[sip-comm-dev] Cross Site Scripting (XSS) Vulnerability With Manipulated SIP INVITE message


#1

Hello everyone,

I found a Cross Site Scripting (XSS) vulnerability in the handling of caller
information from SIP INVITE messages.

With a manipulated SIP INVITE message it is possible to inject HTML code
which will be displayed by SIP Communicator. This allows injecting an
<IMG> element and opening the given URL.
The cause of the problem is that a JLabel is used to show the
information of the caller. JLabel supports basic HTML syntax by
default. The values from the SIP INVITE message are not validated before
they are used for the message in the JLabel.

EXAMPLE:

From: "<html>Test with HTML in from message <img
src='http://security.inso.tuwien.ac.at/imgs/esse.png'></html>"
<sip:USER@HOST>;tag=....

--> SIP Communicator loads an image from a remote host. This can be used
to access hosts in the local network or to execute commands when combined with
Cross Site Request Forgery (CSRF) attacks.

net.java.sip.communicator.impl.gui.main.call.ReceivedCallDialog.initCallLabel()
--> uses the given FROM SIP header to display it using the JOptionPane.
It uses the CallPeerSipImpl.getDisplayName() to get the name of the peer.

net.java.sip.communicator.impl.protocol.sip.CallPeerSipImpl.getDisplayName()
--> Function to get the name of the peer to display

By using label.putClientProperty("html.disable", Boolean.TRUE); the HTML
functionality of JLabel can be disabled. Attached you will also find a
bug fix. I also attached a screenshot showing how an image given in the
FROM header is downloaded from the web server and displayed by SIP Communicator.
The tcpdump shows SIP Communicator requesting the image after it
receives the INVITE message.

Other parts of SIP Communicator where a JLabel is used to display
information should perhaps also be checked for similar problems.

Regards
Christian

tcpdump-sip-communicator.pcap (6.84 KB)

xss-request (846 Bytes)

xss-fix-problem-showing-html-in-jlabel (642 Bytes)
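As an added illustration (not code from SIP Communicator or from the attached patch), the snippet below pulls the display name out of a From header shaped like the report's example, puts it into a JLabel with Swing's default behaviour and into one with html.disable set before the text is assigned, and checks Swing's "html" client property, which is only present when an HTML renderer was installed for the text. The header value, the image URL and the class and method names are constructed for the demo.

```java
import javax.swing.JLabel;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SipDisplayNameLabelDemo {

    // Constructed From header in the shape of the report's example (not a real capture).
    static final String FROM_HEADER =
        "From: \"<html>Test <img src='http://example.invalid/x.png'></html>\" <sip:user@host>;tag=abc";

    // Quoted display-name in a From header:  From: "name" <sip:...>
    private static final Pattern DISPLAY_NAME = Pattern.compile("^From:\\s*\"([^\"]*)\"\\s*<");

    // Extracts the attacker-controlled display name; falls back to the raw header.
    static String displayName(String fromHeader) {
        Matcher m = DISPLAY_NAME.matcher(fromHeader);
        return m.find() ? m.group(1) : fromHeader;
    }

    // Default JLabel: text beginning with <html> is handed to Swing's HTML renderer,
    // so the <img> tag triggers a fetch of the remote URL when the label is painted.
    static JLabel defaultLabel(String name) {
        JLabel label = new JLabel();
        label.setText(name);
        return label;
    }

    // Hardened JLabel: html.disable must be set BEFORE the text is assigned, because
    // the renderer is created when the "text" property changes.
    static JLabel hardenedLabel(String name) {
        JLabel label = new JLabel();
        label.putClientProperty("html.disable", Boolean.TRUE);
        label.setText(name);
        return label;
    }

    // Swing stores its HTML View under the "html" client property only when the
    // text was treated as HTML; a null value means the text is shown literally.
    static boolean rendersHtml(JLabel label) {
        return label.getClientProperty("html") != null;
    }

    public static void main(String[] args) {
        String name = displayName(FROM_HEADER);
        System.out.println("display name: " + name);
        System.out.println("default JLabel renders HTML:  " + rendersHtml(defaultLabel(name)));
        System.out.println("hardened JLabel renders HTML: " + rendersHtml(hardenedLabel(name)));
    }
}
```

Run it with a plain `javac`/`java`; no window is opened, so it also works on a headless JVM.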


#2

Hi Christian,

Indeed, good catch! Your patch is committed and acknowledged on our contributors page.

Thanks!
Yana


On Apr 16, 2010, at 8:03 AM, Christian Schanes wrote:


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@sip-communicator.dev.java.net
For additional commands, e-mail: dev-help@sip-communicator.dev.java.net