fixing JForum XSS error in PM module with quotes

A member reported an XSS vulnerability in stock JForum 2.1.9. We confirmed it was a vulnerability/exposure on CodeRanch as well and fixed our fork. Luckily, it was an easy fix, unlike the CSRF problems last year.

In addition to saying how to fix the issue in this post, I’m going to outline some of the other techniques JForum uses to defeat XSS. For the actual (two-character) fix, scroll down to “The fix.”

What is XSS?

XSS (Cross-site scripting) is a security attack. OWASP describes it well on their XSS page. In brief, XSS injects code into a web page that runs on the target computer. The injected script code can do anything that the web page can do. Which means it can use JavaScript to steal your cookies, mount other attacks, etc. Scary stuff!

  • Reflected XSS – A reflected XSS attack targets specific users but is not stored in the database of the server with the issue. You might see a reflected XSS attack if you click on a link that takes you to the page. Others going to the page normally wouldn’t see the issue.
  • Persistent XSS – A persistent XSS attack gets the attack code stored in the database of the server with the issue. It could still target a specific user (as in the case of the private message issue reported here). Or it could target all users – even non-logged-in users – if the same attack was made in a post instead of a private message. I was able to reproduce this problem in posts as well.

Both types of XSS attack are bad and it is up to the website to prevent them. So how does JForum 2.1.X protect against XSS attacks?

Approach #1 – Use Freemarker HTML escape sequence

JForum uses Freemarker as the view technology. Freemarker allows you to specify that all HTML should be escaped. This means attacks that rely on outputting HTML characters like < (tags) or " (attributes) will be prevented. Instead, the raw characters are output as &lt; and &quot;, which the browser will not run. As an example of this technique, the code writes:


${post.subject?default("")?html}

Approach #2 – Escape characters in Java

Approach #1 is very powerful, but it has a limitation. Forum posts typically contain HTML code. For example, you write code in a special format, bold posts, etc. JForum uses Java code to do a search and replace on the special characters in the text before adding the HTML formatting. Since the Freemarker view has to be able to render the HTML formatting, it can’t use approach #1. See an example of just one of these transformations:

ViewCommon.replaceAll(text, "<", "&lt;");

This approach is not foolproof because it relies on a blacklist of “not allowed” characters, and hackers are creative. But it is really hard to come up with a whitelist of allowed characters in forum posts. And worse, the characters used in attacks are ones that are used in normal writing.

Approach #3 – Limit raw HTML

While JForum does allow HTML in posts, it only allows a limited set of tags and attributes. This one does use a whitelist with code like:

private static Set<String> welcomeTags;
private static Set<String> welcomeAttributes;
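To show what a tag-and-attribute whitelist of the kind approach #3 describes looks like in working code, here is an added example. It is not JForum’s own filter: the allowed sets, the scheme check on href, and the sample input are constructed for this example, and the output of filter() for that input is shown in the comment in main.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not JForum's own code: a minimal whitelist filter. Tags not in
// WELCOME_TAGS are neutralised (rendered as text), attributes not in
// WELCOME_ATTRIBUTES are dropped. Both sets are constructed for this example.
public class TagWhitelistDemo {

    static final Set<String> WELCOME_TAGS =
            new HashSet<>(Arrays.asList("b", "i", "u", "code", "a"));
    static final Set<String> WELCOME_ATTRIBUTES =
            new HashSet<>(Arrays.asList("href"));

    // One tag: optional '/', the tag name, then everything up to '>'.
    static final Pattern TAG = Pattern.compile("<(/?)([a-zA-Z0-9]+)([^>]*)>");
    // One attribute: name, '=', a double- or single-quoted value.
    static final Pattern ATTR =
            Pattern.compile("([a-zA-Z-]+)\\s*=\\s*(\"[^\"]*\"|'[^']*')");

    // A whitelisted attribute name is not enough on its own: the value of href
    // also needs a check, otherwise a non-http scheme could slip through.
    static boolean safeHref(String quotedValue) {
        String value = quotedValue.substring(1, quotedValue.length() - 1).trim().toLowerCase();
        return value.startsWith("http://") || value.startsWith("https://");
    }

    static String filter(String html) {
        Matcher m = TAG.matcher(html);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String slash = m.group(1);
            String name = m.group(2).toLowerCase();
            String rest = m.group(3);
            String replacement;
            if (!WELCOME_TAGS.contains(name)) {
                // Unknown tag: keep the text but make sure it is no longer markup.
                replacement = "&lt;" + slash + m.group(2)
                        + rest.replace("<", "&lt;") + "&gt;";
            } else {
                StringBuilder kept = new StringBuilder("<").append(slash).append(name);
                if (slash.isEmpty()) {
                    Matcher a = ATTR.matcher(rest);
                    while (a.find()) {
                        String attrName = a.group(1).toLowerCase();
                        String attrValue = a.group(2);
                        if (!WELCOME_ATTRIBUTES.contains(attrName)) {
                            continue; // e.g. onclick, style: dropped
                        }
                        if (attrName.equals("href") && !safeHref(attrValue)) {
                            continue; // whitelisted name, unacceptable value
                        }
                        kept.append(' ').append(attrName).append('=').append(attrValue);
                    }
                }
                kept.append('>');
                replacement = kept.toString();
            }
            // quoteReplacement keeps '$' and '\' in user text from being
            // interpreted as group references.
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample post mixing allowed and disallowed markup.
        String post = "<b>ok</b> <script>x</script> "
                + "<a href=\"http://example.com\" onclick=\"y\">link</a>";
        // Prints: <b>ok</b> &lt;script&gt;x&lt;/script&gt; <a href="http://example.com">link</a>
        System.out.println(filter(post));
    }
}
```

The point of the example is the direction of the decision: anything not explicitly on the list is treated as plain text, so a tag or attribute the filter author never thought of is harmless by default, which is the property the blacklist of approach #2 cannot give.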

Approach #4 – Use BB code instead of HTML

The forum also allows use of BB (bulletin board) codes. This lets you write [b] instead of <b>. If the user isn’t entering HTML, the chance of a problem is lower.

The actual problem here

The XSS vulnerability reported was caused by the interaction between approach #2 and approach #4.

Approach #2 guarantees double quotes are safe with


ViewCommon.replaceAll(tmp, "\"", "&quot;");

Approach #4 contains the following BB mapping code in bb_config.xml:

<!-- COLOR -->
<match name="color" removeQuotes="true">
<regex>(?s)(?i)\[color=['"]?(.*?[^'"])['"]?\](.*?)\[/color\]</regex>
<replace>
<![CDATA[
<font color='$1'>$2</font>
]]>
</replace>
</match>

This is a problem because the replace uses single quotes instead of double quotes. The system doesn’t escape single quotes, so a single quote in the color value closes the attribute, allowing all manner of code to be injected in the color attribute.

The fix

Luckily, there is an easy fix. Just change this one line in bb_config.xml to:


<font color="$1">$2</font>

I’ve tested and this does in fact solve the problem.
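To make the interaction described under “The actual problem here” and the effect of “The fix” concrete, here is an added example that is not JForum’s own code. It runs the escaping pass of approach #2 and then the [color] rule of approach #4 (the regex is copied from the bb_config.xml fragment above), once with the shipped single-quoted template and once with the double-quoted one. The escape list is a simplified stand-in for the ViewCommon.replaceAll calls, the countFontAttributes() check is my own, and the sample posts are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not JForum's own code. Models the two steps whose interaction
// caused the reported bug: escaping (approach #2) followed by BB-code
// expansion (approach #4). Templates, escape list and inputs are constructed.
public class ColorBbCodeDemo {

    // Regex copied from the bb_config.xml fragment; java.util.regex accepts the
    // inline (?s)(?i) flags exactly as the XML file uses them.
    static final Pattern COLOR = Pattern.compile(
            "(?s)(?i)\\[color=['\"]?(.*?[^'\"])['\"]?\\](.*?)\\[/color\\]");

    // Replacement template as shipped (single-quoted attribute).
    static final String VULNERABLE_TEMPLATE = "<font color='$1'>$2</font>";

    // Replacement template after the two-character fix (double-quoted attribute).
    static final String FIXED_TEMPLATE = "<font color=\"$1\">$2</font>";

    // Stand-in for the ViewCommon.replaceAll calls of approach #2. The single
    // quote is deliberately absent, matching the behaviour the post describes.
    static String escapeLikeJForum(String text) {
        return text.replace("<", "&lt;")
                   .replace(">", "&gt;")
                   .replace("\"", "&quot;");
    }

    // Escape first, then expand BB code, in the order the post describes.
    static String render(String post, String template) {
        String escaped = escapeLikeJForum(post);
        return COLOR.matcher(escaped).replaceAll(template);
    }

    // Defender-side check: count the attributes on the generated <font> tag.
    // A colour value should only ever yield one attribute; more than one means
    // the value broke out of its attribute boundary.
    static final Pattern FONT_TAG = Pattern.compile("<font\\s+([^>]*)>");
    static final Pattern ATTRIBUTE = Pattern.compile("(\\w+)=(\"[^\"]*\"|'[^']*')");

    static int countFontAttributes(String html) {
        Matcher tag = FONT_TAG.matcher(html);
        if (!tag.find()) {
            return 0;
        }
        Matcher attr = ATTRIBUTE.matcher(tag.group(1));
        int count = 0;
        while (attr.find()) {
            count++;
        }
        return count;
    }

    public static void main(String[] args) {
        // Constructed input: a colour value carrying a single quote, which the
        // escaping pass leaves untouched.
        String post = "[color=red' title='injected]hello[/color]";

        String vulnerable = render(post, VULNERABLE_TEMPLATE);
        String fixed = render(post, FIXED_TEMPLATE);

        // <font color='red' title='injected'>hello</font>  attributes=2
        System.out.println(vulnerable + "  attributes=" + countFontAttributes(vulnerable));
        // <font color="red' title='injected">hello</font>  attributes=1
        System.out.println(fixed + "  attributes=" + countFontAttributes(fixed));

        // A double quote in the value is turned into &quot; by the escaping pass,
        // so the double-quoted template has no unescaped delimiter left to close it.
        String withDoubleQuote = "[color=red\" title=\"injected]hello[/color]";
        // <font color="red&quot; title=&quot;injected">hello</font>  attributes=1
        System.out.println(render(withDoubleQuote, FIXED_TEMPLATE)
                + "  attributes=" + countFontAttributes(render(withDoubleQuote, FIXED_TEMPLATE)));
    }
}
```

The fix works because it aligns the attribute delimiter with the one character the escaping pass actually neutralises. It leaves the single quote unescaped everywhere else, so any other template or hand-written HTML that single-quotes an attribute has the same exposure; the OWASP cheat sheet referenced below recommends escaping the single quote as well (as &#x27;) for exactly this reason.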

For more learning about XSS

If you want to learn more about XSS, I recommend reading the OWASP cheat sheet. In particular, notice that you need to escape the code differently depending on whether you are looking at HTML or JavaScript injection. In our case, it was HTML injection because the injection was occurring in a textual HTML attribute. If it were in a <script> tag or a JavaScript event handler, we’d need to call a JavaScript encoding library. Also, you can learn about DOM-based XSS attacks.

the art of being matrix managed (as a developer)

I was talking to someone about my experiences about being on multiple teams today and thought it would make for a good blog post. Note I said BEING on multiple teams. I did a bit of searching before writing this up and found most articles are from a manager’s point of view. This post is from a developer’s point of view.

My Background

I’ve spent the vast majority of my career to date on multiple teams simultaneously.  And I’ve had five different primary supervisors during that time (12 years). These situations have included:

  • 10-25% on one team and (most of) the rest on another
  • 40%-60% on one team and (most of) the rest on another
  • 95% on a short term project and 5% on my “primary” project
  • 5-10% on various small, short term projects

I’m going to focus on the first three scenarios as those are the most challenging to be an employee on. Small, short term projects tend to have more flexibility.

Now let’s look at what you should know if you have more than one boss.

Your primary manager doesn’t know what you do

Well, not really. Your primary manager, also known as your supervisor, knows SOME of what you do. He probably knows what you do on his project. And he probably knows the goals of your matrixed project. But not what you do from week to week.

I remember my first or second performance appraisal. My manager asked me what I did on my matrixed project. I was recently out of college and floored that the person I reported to didn’t know what I did. He said something I still remember. “As long as T isn’t complaining about you, I’m happy.” He was right. Obviously, this advice only applies if you are doing a good job. If I was causing problems, T would have told my manager and he’d have known way more about what I was doing.

This means that you need to bring up the topic yourself. Tell your manager what it is you do. Write a paragraph before appraisal time as a reminder. Don’t just hope your manager reads minds or that the matrix manager shared what you think is important.

You manage your time

I’m very good at time management. If you aren’t, you are going to have to deal with it in a matrixed situation. This means you get to decide how to best divide your time. It depends on your tasks, deadlines and how you like to work. I would often batch my time. I may have only been on a project 10% of the time, but I used that as two 1.5-2 hour blocks and got a lot done in that time. If you work this way, communicate it so you don’t appear randomly unavailable.

Managing your own time is also nice because you get to choose the balance. If you are tired or frustrated with one thing, you switch to the other. This helped me with managing stress when I didn’t like one task.

It does come with the trade off of needing to be organized. You are the only one who has a full list of everything on your plate along with the priorities and due dates.

You are responsible for bringing up conflicting objectives/too much work/etc

Both/all of your managers know what work they gave you* and when they want it done. And they know that part of your time belongs to someone else.

*Well, maybe – it is easy to give someone you trust work and then forget about it. You know that type of person. Well, I gave it to C so I can consider it done. And by considering it done, I have forgotten about it. Remind your boss if you get conflicting objectives.

Adding a second manager to the equation increases the chance of this happening. When it does, you have a few options:

  1. Trading time. “Normally, I’m 25% on this project. This week I can work 40% to get us past this deadline and then next week, I’ll only be available 10%. Does that work for you?” I’ve done A LOT of this over the years. It works really well for a production problem or short term deadline. As long as you don’t miss deadlines on your other project, you don’t even have to get permission from the manager you are borrowing time from. You must pay it back for this to work. If you get a reputation for missing deadlines, this trust is gone and you no longer have the flexibility. It wasn’t a secret that I was doing this – I did it in both directions. I just didn’t ask the manager loaning time each and every instance of borrowing.
  2. Ask what the priority is within the amount of time you are assigned to that manager. And I know what you are thinking – the manager will just say everything is a priority. Push back when this happens. Insist on an answer. Give an example: “since everything is the same priority, I can just pick randomly what doesn’t get done, right?” Of course not! It’s a great way to start a conversation. Then insist more on an answer. Seriously – as long as you are insisting nicely, it should be ok. Even if your manager gets a little annoyed about the discussion, it is worth it. Because the alternative is your manager being a lot annoyed that the decision you made on your own wasn’t the one he/she wanted.
  3. Ask to temporarily change your distribution of time to each project. This is different than #1 as it requires you to talk to both managers. This is not borrowing time. It is one manager (possibly grudgingly) agreeing to give up some of the time they had you to the other manager. It works if you need to be on the other project more to meet a priority that is important to both managers (or their common boss). If both of the people you are matrixed to are in the same chain of command, this approach is more likely to work.

Notice how long these three points are. This is really important. In all fairness, it is important when you are on only one team too. But it becomes exponentially more important when you have more information about what you are doing than the person you report to.

Meetings

I found meeting “conflicts” to be harder to deal with than too much work/conflicting priorities. I think that was because I had less control over them. And because it was easier to make someone unhappy. And because it becomes a game of 20 questions to find out the information you need to know what to do.

I used a loose set of “rules” to determine what happened when I got the meeting conflicts:

  1. If the meeting was scheduled by someone important go to that (figure out how your company defines the word “important”)
  2. If both meetings were with someone of roughly equal importance (and are important enough that you can’t say no), ask what to do. Ideally ask your manager. I already agreed to meet with X about bunnies at 3pm and now Y wants to meet then about birds. What should I do?
  3. See if someone can represent you at one of the meetings.
  4. See if you can skip one of the meetings. Do you really need to go to that status meeting?
  5. See if you can reschedule one of the meetings. Maybe you can meet with your two teammates later?
  6. Tell the person who scheduled the meeting second that you have a conflict and propose a new time.
  7. Ask what to do if you aren’t sure. I didn’t have to fall back to this one often, but it was helpful when I did.

“Urgent” priorities

These are fun. Notice how “urgent” is in quotes. This is because not everything is urgent that is called urgent. Even urgent things have to be prioritized. Let’s look at a few levels of urgent:

  1. “The sky is falling and your company will be in the newspaper if you don’t deal with this right now.” – This is the easiest one. You tell the manager without the emergency that you are working on Project A’s problem and have to drop everything for it. If the problem is urgent enough to make the news, your other manager will understand with just one sentence emailed/instant messaged/texted.
  2. You agree it is urgent and more important than anything else you are doing. – Again easy. Tell the other manager what you are doing and when you expect to be available again. It might be a range. “I’ll be available in a few hours.” Or it might be “I don’t know how long this will take, but I’ll give you an update tomorrow.”
  3. It isn’t really urgent, but it will take a short time so it isn’t worth arguing about it. – A task of an hour or less often falls in this category. If it doesn’t conflict with something else you have committed to, just do it.
  4. It isn’t really urgent and doing it would prevent you from completing some other work, attending a meeting you need to attend, etc – Tell the requestor something like “I’m working on X right now and can work on your task right after this. Can it wait?” or suggest alternatives “I’m working on X right now; maybe S can do it if you need it right away”.  I was surprised how many times a direct question turned something “urgent” into something that wasn’t.
  5. If you aren’t sure, ask. – Really. “Urgent” doesn’t always mean right away. Sometimes you can provide the answer to an “urgent” question a couple hours later. But you won’t know unless you ask. And your manager won’t know you had something else important from the other manager unless you bring it up.

If all else fails

While you are learning how to work with your two bosses, some general tips:

  1. Ask your primary boss (the one who writes your performance appraisal) what to do.
  2. Get both your managers together (in person or over email) and bring up the issue.
  3. Communicate like crazy. Getting everyone to have the same expectation is critical.
  4. Know when you will be busy on each project and plan accordingly.
  5. Repeat. You know you told your manager something. He/she is busy. Just because you said you have a meeting every Wednesday at noon doesn’t mean your manager remembers that. And just because he schedules a meeting on Wednesday at noon doesn’t mean you can’t suggest it be another time. One manager scheduled a weekly status meeting during the slot our company uses for its Toastmasters chapter (a public speaking club). I looked at everyone’s calendar, found another time we were all free and asked my manager if we could meet then. He said yes.


Remember the advantages

Your company trusts you to work in a matrixed managed style. This is good. It is more work on your part, but it is also rewarding. You get to experience multiple styles. And you get to advocate different points of view on your “other” project. After all, who knows more about your primary project than you?