Reporting Module: REPORT-492

Multiple stored XSS via Dimension Name and Descriptions


    Details

    • Type: Bug
    • Status: Code Review (Initial)
    • Priority: Could
    • Resolution: Unresolved
    • Affects Version/s: Reporting 0.7.5
    • Fix Version/s: None
    • Component/s: None
    • Complexity:
      Low

      Description

      This XSS reflection security risk was discovered during the January 2013 FlossHack event and credited to Kevin Jacobs:

      Pages:

      • module/reporting/indicators/editCohortDefinitionDimension.form
      • module/reporting/parameters/queryParameter.form
      • module/reporting/indicators/manageDimensions.form (executes previously injected Dimension Name scripts)
      • reporting/indicators/editCohortDefinitionDimension: name and description parameters (XSS)

      Expected behavior: Wherever a dimension name is output to the screen, it should be escaped (XML-escaped or JS-escaped, as relevant).
      Observed behavior: If you put a <script> tag in the dimension name, the script is executed on several pages.

      (Surely this same vulnerability exists in other screens in the reporting module, so while doing this ticket, it would be nice to also fix screens related to other reporting definitions. Alternately, look at the screens for other definition types, and create a similar ticket for any vulnerabilities found.)
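Added example (not code from the OpenMRS reporting module) showing the two escaping contexts the expected-behavior line distinguishes: the same stored dimension name rendered raw, XML-escaped for an HTML body, and JS-escaped for a script string; the sample name and the `DimensionNameEscaping` class are constructed for illustration.

```java
// Added example, not part of the reporting module: context-aware escaping of a dimension name.
public class DimensionNameEscaping {

    /** Escape for an HTML/XML text or attribute context (what JSTL's <c:out> does). */
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");  break;
                case '>':  out.append("&gt;");  break;
                case '&':  out.append("&amp;"); break;
                case '"':  out.append("&#34;"); break;
                case '\'': out.append("&#39;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Escape for use inside a JavaScript string literal. XML escaping is the wrong
     *  tool here: "&lt;" would be shown literally, while a quote or "</script>" in the
     *  value could still break out of the string or the script block. Every character
     *  other than ASCII letters, digits and space becomes a \\uXXXX escape. */
    static String escapeJs(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c < 128 && Character.isLetterOrDigit(c)) || c == ' ') {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a stored dimension name of the shape the ticket describes.
        String name = "Age <script>alert(1)</script>";
        // Vulnerable: raw interpolation into the page body (manageDimensions-style listing).
        System.out.println("<td>" + name + "</td>");
        // Fixed, HTML body context: the tag is rendered as text, not executed.
        System.out.println("<td>" + escapeXml(name) + "</td>");
        // Fixed, JS string context: no quote or '<' survives to end the string or script.
        System.out.println("<script>var dimensionName = '" + escapeJs(name) + "';</script>");
    }
}
```

Which escaper applies depends on where the name lands in the generated page, so a single "escape everything as XML" pass is not sufficient for values that are written into inline script.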

              People

              Assignee:
              isaaclin isaac lin
              Reporter:
              darius Darius Jazayeri
              Votes:
              0
              Watchers:
              7

                Time Tracking

                Estimated: 4h (original estimate 4 hours)
                Remaining: 0m
                Logged: 4h