Openfire (ARCHIVED), issue JM-629

Additional cross-site scripting bugs in login

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 3.6.0
    • Component/s: Admin Console
    • Labels:
      None

      Description

      Additional cross-site scripting attacks possible in the login form.

            Activity

            it2000 LG added a comment -

            Hi,

            I really wonder why it takes so long to resolve this issue. Just ignoring the parsed parameters (everything behind the ?) would be fine to fix this issue.
            Of course one would no longer be able to access URLs directly and to set the username but that's how other applications solve this issue.

            LG

            jadestorm Daniel Henninger added a comment -

            Patience =) I aim to fix these and some other assorted issues for 3.5.2!

            jadestorm Daniel Henninger added a comment - A trivial demo of this: http://blathersource.org:9090/login.jsp?url=%22%3E%3Cscript%20type=%22text/javascript%22%3Ealert(%22hi%22)%3C/script%3E
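
The demo link above puts markup in the `url` parameter of `login.jsp`. The following is an added example, not Openfire's code or the fix that shipped: it shows output escaping and target validation applied to that value. It assumes the parameter is reflected into a quoted HTML attribute (suggested by the `">` at the start of the demo value); the hidden-field markup, the `safeTarget` helper, the `index.jsp` fallback and `/some-page.jsp` are hypothetical.

```java
import java.net.URLDecoder;

public class LoginUrlParamDemo {
    // Escape the characters that can end a quoted attribute or open a tag.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical allow-list: keep only a same-site relative path with an
    // optional simple query string; anything else becomes the fallback page.
    static String safeTarget(String url, String fallback) {
        String local = "/?[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*(\\?[A-Za-z0-9_.&=%-]*)?";
        return (url != null && url.matches(local)) ? url : fallback;
    }

    // Assumed markup: the post-login target carried in a hidden form field.
    static String hiddenField(String value) {
        return "<input type=\"hidden\" name=\"url\" value=\"" + value + "\">";
    }

    public static void main(String[] args) throws Exception {
        // Value of the url parameter from the demo link in the comment above.
        String raw = "%22%3E%3Cscript%20type=%22text/javascript%22%3Ealert(%22hi%22)%3C/script%3E";
        String url = URLDecoder.decode(raw, "UTF-8");

        // Reflected as-is, the leading "> closes the attribute and the tag.
        System.out.println("unescaped: " + hiddenField(url));
        // Escaped on output, the same value stays inside the attribute.
        System.out.println("escaped:   " + hiddenField(escapeHtml(url)));
        // Validated first, it is replaced by the fallback page.
        System.out.println("validated: " + hiddenField(escapeHtml(safeTarget(url, "index.jsp"))));
        // A constructed legitimate target passes validation unchanged.
        System.out.println("legit:     "
                + hiddenField(escapeHtml(safeTarget("/some-page.jsp?tab=1", "index.jsp"))));
    }
}
```

Validation keeps direct links to console pages working, which dropping the query string entirely would not; escaping on output is still applied to whatever value survives validation.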

              People

              • Assignee:
                jadestorm Daniel Henninger
                Reporter:
                matt Matt Tucker
              • Votes:
                7
                Watchers:
                3
