The “alias” field on the Trust Store Import Form permits entry of JavaScript

Description

Reported by @SimonWaters:

Replication Steps:

  • Log in to the Openfire Admin Console

  • Navigate to TLS/SSL Certificates

  • Select 'Manage Store Contents' under ANY of the Stores (e.g. External Component Stores)

  • Select the 'import form' link

  • Set the 'Alias' field value to:

  • Set the 'Content of Certificate file' field value to:

  • Save the new alias.

Observe that, when visiting the External Components -> Trust Store page, the JavaScript is executed and the dialog is shown.
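The root cause behind these steps is that the alias is written back into the admin page as-is, which is also what the later comment about the missing escaping in security-certificate-details.jsp points at. The following is an added illustration, not Openfire's own code: it puts the vulnerable concatenation beside the escaped form and adds an optional allow-list check on the alias at import time. The class and method names, the sample aliases and the allow-list pattern are assumptions made for this example.

```java
// Added illustration, not Openfire's code. Class name, method names, the
// sample aliases and the allow-list pattern are assumptions for this example.
import java.util.Arrays;
import java.util.List;

public class AliasEscapeDemo {

    /** Escape the characters that let attacker-controlled text break out of
     *  HTML text content or a quoted attribute value. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mirrors the vulnerable pattern: the stored alias is concatenated into
     *  the markup without any encoding, so a script tag in the alias runs in
     *  the browser of whoever opens the store page. */
    static String renderUnescaped(String alias) {
        return "Below are the details of the certificate with the alias "
            + alias + " from the store.";
    }

    /** Hardened form: the alias is HTML-escaped at the point it enters the page. */
    static String renderEscaped(String alias) {
        return "Below are the details of the certificate with the alias "
            + escapeHtml(alias) + " from the store.";
    }

    /** Defence in depth for the import form (example policy, not Openfire's):
     *  reject aliases with markup characters before they are ever stored.
     *  Output escaping above is still required; this only narrows what gets in. */
    static boolean isSaneAlias(String alias) {
        return alias != null
            && !alias.isEmpty()
            && alias.length() <= 128
            && alias.matches("[A-Za-z0-9._ -]+");
    }

    public static void main(String[] args) {
        // Constructed sample values of the kind a tester types into the 'Alias' field.
        List<String> aliases = Arrays.asList(
            "mycert",
            "<script>alert('trust store')</script>",
            "x\" onmouseover=\"alert(1)");
        for (String a : aliases) {
            System.out.println("accepted by validator: " + isSaneAlias(a));
            System.out.println("unescaped: " + renderUnescaped(a));
            System.out.println("escaped:   " + renderEscaped(a));
            System.out.println();
        }
    }
}
```

Run with `javac AliasEscapeDemo.java && java AliasEscapeDemo`. The second and third aliases come out of renderUnescaped as live markup and out of renderEscaped as inert text; the validator rejects both. Escaping has to happen at every place the alias is rendered, which is why a fix that covers the store listing but not the certificate-details page is incomplete.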

Environment

None

Activity

Dave Cridland
December 21, 2016, 11:45 AM
Simon Waters
December 16, 2016, 2:57 PM

The fix for this is incomplete in 4.1beta

Escaping is missing here:
/security-certificate-details.jsp
" Below are the details of the certificate with the alias (NAME) from the"

Fixed

Assignee

Dave Cridland

Reporter

Tim Durden