Possible XSS attack through label on 404-page
Issue date: 23-03-2018
Affects versions: 12.1, 12.0, 11.2, 10.2
Issue ID: SECURITY-43
Affected Product Version(s)
This vulnerability applies to CMS 10.2.8, CMS 11.2.4, CMS 12.0.3 and CMS 12.1.0 and earlier versions.
Severity
low
Description
The default template for the 404 page (supplied by Essentials) does not apply any HTML escaping when rendering the value of the pagenotfound.text label in the body of the 404 page, because that label, by default, contains an HTML link (<a> tag) to a local Essentials instance.
When used in a real project, the lack of escaping can be exploited as an XSS vulnerability: an authenticated CMS user can modify the pagenotfound.text label to contain JavaScript, which is then run inadvertently by a user with more privileges, or by any delivery-tier user who triggers the 404 page.
Instructions
This vulnerability has been fixed for new projects starting from CMS 12.2 by converting the default pagenotfound.text resource bundle message into plain text and by changing the default 404 page template(s) provided by Essentials (ESSENTIALS-1150) to apply HTML escaping before rendering.
In projects started from earlier CMS versions, the 404 pages initially provided by Essentials might still be vulnerable if they have not already been customized. To fix them, check the following template pages and, where necessary, modify them as shown:
pagenotfound-main.ftl (FreeMarker)
Before:
<@fmt.message key="pagenotfound.text"/><#--Skip XML escaping--></p>
After:
<@fmt.message key="pagenotfound.text" var="text"/>${text?html}</p>
pagenotfound-main.jsp (JSP/JSTL)
Before:
<fmt:message key="pagenotfound.text"/><%--Skip XML escaping--%>
After:
<fmt:message key="pagenotfound.text" var="text"/><c:out value="${text}"/>
In addition, the resource bundle message pagenotfound.text under the path /content/documents/administration/labels/pagenotfound should be modified so that it no longer contains HTML tags. For example, the default value provided by Essentials has been changed to:
The page you requested was not found. - [This text can be edited here: http://localhost:8080/cms/?1&path=/content/documents/administration/labels/pagenotfound]
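As an added audit helper (not part of this advisory or of Essentials), the following Python script classifies a 404 template as vulnerable or fixed based on the Before/After snippets above, checks that the resource bundle label no longer carries HTML tags, and shows what output escaping does to a label value; all template strings and label values below are constructed samples.

```python
import re
from html import escape

# Patterns taken from the advisory's Before/After snippets: the unescaped render of the
# pagenotfound.text label, and the escaped forms (?html in FreeMarker, <c:out> in JSTL).
UNESCAPED_FTL = re.compile(r'<@fmt\.message\s+key="pagenotfound\.text"\s*/>')
UNESCAPED_JSP = re.compile(r'<fmt:message\s+key="pagenotfound\.text"\s*/>')
ESCAPED_FTL = re.compile(r'var="(\w+)"\s*/>\s*\$\{\1\?html\}')
ESCAPED_JSP = re.compile(r'var="(\w+)"\s*/>\s*<c:out\s+value="\$\{\1\}"\s*/>')
HTML_TAG = re.compile(r'<[A-Za-z/!][^>]*>')


def audit_template(path: str, source: str) -> str:
    """Classify a 404 template file as 'vulnerable', 'fixed' or 'unknown'."""
    if path.endswith(".ftl"):
        unescaped, escaped = UNESCAPED_FTL, ESCAPED_FTL
    elif path.endswith(".jsp"):
        unescaped, escaped = UNESCAPED_JSP, ESCAPED_JSP
    else:
        return "unknown"
    if unescaped.search(source):
        return "vulnerable"
    return "fixed" if escaped.search(source) else "unknown"


def label_has_html(label: str) -> bool:
    """True if a resource-bundle label still contains HTML tags (it should be plain text)."""
    return HTML_TAG.search(label) is not None


def render_label(label: str, escape_output: bool) -> str:
    """Approximate the template's output for a label, with or without HTML escaping
    (html.escape is close to FreeMarker's ?html and JSTL's c:out, not byte-identical)."""
    body = escape(label, quote=True) if escape_output else label
    return f"<p>{body}</p>"


# Constructed sample inputs, not taken from a real project.
VULN_FTL = '<p><@fmt.message key="pagenotfound.text"/><#--Skip XML escaping--></p>'
FIXED_FTL = '<p><@fmt.message key="pagenotfound.text" var="text"/>${text?html}</p>'
VULN_JSP = '<p><fmt:message key="pagenotfound.text"/><%--Skip XML escaping--%></p>'
FIXED_JSP = '<p><fmt:message key="pagenotfound.text" var="text"/><c:out value="${text}"/></p>'
OLD_LABEL = 'Page not found. <a href="http://localhost:8080/essentials">Edit</a>'  # constructed
NEW_LABEL = "The page you requested was not found. - [This text can be edited here: ...]"
TAMPERED = "Not found <script>alert(1)</script>"  # constructed label value set by a CMS user

if __name__ == "__main__":
    for path, src in [("pagenotfound-main.ftl", VULN_FTL), ("pagenotfound-main.ftl", FIXED_FTL),
                      ("pagenotfound-main.jsp", VULN_JSP), ("pagenotfound-main.jsp", FIXED_JSP)]:
        print(path, audit_template(path, src))
    print("label still has HTML:", label_has_html(OLD_LABEL), label_has_html(NEW_LABEL))
    print(render_label(TAMPERED, escape_output=True))
```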