We're updating the issue view to help you get more done. 

Reflective Cross-Site Scripting vulnerability on setup test page

Description

Reported via security mailing list by Luke Arntson:

When submitting a request to one of the unauthenticated JSP pages of OpenFire, it is possible to inject arbitrary HTML that will reflect back to a user. An attacker can use this to steal session credentials, run malicious code on a client's browser, and many other harmful issues related to malicious HTML.

Instance:
http://localhost:9090/setup/setup-admin-settings_test.jsp
parameter: username

Steps to reproduce:
1. Load up an instance of OpenFire 4.0.x
2. Navigate to the following url in Firefox:
http://localhost:9090/setup/setup-admin-settings_test.jsp?username=%3Cinput%20onfocus=prompt(1)%20autofocus%3E&ldap=true
3. Observe a Javascript prompt is presented to the user

Remediation:
The setup-admin-settings_test.jsp page should sanitize all input variables, and ensure that the output is sanitized as well.

Environment

None

Acceptance Test - Entry

None

Activity

Show:
Daryl Herzmann
November 13, 2017, 4:06 PM

I wonder if the fix for helped with this issue...

Fixed

Assignee

Guus der Kinderen

Reporter

wroot

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Minor
Configure