Openfire (ARCHIVED)
  1. Openfire (ARCHIVED)
  2. JM-629

Additional cross-site scripting bugs in login

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 3.6.0
    • Component/s: Admin Console
    • Labels:
      None

      Description

      Additional cross-site scripting attacks possible in the login form.

        Issue Links

          Activity

          Hide
          LG added a comment -

          Hi,

          I really wonder why it take so long to resolve this issue. Just ignoring the parsed parameters (everything behind the ?) would be fine to fix this issue.
          Of course one would no longer be able to access URL's directly and to set the username but that's how other applications solve this issue.

          LG

          Show
          LG added a comment - Hi, I really wonder why it take so long to resolve this issue. Just ignoring the parsed parameters (everything behind the ?) would be fine to fix this issue. Of course one would no longer be able to access URL's directly and to set the username but that's how other applications solve this issue. LG
          Hide
          Daniel Henninger added a comment -

          Patience =) I aim to fix these and some other assorted issues for 3.5.2!

          Show
          Daniel Henninger added a comment - Patience =) I aim to fix these and some other assorted issues for 3.5.2!
          Show
          Daniel Henninger added a comment - A trivial demo of this: http://blathersource.org:9090/login.jsp?url=%22%3E%3Cscript%20type=%22text/javascript%22%3Ealert(%22hi%22)%3C/script%3E

            People

            • Assignee:
              Daniel Henninger
              Reporter:
              Matt Tucker
            • Votes:
              7 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development