ICEfaces / ICE-7595

JavaScript echo through focus parameter

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.RC1
    • Fix Version/s: 3.0, EE-1.8.2.GA_P04
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      ICEfaces

      Description


      If the ice.focus parameter is set to contain JavaScript, this may be executed on a subsequent page view.

      As mentioned in the forum post, setting ice.focus:

      ice.focus=form.starSearchClient');alert('Xss

      will allow the JavaScript to be executed because the page contains:

      Ice.focus.setFocus('form.starSearchClient');alert('Xss');

        Activity

        Ted Goddard added a comment -

        The risk of this in terms of an actual cross-site scripting attack is very small: ice.focus fields are not shared between users, so if the attacker is able to set the ice.focus field, they are likely able to execute arbitrary JavaScript in the page already. It does not seem likely that an attacker could create a clickable URL containing a malicious ice.focus parameter, as the ice.focus is not a session scope attribute, it is only echoed to the view making the request (and with just a URL, the attacker does not have access to the view identifier).

        In any case, the parameter is intended to contain a component ID only, so this should be fixed.

        Ted Goddard added a comment -

        A similar bug may be present in ICEfaces 3.0, so some investigation is required.

        Mircea Toma added a comment -

        This issue was already fixed for ICEfaces 1.8 code, see ICE-5181.
        Also the code was later ported to ICEfaces 2.* and 3.*, see ICE-5881.
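
The echo described in the report, next to a renderer that accepts a component ID only, as an added example: this is not ICEfaces code and not the fix referenced in ICE-5181 or ICE-5881. The class and method names and the ID pattern are assumptions; only `Ice.focus.setFocus` and the reported parameter value come from this page.

```java
import java.util.regex.Pattern;

// Hypothetical helper, not part of ICEfaces.
final class FocusParam {
    // Assumption: a component ID is letters, digits, '_', '-', ':' and '.'
    // ('.' is allowed only because the ID in the report contains one).
    private static final Pattern COMPONENT_ID =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_:.\\-]{0,255}");

    // Behaviour from the report: the raw parameter is concatenated into a
    // JavaScript string literal, so a quote in the value ends the literal.
    static String renderUnsafe(String focus) {
        return "Ice.focus.setFocus('" + focus + "');";
    }

    // Defence in depth: every character outside [A-Za-z0-9] becomes \\uXXXX,
    // so the value cannot close the literal or the enclosing script element.
    static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9');
            if (alnum) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    // Hardened form: anything that is not a component ID produces no focus call.
    static String renderSafe(String focus) {
        if (focus == null || !COMPONENT_ID.matcher(focus).matches()) {
            return "";
        }
        return "Ice.focus.setFocus('" + escapeJsString(focus) + "');";
    }

    public static void main(String[] args) {
        String reported = "form.starSearchClient');alert('Xss"; // value from the report
        String benign = "form:searchField";                     // constructed sample ID
        System.out.println("unsafe:   " + renderUnsafe(reported));
        System.out.println("rejected: [" + renderSafe(reported) + "]");
        System.out.println("accepted: " + renderSafe(benign));
    }
}
```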


          People

          • Assignee:
            Mircea Toma
            Reporter:
            Ted Goddard