  1. Openfire
  2. OF-1192

Reflective Cross-Site Scripting vulnerability on setup test page


    Details

      Description

      Reported via security mailing list by Luke Arntson:

      When submitting a request to one of the unauthenticated JSP pages of Openfire, it is possible to inject arbitrary HTML that will reflect back to a user. An attacker can use this to steal session credentials, run malicious code on a client's browser, and many other harmful issues related to malicious HTML.

      Instance:
      http://localhost:9090/setup/setup-admin-settings_test.jsp
      parameter: username

      Steps to reproduce:
      1. Load up an instance of Openfire 4.0.x
      2. Navigate to the following URL in Firefox:
      http://localhost:9090/setup/setup-admin-settings_test.jsp?username=%3Cinput%20onfocus=prompt(1)%20autofocus%3E&ldap=true
      3. Observe a JavaScript prompt is presented to the user

      Remediation:
      The setup-admin-settings_test.jsp page should sanitize all input variables, and ensure that the output is sanitized as well.
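
One way to apply the remediation above, as an added Java example that is not part of the report or of Openfire's code: the `username` value from the reproduction URL is written into markup once unchanged and once HTML-encoded at the point of output. The class and method names and the `<td>` markup are assumptions made for illustration; the actual JSP source is not shown on this page.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added illustration, not Openfire source. All names here are hypothetical.
public class SetupTestPageEncoding {

    // Encode the characters that matter in HTML element and quoted-attribute contexts.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // "Before": the request parameter is concatenated into the page unchanged.
    static String renderUnsafe(String username) {
        return "<td>Testing: " + username + "</td>"; // constructed markup
    }

    // "After": same markup, value encoded where it is written out.
    static String renderSafe(String username) {
        return "<td>Testing: " + escapeHtml(username) + "</td>";
    }

    public static void main(String[] args) throws Exception {
        // Query-string value from the report's reproduction URL, decoded as the container would.
        String raw = "%3Cinput%20onfocus=prompt(1)%20autofocus%3E";
        String username = URLDecoder.decode(raw, StandardCharsets.UTF_8.name());

        System.out.println("unsafe: " + renderUnsafe(username));
        String safe = renderSafe(username);
        System.out.println("safe:   " + safe);

        // The encoded form must not contain a live tag built from the parameter.
        if (safe.contains("<input")) throw new IllegalStateException("value was not encoded");
    }
}
```

This encoder covers HTML element content and quoted attribute values only; a value written into a script block, an unquoted attribute or a URL needs the encoding for that context.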


            People

            • Assignee:
              guus Guus der Kinderen
              Reporter:
              wroot wroot
