Openfire (ARCHIVED)

Additional cross-site scripting bugs in login

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Blocker Blocker
  • Resolution: Fixed
  • Affects Version/s: 2.6.0
  • Fix Version/s: 3.6.0
  • Component/s: Admin Console
  • Labels:
    None
  • Acceptance Test - Add?:
    No

Description

Additional cross-site scripting attacks possible in the login form.

Issue Links

is related to

Bug - A problem which impairs or prevents the functions of the product. OF-90 Cross-site scripting attack in the login form

  • Blocker - Blocks development and/or testing work, production could not run.
  • Resolved - A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.

Bug - A problem which impairs or prevents the functions of the product. JM-1489 Authentication bypass allowing arbitrary code execution

  • Blocker - Blocks development and/or testing work, production could not run.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Bug - A problem which impairs or prevents the functions of the product. JM-1488 CallLogDAO in SIP Plugin enables SQL Injection

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
LG added a comment -

Hi,

I really wonder why it take so long to resolve this issue. Just ignoring the parsed parameters (everything behind the ?) would be fine to fix this issue.
Of course one would no longer be able to access URL's directly and to set the username but that's how other applications solve this issue.

LG

Show
LG added a comment - Hi, I really wonder why it take so long to resolve this issue. Just ignoring the parsed parameters (everything behind the ?) would be fine to fix this issue. Of course one would no longer be able to access URL's directly and to set the username but that's how other applications solve this issue. LG
Hide
Permalink
Daniel Henninger added a comment -

Patience =) I aim to fix these and some other assorted issues for 3.5.2!

Show
Daniel Henninger added a comment - Patience =) I aim to fix these and some other assorted issues for 3.5.2!
Hide
Permalink
Daniel Henninger added a comment -

A trivial demo of this:
http://blathersource.org:9090/login.jsp?url=%22%3E%3Cscript%20type=%22text/javascript%22%3Ealert(%22hi%22)%3C/script%3E

Show
Daniel Henninger added a comment - A trivial demo of this: http://blathersource.org:9090/login.jsp?url=%22%3E%3Cscript%20type=%22text/javascript%22%3Ealert(%22hi%22)%3C/script%3E

People

  • Assignee:
    Daniel Henninger
    Reporter:
    Matt Tucker
Vote (7)
Watch (3)

Dates

  • Created:
    Updated:
    Resolved: