XSS vulnerability #148

@VimukthiPerera

Description

In XSSValve, which is enabled to mitigate cross-site scripting attacks [1], verification is done against the patterns configured in xss-patterns.properties [2]. Since there is a pattern "alert(.*?)", this case fails: validation will fail for all actions that have the word alert.

[1] https://docs.wso2.com/display/ADMIN44x/Mitigating+Cross+Site+Scripting+Attacks
[2] https://github.com/wso2-support/carbon4-kernel/blob/support-4.4.35/core/org.wso2.carbon.ui/src/main/java/org/wso2/carbon/ui/valve/XSSValve.java#L107

Fix

In the /repository/conf/security/xss-patterns.properties file, there is a pattern defined as pattern14=alert(.?)*.

Replace it with the following pattern:

pattern14=alert\((.*?)\)
The above change will fix the XSS issue that AAA life is facing when the XSS configuration is enabled.
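As an added example (not code from the issue or from the Carbon project), the following Python script loads a constructed properties excerpt containing the reported pattern14 beside the corrected one and runs a valve-style substring check over sample request values. XSSValve itself is Java, but the point being demonstrated, that unescaped parentheses in the original entry form a regex group so the expression matches the bare word "alert" anywhere, holds identically in java.util.regex and Python's re. The key names, the properties excerpt, the sample values and the absence of regex flags are all assumptions of this example; the real valve's compile flags are not stated in the issue.

```python
import re

# Constructed excerpt of an xss-patterns.properties file (not the file shipped
# with Carbon). Backslashes are doubled so the text holds "alert\((.*?)\)".
PATTERNS_PROPERTIES = """
# pattern14 as reported: "(" and ")" are regex metacharacters, so "(.?)*" is an
# optional group repeated zero or more times and the entry matches plain "alert".
pattern14_before=alert(.?)*
# pattern14 after the fix: escaped parentheses match literal call syntax only.
pattern14_after=alert\\((.*?)\\)
"""


def load_patterns(text):
    """Parse key=value lines of a properties-style file into compiled regexes.

    Blank lines and '#' comments are skipped. No flags are applied; the real
    valve's flags are not given in the issue, so none are assumed here.
    """
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        patterns[key.strip()] = re.compile(value.strip())
    return patterns


def is_blocked(value, pattern):
    """Valve-style check: any substring match anywhere in the value rejects it."""
    return pattern.search(value) is not None


def compare(value, patterns=None):
    """Return (blocked_before_fix, blocked_after_fix) for one request value."""
    patterns = patterns or load_patterns(PATTERNS_PROPERTIES)
    return (
        is_blocked(value, patterns["pattern14_before"]),
        is_blocked(value, patterns["pattern14_after"]),
    )


if __name__ == "__main__":
    # Constructed sample values: a benign action name containing "alert", a
    # benign value without it, and a value carrying an actual script call.
    for sample in ["viewalertHistory", "commonauth", "<script>alert(1)</script>"]:
        before, after = compare(sample)
        print(f"{sample!r:32} before={before!s:5} after={after!s:5}")
```

The benign action name is rejected only by the original entry, while the value containing a real `alert(...)` call is rejected by both, which is exactly the false positive the issue describes. A pattern list of this kind is a defence-in-depth filter rather than the primary control; contextual output encoding in the rendering layer remains the measure that actually prevents injection, and each entry in the list is worth reviewing for stray metacharacters in the same way.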

To enable the XSS configuration, do the following in the carbon.xml file.

  1. Add the following value under the tag of the configuration under the section.
     commonauth
     After the modification, the configuration will be as follows.
     true allow commonauth
  2. Add the following configuration within the element of the /repository/conf/tomcat/catalina-server.xml file.
