[#JM-629] Additional cross-site scripting bugs in login

Openfire (ARCHIVED)

Additional cross-site scripting bugs in login

Created: 04/07/06 08:38 PM Updated: 11/12/08 09:41 AM

Component/s:

Admin Console

Affects Version/s:

2.6.0

Fix Version/s:

3.6.0

Time Tracking:

Not Specified

Issue Links:

Related to

This issue is related to:

~~OF-90~~ Cross-site scripting attack in the login form

This issue is related to:

~~JM-1489~~ Authentication bypass allowing arbitrary code execution

~~JM-1488~~ CallLogDAO in SIP Plugin enables SQL Injection

Resolution Date:	08/25/08 06:48 PM
Acceptance Test - Add?:	No

Description

« Hide

Additional cross-site scripting attacks possible in the login form.

All

Comments

Work Log

Change History

FishEye

Sort Order:

[ Permalink | « Hide ]

LG added a comment - 05/21/08 09:45 PM

Hi,

I really wonder why it take so long to resolve this issue. Just ignoring the parsed parameters (everything behind the ?) would be fine to fix this issue.
Of course one would no longer be able to access URL's directly and to set the username but that's how other applications solve this issue.

[ Permalink | « Hide ]

Daniel Henninger added a comment - 05/22/08 03:21 AM

Patience =) I aim to fix these and some other assorted issues for 3.5.2!

[ Permalink | « Hide ]

Daniel Henninger added a comment - 07/17/08 05:00 PM

A trivial demo of this:
http://blathersource.org:9090/login.jsp?url=%22%3E%3Cscript%20type=%22text/javascript%22%3Ealert(%22hi%22)%3C/script%3E