
riches's People

Contributors: kmcdon83, kartikdedhia

riches's Issues

CX Reflected_XSS_All_Clients @ riches/login/error.jsp [master]

Reflected_XSS_All_Clients issue exists @ riches/login/error.jsp in branch master

Method <%=request.getParameter at line 11 of riches\login\error.jsp gets user input for the "j_username" element. This element's value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method <%=request.getParameter at line 11 of riches\login\error.jsp. This may enable a Cross-Site-Scripting attack.

Severity: High
CWE:79
Checkmarx
Lines: 11


Code (Line #11):

Bad credentials for : <%=request.getParameter("j_username")%><br>

CX Reflected_XSS_All_Clients @ riches/pages/error.jsp [master]

Reflected_XSS_All_Clients issue exists @ riches/pages/error.jsp in branch master

Method r.nextInt at line 9 of riches\pages\error.jsp gets user input for the getRequestURI element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method r.nextInt at line 9 of riches\pages\error.jsp. This may enable a Cross-Site-Scripting attack.

Severity: High
CWE:79
Checkmarx
Lines: 9


Code (Line #9):

    An Error has occurred. Please contact your sys admin. Error code: <%= r.nextInt() + "" %> . Page: ${pageContext.request.requestURI}.

CX Reflected_XSS_All_Clients @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/restful/AccountResources.java [master]

Reflected_XSS_All_Clients issue exists @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/restful/AccountResources.java in branch master

Method AddAccount at line 102 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\restful\AccountResources.java gets user input for the representation element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method AddAccount at line 102 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\restful\AccountResources.java. This may enable a Cross-Site-Scripting attack.

Severity: High
CWE:79
Checkmarx
Lines: 102 124


Code (Line #102):

    public String AddAccount(String representation) {

Code (Line #124):

    public String WriteCheck(String representation) {

CX Stored_XSS @ riches/pages/Backup.jsp [master]

Stored_XSS issue exists @ riches/pages/Backup.jsp in branch master

Method while at line 11 of riches\pages\Backup.jsp gets data from the database, for the readLine element. This element’s value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in method p_out.print at line 12 of riches\pages\Backup.jsp. This may enable a Stored Cross-Site-Scripting attack.

Severity: High
CWE:79
Checkmarx
Lines: 11


Code (Line #11):

    while ((data = r.readLine()) != null) {

CX Command_Injection @ riches/pages/content/oper/Admin.jsp [master]

Command_Injection issue exists @ riches/pages/content/oper/Admin.jsp in branch master

The application's sendMail method calls an OS (shell) command with exec, at line 66 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\oper\SendMessage.java, using an untrusted string with the command to execute.  
This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack.
The attacker may be able to inject the executed command via user input, name_, which is retrieved by the application in the rows="12"/></td> method, at line 30 of riches\pages\content\oper\Admin.jsp.

Severity: High
CWE:77
Checkmarx
Lines: 30


Code (Line #30):

                                        <td colspan="2" align="left"><s:textarea label="Body" name="body" cols="114" rows="12"/></td>

CX SQL_Injection @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/Messages.java [master]

SQL_Injection issue exists @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/Messages.java in branch master

The application's getMessage method executes an SQL query with list, at line 132 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\model\MessageService.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
The attacker would be able to inject arbitrary data into the SQL query, by simply altering the user input getRemoteUser, which is read by the execute method at line 18 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\Messages.java. This input then flows through the code to the database server, without sanitization.
This may enable an SQL Injection attack.

Severity: High
CWE:89
Checkmarx
Lines: 20


Code (Line #20):

        messages = MessageService.getMessage(ServletActionContext.getRequest().getRemoteUser());

CX Reflected_XSS_All_Clients @ riches/pages/content/Security.jsp [master]

Reflected_XSS_All_Clients issue exists @ riches/pages/content/Security.jsp in branch master

Method url="<%=request.getParameter at line 6 of riches\pages\content\Security.jsp gets user input for the "privacy_statement" element. This element's value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method url="<%=request.getParameter at line 6 of riches\pages\content\Security.jsp. This may enable a Cross-Site-Scripting attack.

Severity: High
CWE:79
Checkmarx
Lines: 6


Code (Line #6):

    <c:import url="<%=request.getParameter(\"privacy_statement\")%>"/>
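A caveat on this finding: <c:import> fetches and inlines whatever URL it is given, so a request-controlled privacy_statement value is not only an output-encoding problem. The caller picks which resource the server includes, and absolute URLs point the include at other hosts. Encoding the parameter does not fix that; the parameter has to be turned into a selector that is resolved against a fixed allow-list before the include runs. The class below is an added example, not code from the riches project; PrivacyStatementResolver, its keys and the two paths are assumptions. The JSP would then set a request attribute from the resolver (in the Struts action or a scriptlet) and use <c:import url="${statementPath}"/>, so the raw parameter never reaches the tag.

```java
import java.util.Map;
import java.util.Optional;

/** Added example: resolve a request parameter to a fixed include path (allow-list). */
public final class PrivacyStatementResolver {

    // Assumed key -> context-relative path mapping; only these paths can ever be included.
    private static final Map<String, String> STATEMENTS = Map.of(
        "en", "/pages/content/privacy_en.jsp",
        "de", "/pages/content/privacy_de.jsp");

    private static final String DEFAULT_KEY = "en";

    private PrivacyStatementResolver() {}

    /**
     * Returns the include path for a caller-supplied key. Unknown, empty or missing keys
     * fall back to the default; the caller's string is only ever used as a map lookup key.
     */
    public static String resolve(String requestedKey) {
        String key = Optional.ofNullable(requestedKey).map(String::trim).orElse(DEFAULT_KEY);
        return STATEMENTS.getOrDefault(key, STATEMENTS.get(DEFAULT_KEY));
    }

    /** Demo with constructed inputs: the hostile ones all resolve to the default path. */
    public static void main(String[] args) {
        String[] inputs = {
            "de",
            "http://attacker.example/payload",      // constructed: remote fetch attempt
            "/WEB-INF/web.xml",                     // constructed: local resource attempt
            "<script>alert(1)</script>",            // constructed: the XSS angle Checkmarx flagged
            null
        };
        for (String in : inputs) {
            System.out.printf("%-40s -> %s%n", in, resolve(in));
        }
    }
}
```

Keys are looked up, never interpolated, so there is nothing for a traversal or scheme prefix to attach to; adding a new statement means adding a map entry, not loosening validation.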

CX Reflected_XSS_All_Clients @ riches/login/login.jsp [master]

Reflected_XSS_All_Clients issue exists @ riches/login/login.jsp in branch master

Method color="red">${param.errorMsg}</font> at line 83 of riches\login\login.jsp gets user input for the "errorMsg" element. This element's value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method color="red">${param.errorMsg}</font> at line 83 of riches\login\login.jsp. This may enable a Cross-Site-Scripting attack.

Severity: High
CWE:79
Checkmarx
Lines: 83


Code (Line #83):

                                                    <font color="red">${param.errorMsg}</font>

CX SQL_Injection @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/restful/AccountResources.java [master]

SQL_Injection issue exists @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/restful/AccountResources.java in branch master

The application's IsProfileExist method executes an SQL query with find, at line 241 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\model\ProfileService.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
The attacker would be able to inject arbitrary data into the SQL query, by simply altering the user input username, which is read by the GetAccountsByName method at line 62 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\restful\AccountResources.java. This input then flows through the code to the database server, without sanitization.
This may enable an SQL Injection attack.

Severity: High
CWE:89
Checkmarx
Lines: 82 102 141 62


Code (Line #82):

    public String GetAccountsByName_JSON(@PathParam("username") String username) {

Code (Line #102):

    public String AddAccount(String representation) {

Code (Line #141):

    public String DeleteAccount(@PathParam("acctno") String acctno) {

Code (Line #62):

    public String GetAccountsByName(@PathParam("username") String username) {

CX SQL_Injection @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/restful/TransactionResources.java [master]

SQL_Injection issue exists @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/restful/TransactionResources.java in branch master

The application's IsProfileExist method executes an SQL query with find, at line 241 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\model\ProfileService.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
The attacker would be able to inject arbitrary data into the SQL query, by simply altering the user input username, which is read by the GetTransactions method at line 101 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\restful\TransactionResources.java. This input then flows through the code to the database server, without sanitization.
This may enable an SQL Injection attack.

Severity: High
CWE:89
Checkmarx
Lines: 101 102 104 105 106 107


Code (Line #101):

    public String GetTransactions(@PathParam("username") String username,

Code (Line #102):

                           @PathParam("acctno") @DefaultValue("0422328325") String acctno,

Code (Line #104):

                           @MatrixParam("payee") String payee,

Code (Line #105):

                           @MatrixParam("amount") String amount,

Code (Line #106):

                           @QueryParam("memo") String memo,

Code (Line #107):

                           @QueryParam("id") String id){
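Both SQL_Injection findings end in the same two service methods (ProfileService.IsProfileExist via find, MessageService.getMessage via list), where a username taken from getRemoteUser() or a @PathParam is spliced into the query text. Whether the query goes through a JDBC Statement or an ORM query string built with +, the fix is identical: keep the query text constant and bind the value as a parameter, and validate the shape of the input before it gets anywhere near the database. The class below is an added example, not the riches MessageService; the table and column names (messages, owner, body), the MessageDao name and the username pattern are assumptions, and the Connection is supplied by the caller. The flagged pattern is kept beside the fix for comparison.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: the concatenated query beside its parameterized replacement. */
public final class MessageDao {

    private final Connection conn;   // supplied by the caller (assumption)

    public MessageDao(Connection conn) { this.conn = conn; }

    /** The pattern Checkmarx flagged: the username becomes part of the SQL text. */
    public List<String> getMessagesVulnerable(String username) throws SQLException {
        String sql = "SELECT body FROM messages WHERE owner = '" + username + "'";
        // username = "x' OR '1'='1" returns every user's messages;
        // username = "x' UNION SELECT password FROM users--" reads other tables (assumed schema).
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Defense in depth: usernames in this app are assumed to be short ASCII identifiers.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_.@-]{1,64}");

    /** Fixed: constant query text, value bound as a parameter, shape validated first. */
    public List<String> getMessages(String username) throws SQLException {
        if (username == null || !USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        String sql = "SELECT body FROM messages WHERE owner = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);   // the driver sends the value separately from the SQL
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) out.add(rs.getString(1));
        return out;
    }
}
```

If the riches services build HQL/JPQL rather than raw SQL (the find/list names suggest an ORM), the same rule applies to the query string: write "from Profile p where p.username = :u" and bind with setParameter("u", username) instead of concatenating.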

CX Command_Injection @ riches/pages/common/hidden_AdminControl.jsp [master]

Command_Injection issue exists @ riches/pages/common/hidden_AdminControl.jsp in branch master

The application's Runtime.getRuntime method calls an OS (shell) command with exec, at line 95 of riches\pages\common\hidden_AdminControl.jsp, using an untrusted string with the command to execute.  
This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack.
The attacker may be able to inject the executed command via user input, ""actions"", which is retrieved by the application in the request.getParameter method, at line 74 of riches\pages\common\hidden_AdminControl.jsp.

Severity: High
CWE:77
Checkmarx
Lines: 18 74


Code (Line #18):

<% String alertMessage = request.getParameter("message");

Code (Line #74):

   String cmd = request.getParameter("actions");

CX Reflected_XSS_All_Clients @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/restful/TransactionResources.java [master]

Reflected_XSS_All_Clients issue exists @ riches/WEB-INF/src/java/com/checkmarx/samples/riches/restful/TransactionResources.java in branch master

Method PayBill at line 63 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\restful\TransactionResources.java gets user input for the representation element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method PayBill at line 63 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\restful\TransactionResources.java. This may enable a Cross-Site-Scripting attack.

Severity: High
CWE:79
Checkmarx
Lines: 84 63


Code (Line #84):

    public String Deposit(String representation) {

Code (Line #63):

    public String PayBill(String representation)

CX Stored_XSS @ riches/pages/FilesViewer.jsp [master]

Stored_XSS issue exists @ riches/pages/FilesViewer.jsp in branch master

Method reader.readLine at line 13 of riches\pages\FilesViewer.jsp gets data from the database, for the readLine element. This element’s value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in method out.println at line 15 of riches\pages\FilesViewer.jsp. This may enable a Stored Cross-Site-Scripting attack.

Severity: High
CWE:79
Checkmarx
Lines: 13


Code (Line #13):

			line = reader.readLine();

CX Command_Injection @ riches/pages/content/oper/Newsletter.jsp [master]

Command_Injection issue exists @ riches/pages/content/oper/Newsletter.jsp in branch master

The application's sendMail method calls an OS (shell) command with exec, at line 53 of riches\WEB-INF\src\java\com\checkmarx\samples\riches\oper\SendNewsletter.java, using an untrusted string with the command to execute.  
This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack.
The attacker may be able to inject the executed command via user input, name_, which is retrieved by the application in the size="50"/></td></tr></table> method, at line 18 of riches\pages\content\oper\Newsletter.jsp.

Severity: High
CWE:77
Checkmarx
Lines: 18 25


Code (Line #18):

                            <table cellpadding="0" cellspacing="0"><tr ><td style="border:0px" width="50px"><strong>Subject:</strong></td><td style="border:0px"><s:textfield label="Subject" name="subject" size="50"/></td></tr></table>

Code (Line #25):

                                        <td colspan="2" align="left"><s:textarea label="Body" name="body" cols="114" rows="12"/></td>
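All three Command_Injection findings end in Runtime.getRuntime().exec(...) with request data in the command string: the raw "actions" parameter in hidden_AdminControl.jsp, and the message subject/body in the two sendMail helpers. One caveat worth knowing when triaging them: Runtime.exec(String) splits its argument on whitespace and execs the first token directly, it does not start a shell, so ";" , "|" or "$(...)" in the input only become extra argv entries unless the command string itself invokes sh -c or cmd /c. Extra argv entries are still exploitable (option injection into the mailer, a different program name in the actions case), so the fix is the same either way: never build a command line from user data; choose the program from an allow-list, pass arguments as a list, and deliver free-form text such as a mail body over stdin. The class below is an added example, not the riches SendMessage/SendNewsletter code; SafeExec, the action map, the /usr/bin/mail path and the argument layout are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example: replacing Runtime.exec(String) + request data with fixed argv lists. */
public final class SafeExec {

    private SafeExec() {}

    // hidden_AdminControl.jsp case: the request may pick an action, never the command line.
    private static final Map<String, List<String>> ACTIONS = Map.of(     // assumed actions
        "diskusage", List.of("/bin/df", "-h"),
        "uptime",    List.of("/usr/bin/uptime"));

    /** Runs an allow-listed action; anything not in the map is refused before any exec. */
    public static int runAction(String actionKey) throws IOException, InterruptedException {
        List<String> argv = ACTIONS.get(actionKey);
        if (argv == null) throw new IllegalArgumentException("unknown action");
        return new ProcessBuilder(argv).inheritIO().start().waitFor();
    }

    // sendMail case: address and subject become argv entries, so constrain their shape.
    private static final Pattern ADDRESS = Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}");
    private static final Pattern SUBJECT = Pattern.compile("[^\\r\\n]{1,200}");
    private static final String MAIL = "/usr/bin/mail";   // assumed mailer path

    /** The flagged pattern, for comparison: user data spliced into the command string. */
    static Process sendVulnerable(String to, String subject) throws IOException {
        // No shell is started, but a subject with spaces becomes several argv entries and a
        // subject beginning with "-" is parsed by the mailer as an option.
        return Runtime.getRuntime().exec(MAIL + " -s " + subject + " " + to);
    }

    /** Fixed: argv list, "--" ends option parsing, free-form body goes over stdin. */
    public static int sendMail(String to, String subject, String body)
            throws IOException, InterruptedException {
        if (to == null || !ADDRESS.matcher(to).matches()) throw new IllegalArgumentException("bad address");
        if (subject == null || !SUBJECT.matcher(subject).matches()) throw new IllegalArgumentException("bad subject");

        ProcessBuilder pb = new ProcessBuilder(List.of(MAIL, "-s", subject, "--", to));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        try (OutputStream stdin = p.getOutputStream()) {
            stdin.write(body.getBytes(StandardCharsets.UTF_8));   // body never touches argv or a shell
        }
        return p.waitFor();
    }

    /** Demo with constructed hostile inputs; all are refused before a process is created. */
    public static void main(String[] args) throws Exception {
        String[] hostileActions = {"uptime; rm -rf /", "$(id)", "../../bin/sh"};
        for (String a : hostileActions) {
            try { runAction(a); } catch (IllegalArgumentException e) {
                System.out.println("refused action: " + a);
            }
        }
        try {
            sendMail("ops@example.com", "hello\r\nBcc: attacker@example.com", "body");  // header injection attempt
        } catch (IllegalArgumentException e) {
            System.out.println("refused subject: " + e.getMessage());
        }
    }
}
```

The subject pattern rejects CR and LF so a subject cannot smuggle extra mail headers, and the address is placed after "--" so a value starting with "-" cannot be read as an option; the body, which is the one field that legitimately contains arbitrary text, is written to the process's stdin and therefore never becomes an argument at all.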

CX Reflected_XSS_All_Clients @ riches/pages/career_details_error.jsp [master]

Reflected_XSS_All_Clients issue exists @ riches/pages/career_details_error.jsp in branch master

Method ${pageContext.request.requestURL} at line 19 of riches\pages\career_details_error.jsp gets user input for the getRequestURL element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method ${pageContext.request.requestURL} at line 19 of riches\pages\career_details_error.jsp. This may enable a Cross-Site-Scripting attack.

Severity: High
CWE:79
Checkmarx
Lines: 19 20 21 24


Code (Line #19):

Request URL : ${pageContext.request.requestURL}

Code (Line #20):

Request URI : ${pageContext.request.requestURI}

Code (Line #21):

Query string : ${pageContext.request.queryString}

Code (Line #24):

Parameters : <c:forEach var="entry" items="${paramValues}">
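The reflected and stored XSS findings on this page (error.jsp, login.jsp, Backup.jsp, FilesViewer.jsp, career_details_error.jsp and the String-returning JAX-RS methods) share one root cause: a value that came from the request, a file or the database is written into the HTML response without output encoding. A plain ${param.errorMsg} in a JSP is not escaped; <c:out value="${param.errorMsg}"/> or ${fn:escapeXml(param.errorMsg)} is, and JSTL is already in use on these pages via <c:import> and <c:forEach>. The scriptlet sites (<%= request.getParameter("j_username") %>, out.println(line)) and the REST methods need a Java encoder called at the point of output. The class below is an added example, not code from the riches project: a minimal encoder for HTML text and quoted attribute contexts, exercised against the j_username reflection. HtmlEncoder and the sample payload are the example's own; no third-party library is assumed (in a production code base prefer the OWASP Java Encoder's Encode.forHtml).

```java
/** Added example: output encoding for the JSP and REST sinks listed in these findings. */
public final class HtmlEncoder {

    private HtmlEncoder() {}

    /**
     * Encode a value for an HTML text node or a quoted attribute value.
     * Escapes the same five characters as JSTL's <c:out> / fn:escapeXml.
     */
    public static String forHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;   // &apos; is not defined in HTML 4
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Demo: the j_username reflection from error.jsp before and after encoding. */
    public static void main(String[] args) {
        // Constructed attacker input; in the app it arrives via request.getParameter("j_username").
        String jUsername = "<script>alert(document.cookie)</script>";

        String vulnerable = "Bad credentials for : " + jUsername + "<br>";            // what line 11 emits
        String hardened   = "Bad credentials for : " + forHtml(jUsername) + "<br>";   // the fix

        System.out.println(vulnerable);
        System.out.println(hardened);
        // hardened is: Bad credentials for : &lt;script&gt;alert(document.cookie)&lt;/script&gt;<br>
        if (hardened.contains("<script")) throw new AssertionError("encoding failed");
    }
}
```

In the JSPs this becomes <%= HtmlEncoder.forHtml(request.getParameter("j_username")) %> and out.println(HtmlEncoder.forHtml(line)); the encoder is only correct for text nodes and quoted attributes, so a value landing inside a script block, a URL or an unquoted attribute needs the encoder for that context instead. For the JAX-RS methods (AddAccount, WriteCheck, PayBill, Deposit) the better fix is not to concatenate HTML at all: declare @Produces(MediaType.APPLICATION_JSON) and return a serialized object, so the browser never treats the response as a document.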
