In XSSValve, which is enabled to mitigate cross-site scripting attacks [1], verification is done against the patterns configured in xss-patterns.properties [2]. Since one of the patterns is "alert(.*?)", this case fails: validation fails for every action that contains the word alert.
In the /repository/conf/security/xss-patterns.properties file, a pattern is defined as pattern14=alert(.?)*.
Replace it with the following pattern:
pattern14=alert\((.*?)\)
The above change fixes the XSS issue which AAA life is facing when they have enabled the XSS configuration.
To enable the XSS configuration, do the following in the carbon.xml file.
1. Add the following value under the tag of the configuration under the section.
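As an added illustration (not code from this issue or from the WSO2 valve), the check below loads the shipped and the corrected pattern14 from constructed properties-style text and shows which request values each version would reject. It assumes the valve searches each value for the pattern anywhere in the string; Python's re treats these two patterns exactly as java.util.regex does.

```python
import re

# Constructed snippets in the style of xss-patterns.properties (not the real file):
# the shipped pattern14 with unescaped parentheses, and the corrected one from the fix.
ORIGINAL_PROPERTIES = r"""
# shipped: the parentheses form a regex group, so this matches any "alert"
pattern14=alert(.?)*
"""
FIXED_PROPERTIES = r"""
# fixed: the parentheses are escaped, so a literal call like alert(...) is required
pattern14=alert\((.*?)\)
"""


def load_patterns(properties_text):
    """Parse key=regex lines (blanks and '#'/'!' comments skipped) into compiled regexes."""
    patterns = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        patterns[key.strip()] = re.compile(value.strip())
    return patterns


def blocked_by(patterns, value):
    """Names of the patterns that would reject this request value (search anywhere, assumed)."""
    return [name for name, rx in patterns.items() if rx.search(value)]


def compare(values):
    """For each value: (patterns rejecting it before the fix, patterns rejecting it after)."""
    original = load_patterns(ORIGINAL_PROPERTIES)
    fixed = load_patterns(FIXED_PROPERTIES)
    return {v: (blocked_by(original, v), blocked_by(fixed, v)) for v in values}


if __name__ == "__main__":
    # Constructed sample values: a harmless field that merely contains the word,
    # the classic probe the pattern is meant to catch, and the action from the issue.
    for value, (before, after) in compare(["alertsEnabled", "alert(1)", "commonauth"]).items():
        print(f"{value!r}: before={before} after={after}")
```

Only the harmless value changes outcome: the original rule rejects it as a false positive, the corrected rule still rejects the real alert(...) call and passes everything else.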
commonauth
After the modification, the configuration will be as follows.
true
allow
commonauth
2. Add the following configuration within the element of the /repository/conf/tomcat/catalina-server.xml file.
[1] https://docs.wso2.com/display/ADMIN44x/Mitigating+Cross+Site+Scripting+Attacks
[2] https://github.com/wso2-support/carbon4-kernel/blob/support-4.4.35/core/org.wso2.carbon.ui/src/main/java/org/wso2/carbon/ui/valve/XSSValve.java#L107