During our security analysis we have found that the POST and GET HTTP methods are interoperable for the DHtmlUpdateServlet; it's the same for other servlets too.
This vulnerability can facilitate exploitation of CSRF (Cross Site Request Forgery) or XSS (Cross Site Scripting) attacks on the web-site. Moreover, it can lead to a confidentiality problem because you can find parameters in the browser history or in the server’s logs.
Is there any security report which confirms the protection against it?
Currently we are using version 9.6.0.2.
GET contains the actual code: https://github.com/zkoss/zk/blob/master/zk/src/org/zkoss/zk/au/http/DHtmlUpdateServlet.java#L393
POST is routed to GET because they are expected to do the same thing (expected for most traffic): https://github.com/zkoss/zk/blob/master/zk/src/org/zkoss/zk/au/http/DHtmlUpdateServlet.java#L457
This URL is not reached by user actions, only by automated Client-Engine /zkau requests and responses.
The distinction between POST and GET mostly matters when sending forms as "action"; this is not the case with /zkau (the URL used by the DhtmlUpdateServlet). Instead, the servlet only receives Ajax calls with a payload (not GET params or form content), which means that such requests don't show up in the browser history, and their content is also not visible by inspecting the URL.
Additionally, the payload is encrypted when using SSL (https), which prevents MitM attacks: the request body cannot be read without the proper certificate exchange.
The DhtmlUpdateServlet doesn't serve pages. It receives client-side events and updates, and returns server-to-client updates and commands.
The other relevant servlet would be DhtmlLayoutServlet, which is in charge of receiving page requests, but the comments are mostly the same:
ZK doesn't rely on form action, so the distinction between post and get is mostly meaningless.
Servlet output is expected to be the same for POST and GET.
As a result, this was reported a few times, but never considered to be a security risk in a ZK application.
This said, ZK is pretty flexible, and if you need to modify how the servlets act, you can absolutely extend the default servlets, modify doPost and doGet, and register your extended servlets in web.xml instead of the default layout and update servlets respectively.
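The extension route described in the answer above, as an added example that is not part of the original thread or of the ZK project: a subclass of DHtmlUpdateServlet that keeps POST (the path the client engine actually uses) and GET for the engine's static resources, but answers any other GET with 405 so an AU request cannot be issued as a plain URL. It assumes that the parent's doPost delegates to doGet (as the linked source shows), that resource requests arrive under the `/web` path prefix below `/zkau`, and that the servlet is registered under the conventional `auEngine` name in web.xml; the package and class names are hypothetical.

```java
package com.example.zk; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.zkoss.zk.au.http.DHtmlUpdateServlet;

/**
 * Hypothetical subclass of the ZK update engine that enforces the HTTP
 * method distinction the default servlet deliberately ignores.
 *
 * Registration in web.xml replaces the default class in the usual mapping
 * (servlet name and URL pattern follow the standard ZK setup):
 *
 *   <servlet>
 *     <servlet-name>auEngine</servlet-name>
 *     <servlet-class>com.example.zk.StrictUpdateServlet</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>auEngine</servlet-name>
 *     <url-pattern>/zkau/*</url-pattern>
 *   </servlet-mapping>
 */
public class StrictUpdateServlet extends DHtmlUpdateServlet {

    // Assumption: static resources served by the update engine live under
    // /zkau/web/... and are fetched with GET by the client engine.
    private static final String RESOURCE_PREFIX = "/web";

    /**
     * The parent's doPost routes into doGet, so this single override sees
     * both methods. Normal AU traffic (POST) and resource loads (GET under
     * /web) pass through; any other GET is refused with 405 and an Allow
     * header, which is what a scanner flagging "interoperable methods"
     * expects to see.
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getMethod();
        String pathInfo = request.getPathInfo();

        boolean isPost = "POST".equalsIgnoreCase(method);
        boolean isResourceGet = "GET".equalsIgnoreCase(method)
                && pathInfo != null
                && pathInfo.startsWith(RESOURCE_PREFIX);

        if (isPost || isResourceGet) {
            super.doGet(request, response);
            return;
        }

        // Reject GET (and anything else that reaches doGet) for AU requests.
        response.setHeader("Allow", "POST");
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

Because the method check is made inside doGet rather than in a separate doPost override, the behaviour does not depend on whether a future ZK version keeps routing POST through GET. Verify the resource path prefix against the ZK version in use before deploying: if the engine serves resources under a different path, GET resource loads would be refused and the client-side engine would fail to start. The same pattern applies to DHtmlLayoutServlet if page requests should be similarly restricted.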
Asked: 2022-12-05 22:28:59 +0800
Seen: 6 times
Last updated: Dec 06 '22