Uploaded image for project: 'Reporting Module'
  1. Reporting Module
  2. REPORT-492

Multiple stored XSS via Dimension Name and Descriptions

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Code Review (Initial)
    • Priority: Could
    • Resolution: Unresolved
    • Affects Version/s: Reporting 0.7.5
    • Fix Version/s: None
    • Component/s: None
    • Complexity:
      Low

      Description

      This XSS reflection security risk was discovered during the January 2013 FlossHack event and credited to Kevin Jacobs:

      Pages:

      • module/reporting/indicators/editCohortDefinitionDimension.form
      • module/reporting/parameters/queryParameter.form
      • module/reporting/indicators/manageDimensions.form (executes previously injected Dimension Name scripts)
      • reporting/indicators/editCohortDefinitionDimension: name and description parameters. XSS

      Expected behavior: Wherever a dimension name is outputted to the screen, it should be escaped (XML-escaped or JS-escaped, as relevant)
      Observed behavior: If you put a <script> tag in the dimension name, the script will be executed on several pages.

      (Surely this same vulnerability exists in other screens in the reporting module, so while doing this ticket, it would be nice to also fix screens related to other reporting definitions. Alternately, look at the screens for other definition types, and create a similar ticket for any vulnerabilities found.)

        Attachments

          Activity

            People

            Assignee:
            isaaclin isaac lin
            Reporter:
            darius Darius Jazayeri
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Dates

              Created:
              Updated:

                Time Tracking

                Estimated:
                Original Estimate - 4 hours
                4h
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 4 hours
                4h