javaee / javahelp

[sec] Attacker could load own helpset #36

Open glassfishrobot opened 12 years ago

glassfishrobot commented 12 years ago

javax.help.tagext.ValidateTag allows the URL for hsName to be provided by a request parameter. If no hsName is provided in the code, an attacker could provide a link to some helpSet he controls and load it into any website. The request parameter helpset has to be validated before using it.

glassfishrobot commented 12 years ago

Reported by hme

glassfishrobot commented 12 years ago

hme said: Sorry, this is wrong. Because of another bug or strange code, it is not possible to provide a helpset with a URL other than the URL from the request. An attacker has to change the request URL to something he controls.

In createHelpSet() in javax.help.tagext.ValidateTag at first there is this check:

    if (!hsName.startsWith("/")) {
        hsName = "/" + hsName;
    }

This adds a "/" at the beginning if there is none, so this if is never true:

    if (hsName.startsWith("http")) {
        url = new URL(hsName);
    } else {
        url = new URL(request.getScheme(),
                      request.getServerName(),
                      request.getServerPort(),
                      hsName);
    }

glassfishrobot commented 7 years ago

This issue was imported from java.net JIRA JAVAHELP-36
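
The validation the report asks for, sketched as an added example (not JavaHelp code and not from any participant in this thread): the `helpset` parameter is accepted only as a path on a fixed allow-list, and the URL is built from a configured origin rather than from request-derived scheme, host and port. The class name `HelpSetUrlValidator`, the origin `https://help.example.com/` and the allow-listed paths are assumptions made for illustration.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Set;

public class HelpSetUrlValidator {
    // Assumed deployment configuration (hypothetical values, not from the project).
    private static final URI BASE = URI.create("https://help.example.com/");
    private static final Set<String> ALLOWED = Set.of("/help/app.hs", "/help/admin.hs");

    /** Returns the helpset URL for an allow-listed parameter value, otherwise throws. */
    static URL resolve(String hsName) throws MalformedURLException {
        if (hsName == null || hsName.isEmpty()) {
            throw new IllegalArgumentException("missing helpset parameter");
        }
        URI candidate;
        try {
            candidate = new URI(hsName);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed helpset parameter");
        }
        // Reject absolute URLs (a scheme is present), scheme-relative ones
        // (an authority is present), and anything carrying a query or fragment.
        if (candidate.isAbsolute() || candidate.getRawAuthority() != null
                || candidate.getRawQuery() != null || candidate.getRawFragment() != null) {
            throw new IllegalArgumentException("helpset must be a plain path");
        }
        // Collapse "." and ".." segments before comparing with the allow-list.
        String path = candidate.normalize().getPath();
        if (!path.startsWith("/")) {
            path = "/" + path;
        }
        if (!ALLOWED.contains(path)) {
            throw new IllegalArgumentException("helpset not allowed: " + path);
        }
        // Scheme, host and port come from configuration, never from the request.
        return BASE.resolve(path).toURL();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample parameter values.
        String[] samples = { "help/app.hs", "/help/../help/admin.hs", "/other/x.hs" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```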