XSS in server name field

Description

In testing nightly openfire_2017-09-28.deb it is noted that suffixing the server name with "<plaintext>" causes rendering issues in the console (see attached).

The server name should be escaped on display.

The server name validation should be enhanced further to exclude special characters (RFC1035 defined permitted characters and syntax).

This is a security concern but low risk. It may be an issue if combined with other security issues, e.g. it is noted many of the set-up screen values are also vulnerable to CSRF currently, but will raise separate tickets for those issues.

Environment

None

Attachments

2

Activity

Simon Waters October 11, 2017 at 9:24 AM

These properties also need escaping on dns-check.jsp and presumably elsewhere in the Admin console.

Simon Waters October 11, 2017 at 9:23 AM

xmpp.domain similarly affected on index.jsp.

Simon Waters October 11, 2017 at 8:41 AM

Specifically on the server-properties.jsp I have

xmpp.fqdn

debian2.surevine.net<plaintext>

This corrupts the index.jsp page.

Fixed

Details

Expected Effort

Minimal

Created October 11, 2017 at 8:36 AM
Updated November 16, 2017 at 9:32 PM
Resolved November 16, 2017 at 9:32 PM