Cross Site Scripting filter bypass

Issue: SI-19
Date: Apr 21, 2014, 6:15:00 AM
Severity: Medium
Requires Admin Access: No
Fix Version: 2.5.4
Credit: it.sec GmbH & Co. KG – Hans-Martin Münch & Markus Piéton
Description:

The Cross Site Scripting protection, which filters user input to produce a sanitized representation of potentially harmful input, is flawed and can be circumvented. This leads to a range of vulnerabilities that allow attackers to change the layout of the web site and possibly compromise visiting clients. Cross Site Scripting is commonly used by attackers to display fake login screens that send the entered credentials to an attacker-controlled server.

dotCMS provides an XSS filter intended to prevent XSS vulnerabilities. This filter can be extended, either by updating the filtering regex or by providing a separate filter implementation.

As the report notes, dotCMS cannot block every form of scripting from the administrative tooling, nor prevent customers from deploying code that does not sanitize incoming requests. A filter that rejected all such input would prevent users from entering the specific HTML and JavaScript their own implementations require, including future technologies. A regex blacklist also cannot anticipate every encoding or markup variant a browser will accept, so it should be treated as defense in depth rather than the sole control.

Mitigation:

Customers can update their specific implementation, update the XSS regex, and/or implement a plugin that includes an XSS workflow actionlet to prevent XSS (or any scripting) from being included in submitted content.
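To make the advisory's point concrete, the following added Python example (not dotCMS code) contrasts a regex blacklist with an allowlist check of the kind a custom workflow actionlet could run on submitted content. The blacklist regexes are a hypothetical stand-in, not dotCMS's actual filter, and the payloads are constructed, generic XSS vectors rather than bypasses taken from the report.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser

# --- 1. A regex blacklist of the kind this advisory describes as bypassable ---
# Hypothetical stand-in patterns, not dotCMS's actual filter regex.
SCRIPT_TAG_RE = re.compile(r"<\s*script\b[^>]*>.*?<\s*/\s*script\s*>", re.I | re.S)
JS_URL_RE = re.compile(r"javascript\s*:", re.I)


def naive_blacklist_filter(markup: str) -> str:
    """Strip <script> blocks and javascript: URLs; everything else passes through."""
    return JS_URL_RE.sub("", SCRIPT_TAG_RE.sub("", markup))


# Constructed sample payloads: generic XSS vectors, not bypasses from the report.
BYPASS_EVENT_HANDLER = "<img src=x onerror=alert(1)>"             # no <script>, no javascript:
BYPASS_ENTITY_ENCODED = '<a href="&#106;avascript:alert(1)">x</a>'  # the regex never decodes entities
BYPASS_FOREIGN_TAG = "<svg onload=alert(1)>"


# --- 2. Allowlist validation, the kind of check a workflow actionlet could run ---
def safe_url(value: str) -> bool:
    """Accept only relative URLs or http(s) schemes, after removing the control
    characters and whitespace that browsers tolerate inside a scheme."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value).lower()
    scheme = re.match(r"^([a-z][a-z0-9+.-]*):", cleaned)
    if scheme is None:
        return True  # no scheme: relative URL ('/path?x=a:b' is fine, the colon is past the path)
    return scheme.group(1) in ("http", "https")


class ActiveContentDetector(HTMLParser):
    """Record every tag, attribute or URL outside a small allowlist.

    html.parser lowercases tag and attribute names and entity-decodes attribute
    values before calling the handlers, so case tricks and &#NN; encoding are
    normalised away instead of being pattern-matched."""

    ALLOWED_TAGS = {
        "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
        "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(), "h3": set(),
        "a": {"href", "title"},
        "img": {"src", "alt", "width", "height"},
    }
    URL_ATTRS = {"href", "src"}

    def __init__(self) -> None:
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        allowed_attrs = self.ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            self.violations.append(f"tag <{tag}> is not in the allowlist")
            return
        for name, value in attrs:
            if name not in allowed_attrs:  # catches every on* handler, style, srcdoc, ...
                self.violations.append(f"attribute {name!r} is not allowed on <{tag}>")
            elif name in self.URL_ATTRS and not safe_url(value or ""):
                self.violations.append(f"unsafe URL in <{tag} {name}>: {value!r}")

    # Comments, declarations and processing instructions have no business in
    # user-submitted content, so they are rejected outright.
    def handle_comment(self, data):
        self.violations.append("HTML comment")

    def handle_decl(self, decl):
        self.violations.append(f"declaration {decl!r}")

    def handle_unknown_decl(self, data):
        self.violations.append(f"declaration {data!r}")

    def handle_pi(self, data):
        self.violations.append(f"processing instruction {data!r}")


def active_content_violations(markup: str) -> list[str]:
    """Return the allowlist violations; an empty list means the content is accepted."""
    parser = ActiveContentDetector()
    parser.feed(markup)
    parser.close()
    return parser.violations


if __name__ == "__main__":
    for payload in (BYPASS_EVENT_HANDLER, BYPASS_ENTITY_ENCODED, BYPASS_FOREIGN_TAG):
        print(f"{payload!r:45} blacklist -> {naive_blacklist_filter(payload)!r}")
        print(f"{'':45} allowlist -> {active_content_violations(payload)}")
```

In an actionlet, a check like `active_content_violations` would be run over each text or WYSIWYG field of the submitted contentlet and the workflow action failed whenever the list is non-empty; the dotCMS workflow API itself is not shown here. Because `html.parser` is tolerant and does not reproduce browser parsing exactly, a production deployment should delegate the allowlisting to a maintained sanitizer (for example the OWASP Java HTML Sanitizer on the Java side) and keep the regex filter only as defense in depth.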