.execute(RegionFreemarkerTagDirective.java:128)
       freemarker.core.Environment.visit(Environment.java:261)
       freemarker.core.UnifiedCall.accept(UnifiedCall.java:126)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.IteratorBlock$Context.runLoop(IteratorBlock.java:179)
       freemarker.core.Environment.visit(Environment.java:415)
       freemarker.core.IteratorBlock.accept(IteratorBlock.java:102)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.MixedContent.accept(MixedContent.java:92)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.IteratorBlock$Context.runLoop(IteratorBlock.java:179)
       freemarker.core.Environment.visit(Environment.java:415)
       freemarker.core.IteratorBlock.accept(IteratorBlock.java:102)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.MixedContent.accept(MixedContent.java:92)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.Macro$Context.runMacro(Macro.java:164)
       freemarker.core.Environment.visit(Environment.java:601)
       freemarker.core.UnifiedCall.accept(UnifiedCall.java:106)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.IfBlock.accept(IfBlock.java:82)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.Macro$Context.runMacro(Macro.java:164)
       freemarker.core.Environment.visit(Environment.java:601)
       freemarker.core.UnifiedCall.accept(UnifiedCall.java:106)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.MixedContent.accept(MixedContent.java:92)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.Environment.visit(Environment.java:393)
       freemarker.core.BodyInstruction.accept(BodyInstruction.java:93)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.MixedContent.accept(MixedContent.java:92)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.Macro$Context.runMacro(Macro.java:164)
       freemarker.core.Environment.visit(Environment.java:601)
       freemarker.core.UnifiedCall.accept(UnifiedCall.java:106)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.MixedContent.accept(MixedContent.java:92)
       freemarker.core.Environment.visit(Environment.java:208)
       freemarker.core.Environment.process(Environment.java:188)
       freemarker.template.Template.process(Template.java:237)
       org.alfresco.web.scripts.PresentationTemplateProcessor.process(PresentationTemplateProcessor.java:146)
       org.alfresco.web.scripts.FreemarkerRenderer.execute(FreemarkerRenderer.java:220)
       org.alfresco.web.site.RenderUtil.renderTemplate(RenderUtil.java:266)
       org.alfresco.web.site.RenderUtil.renderPage(RenderUtil.java:170)
       org.alfresco.web.site.PresentationUtil.renderPage(PresentationUtil.java:88)
       org.alfresco.web.site.servlet.DispatcherServlet.dispatchPage(DispatcherServlet.java:459)
       org.alfresco.web.site.servlet.DispatcherServlet.dispatch(DispatcherServlet.java:360)
       org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:148)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
       org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
       org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
       org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
       org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
       org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
       org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
       org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
       org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
       org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
       org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
       org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
       org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
       java.lang.Thread.run(Thread.java:619)
         
      Exception: org.mozilla.javascript.WrappedException - Wrapped java.lang.IllegalArgumentException: Invalid uri 'http://&lt;IMG """><SCRIPT>alert("test")</SCRIPT>">': Invalid authority (file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js#25)
         
       org.mozilla.javascript.Context.throwAsScriptRuntimeEx(Context.java:1757)
         
      Exception: org.alfresco.web.scripts.WebScriptException - Wrapped java.lang.IllegalArgumentException: Invalid uri 'http://&lt;IMG """><SCRIPT>alert("test")</SCRIPT>">': Invalid authority (file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js#25)
         
       org.alfresco.web.scripts.PresentationScriptProcessor.executeScriptImpl(PresentationScriptProcessor.java:261)
         
      Exception: org.alfresco.web.scripts.WebScriptException - Failed to load script '/org/alfresco/components/dashlets/rssfeed.get.js (in classpath store file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts)': Wrapped java.lang.IllegalArgumentException: Invalid uri 'http://&lt;IMG """><SCRIPT>alert("test")</SCRIPT>">': Invalid authority (file:/alf/alf30_295/tomcat_share/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/dashlets/rssfeed.get.js#25)
         
       org.alfresco.web.scripts.PresentationScriptProcessor.executeScript(PresentationScriptProcessor.java:152)
         
      Server: Alfresco Enterprise v3.0.1 (295) schema 501
      Time: Dec 18, 2008 2:27:09 PM
         
      Diagnostics: Inspect Web Script (org/alfresco/components/dashlets/rssfeed.get)

        Issue Links

          Activity

          Hide
          Mike Hatfield added a comment -
          Can't reproduce this with the XSS string given. Please check again and post the exact repro steps.

          Thanks,
          Mike
          Show
          Mike Hatfield added a comment - Can't reproduce this with the XSS string given. Please check again and post the exact repro steps. Thanks, Mike
          Hide
          mkononovich added a comment - - edited
          The bug still appears on build 189.
          Steps to reproduce:
          1.Click on "Configure" link on "Alfresco Global Feed" dashlet;
          2. Enter into "URL" field the next XSS string (http:// <IMG """><SCRIPT>alert("test")</SCRIPT>"> ) -> it seems to be "OK" button became disabled;
          3. Enter any letter after http:// (e.g. something http://g <IMG """><SCRIPT>alert("test")</SCRIPT>">) -> "OK" button became enabled;
          4. Click on "OK" button and then on "Cancel" button and reload the page -> the same error is displayed.
          Show
          mkononovich added a comment - - edited The bug still appears on build 189. Steps to reproduce: 1.Click on "Configure" link on "Alfresco Global Feed" dashlet; 2. Enter into "URL" field the next XSS string (http:// <IMG """><SCRIPT>alert("test")</SCRIPT>"> ) -> it seems to be "OK" button became disabled; 3. Enter any letter after http:// (e.g. something http://g <IMG """><SCRIPT>alert("test")</SCRIPT>">) -> "OK" button became enabled; 4. Click on "OK" button and then on "Cancel" button and reload the page -> the same error is displayed.
          Hide
          Mike Hatfield added a comment -
          Thanks Max - think we're there now. CHK-7399
          Show
          Mike Hatfield added a comment - Thanks Max - think we're there now. CHK-7399
          Hide
          Steve Rigby added a comment -
          for retest in b195 or later
          Show
          Steve Rigby added a comment - for retest in b195 or later
          Hide
          mkononovich added a comment -
          Successfully validated against build 195
          Show
          mkononovich added a comment - Successfully validated against build 195

            People

            • Assignee:
              Closed Bugs
              Reporter:
              mkononovich
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Date of First Response: