Severity: | Important |
Vendor: | The Apache Software Foundation |
Versions Affected: | Jetspeed 2.2.0 to 2.2.2; Jetspeed 2.3.0; the unsupported Jetspeed 2.1.x versions may also be affected |
Mitigation: | 2.2.0 - 2.3.0 users should upgrade to 2.3.1 |
Credit: | This issue was discovered by Andreas Lindh |
References: | http://tomcat.apache.org/security.html |
The Import/Export function in the Portal Site Manager, part of the Jetspeed Administrative Portlets, is vulnerable to path traversal via specially crafted file names in ZIP archives. Any user with permission to upload files via this function can upload a file with a name like "../../../../tmp/foo" to write a file named "foo" in the /tmp directory, because the code that unzips the archive does not validate the entry names before writing them to disk. This can be turned into code execution by uploading a .jsp file and writing it somewhere on the file system where the web server will execute it when visited.
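A check of the kind the advisory says is missing, written as an added example (not Jetspeed's own code): every ZIP entry name is validated before anything is extracted, and the sample archive is constructed inside the block.

```python
# Added example (not Jetspeed's own code): validate ZIP entry names before any
# file is written, so an entry such as "../../../../tmp/foo" is rejected.
import io
import os
import posixpath
import tempfile
import zipfile

def is_safe_entry(name: str) -> bool:
    """True only if the entry name stays inside the extraction root."""
    normalized = name.replace("\\", "/")  # some archivers write "..\\" paths
    # Absolute paths and drive letters never belong in an uploaded archive.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False
    collapsed = posixpath.normpath(normalized)  # folds "a/../../b" into "../b"
    return collapsed != ".." and not collapsed.startswith("../")

def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract the safe entries into dest; return the names that were rejected."""
    root = os.path.realpath(dest)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(info.filename):
                rejected.append(info.filename)
                continue
            # Second check on the resolved path, in case an odd name slips by.
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                rejected.append(info.filename)
                continue
            zf.extract(info, root)
    return rejected

def build_sample_archive() -> bytes:
    """Constructed sample: one benign site entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("site/default-page.psml", "<page/>")
        zf.writestr("../../../../tmp/foo", "placeholder content")
    return buf.getvalue()

def demo() -> list:
    """Extract the sample into a scratch directory; return the rejected names."""
    return safe_extract(build_sample_archive(), tempfile.mkdtemp())
```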
Severity: | Important |
Vendor: | The Apache Software Foundation |
Versions Affected: | Jetspeed 2.3.0 |
Mitigation: | 2.3.0 users should upgrade to 2.3.1 |
Credit: | This issue was discovered by Andreas Lindh |
References: | http://tomcat.apache.org/security.html |
The Jetspeed User Manager service, part of the Jetspeed Administrative Portlets, is vulnerable to SQL injection. When performing a search in these tools, the 'user' and 'role' parameters of the request can be injected to alter the logic of the subsequent SQL statement.
There is also an authorization flaw at play here, since these service URLs can be reached without being authenticated in Jetspeed.
Given this URL:
http://192.168.2.4:8080/jetspeed/services/usermanager/users/?_type=json&results=10&start=0&sort=userName&dir=asc&name=&roles=foo%27%20
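An added illustration (not Jetspeed's own code) of what a bound parameter changes for the 'role' value in the URL above; the table and its rows are constructed inside the block.

```python
# Added example (not Jetspeed's own code): the role search written with a bound
# parameter, so a value like "foo' " (the decoded roles=foo%27%20 above) is
# matched literally instead of reaching the SQL parser. Uses a constructed
# in-memory SQLite table.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny user-to-role table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE user_role (user_name TEXT, role_name TEXT);"
        "INSERT INTO user_role VALUES ('admin', 'admin'), ('andreas', 'user'),"
        " ('guest', 'guest');"
    )
    return conn

def search_users_unsafe(conn, role: str) -> list:
    """String concatenation: the shape of code behind an injectable parameter."""
    sql = "SELECT user_name FROM user_role WHERE role_name = '" + role + "'"
    return [row[0] for row in conn.execute(sql)]

def search_users_safe(conn, role: str) -> list:
    """Bound parameter: the statement text is fixed, the value is data only."""
    sql = "SELECT user_name FROM user_role WHERE role_name = ?"
    return [row[0] for row in conn.execute(sql, (role,))]

def compare(role: str) -> dict:
    """Run both variants on the same input and report what each did."""
    conn = make_db()
    result = {"safe": search_users_safe(conn, role)}
    try:
        result["unsafe"] = search_users_unsafe(conn, role)
    except sqlite3.OperationalError as exc:
        # The quote in the input broke the statement: that is the injection point.
        result["unsafe"] = "error: " + str(exc)
    return result
```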
Severity: | Important |
Vendor: | The Apache Software Foundation |
Versions Affected: | Jetspeed 2.2.0 to 2.2.2; Jetspeed 2.3.0; the unsupported Jetspeed 2.1.x versions may also be affected |
Mitigation: | 2.2.0 - 2.3.0 users should upgrade to 2.3.1 |
Credit: | This issue was discovered by Andreas Lindh |
References: | http://tomcat.apache.org/security.html |
The functionality to add a link, page, or folder is vulnerable to persistent Cross Site Scripting, because HTML tags can be included in the object's name, as in the example below, where a page object is renamed after creation.
Given this AJAX request:
POST /jetspeed/services/pagemanagement/info/.psml/_user/andreas/foobar.psml?_type=json HTTP/1.1
Host: 192.168.2.4:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.2.4:8080/jetspeed/ui/_user/andreas/foobar.psml
Content-Length: 60
Cookie: JSESSIONID=F95E2034A086BE172EF816FF2C853BE9; JS2TOOLBOX=TAB=theme&CAT=Administration
Connection: close

title=foobar</a></li><script>alert(document.domain)</script>
Which results in the following content in the server response:
<meta http-equiv="content-type" content="text/html; charset=UTF-8"/> <title>foobar</a></li><script>alert(document.domain)</script></title>
Note that this code will be executed every time someone visits that space.
Severity: | Important |
Vendor: | The Apache Software Foundation |
Versions Affected: | Jetspeed 2.2.0 to 2.2.2; Jetspeed 2.3.0; the unsupported Jetspeed 2.1.x versions may also be affected |
Mitigation: | 2.2.0 - 2.3.0 users should upgrade to 2.3.1 |
Credit: | This issue was discovered by Andreas Lindh |
References: | http://tomcat.apache.org/security.html |
The URI path segment after /portal is vulnerable to reflected Cross Site Scripting. When the following URL is visited, a JavaScript pop-up appears once the mouse is moved over the minimize/maximize buttons (the exact buttons may differ between UI versions). Note that this issue was only reproduced in the Firefox browser.
Given this URL:
http://192.168.2.9:8080/jetspeed/portal/foo%22onmouseover%3d%22alert%281%29?URL=foo/bar
The HTML response then contains the injected event handler:
<a href="http://192.168.2.4:8080/jetspeed/portal/_ns:..._/foo"onmouseover="alert(1)" title="Minimize" class="action portlet-action" ><img src="/jetspeed/decorations/images/minimized.gif" alt="Minimize" border="0"/></a>
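Output encoding for both sinks described in the two advisories above (the persistent case in the page title and the reflected case in the href attribute), as an added example that is not Jetspeed's own code; the rendering functions and their markup are simplified assumptions, and the audit parser only reports what elements and on* attributes a fragment produces.

```python
# Added example (not Jetspeed's own code): output encoding for the two sinks in
# the advisories above, a page title rendered as element text and a /portal
# path segment rendered inside an href attribute, plus a small parser-based
# audit that shows neither rendering yields extra elements or on* handlers.
import html
from html.parser import HTMLParser
from urllib.parse import quote

def render_title(title: str) -> str:
    """Element-text context: HTML-escape before inserting into <title>."""
    return "<title>" + html.escape(title, quote=True) + "</title>"

def render_action_link(path_segment: str, label: str) -> str:
    """Attribute context: percent-encode the URL segment, then HTML-escape."""
    # quote(safe="") turns the '"' that closed the attribute into %22.
    href = "/jetspeed/portal/" + quote(path_segment, safe="")
    return ('<a href="' + html.escape(href, quote=True) + '" title="'
            + html.escape(label, quote=True) + '">' + html.escape(label) + "</a>")

class SinkAudit(HTMLParser):
    """Records element names and any on* event-handler attributes seen."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [k for k, _ in attrs if k.startswith("on")]

def audit(fragment: str) -> dict:
    """Parse a rendered fragment and report what a browser would see."""
    parser = SinkAudit()
    parser.feed(fragment)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers}
```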
Severity: | Important |
Vendor: | The Apache Software Foundation |
Versions Affected: | Jetspeed 2.3.0 |
Mitigation: | 2.3.0 users should upgrade to 2.3.1 |
Credit: | This issue was discovered by Andreas Lindh |
References: | http://tomcat.apache.org/security.html |
The Jetspeed User Manager services are vulnerable to unauthorized access. The following APIs are not restricted by Jetspeed Security:
GET http://host/jetspeed/services/usermanager/users/
GET http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/
DELETE http://host/jetspeed/services/usermanager/users/{name}/
In the upcoming 2.3.1 release, these URLs are properly secured by Jetspeed Security, requiring Administrative rights.
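An added example (not Jetspeed's own code) for reviewing the access logs of a pre-2.3.1 instance for calls to the endpoints listed above; it assumes Tomcat's common access log format and uses constructed sample lines with made-up hosts and timestamps.

```python
# Added example (not Jetspeed's own code): scan Tomcat-style access log lines
# (the "%h %l %u %t \"%r\" %s %b" format is assumed) for calls to the User
# Manager endpoints listed above, so use of these APIs on a pre-2.3.1 instance
# can be reviewed. The sample lines are constructed; hosts and times are made up.
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PREFIX = "/jetspeed/services/usermanager/users/"
# (method, targets a single user?) -> what the call does.
OPERATIONS = {
    ("GET", False): "list users", ("GET", True): "read user",
    ("POST", False): "create user", ("POST", True): "update user",
    ("DELETE", True): "delete user",
}

def classify(method: str, target: str):
    """Return (operation, user name) for a User Manager call, else None."""
    path = urlsplit(target).path  # drop ?_type=json and similar
    if not path.startswith(PREFIX):
        return None
    name = path[len(PREFIX):].strip("/")
    return (OPERATIONS.get((method, bool(name)), "other"), name or None)

def scan(lines) -> list:
    """Parse each line and collect the User Manager calls it records."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        found = classify(m["method"], m["target"]) if m else None
        if found is None:
            continue  # unparseable or unrelated request
        status = int(m["status"])
        hits.append({"host": m["host"], "time": m["time"], "op": found[0],
                     "user": found[1], "status": status,
                     "succeeded": 200 <= status < 300})
    return hits

SAMPLE_LOG = [  # constructed lines
    '192.0.2.10 - - [01/Jan/2016:10:15:32 +0100] "GET /jetspeed/services/usermanager/users/?_type=json&results=10 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2016:10:15:40 +0100] "DELETE /jetspeed/services/usermanager/users/admin/ HTTP/1.1" 200 12',
    '192.0.2.11 - - [01/Jan/2016:10:16:01 +0100] "GET /jetspeed/portal/default-page.psml HTTP/1.1" 200 8192',
    '192.0.2.10 - - [01/Jan/2016:10:16:20 +0100] "POST /jetspeed/services/usermanager/users/ HTTP/1.1" 201 0',
]
```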