XSS in server name field

Description

In testing nightly openfire_2017-09-28.deb it is noted that suffixing the server name with "<plaintext> causes rendering issues in the console (see attached)

The server name should be escaped on display.

The server name validation should be enhanced further to exclude special characters(RFC1035 defined permitted characters and syntax).

This is a security concern but low risk. It may be an issue if combined with other security issues. e.g. It is noted many of the set-up screen values are also vulnerable to CSRF currently, but will raise separate tickets for those issues.

Environment

None

Acceptance Test - Entry

None

Activity

Show:

Simon Waters

October 11, 2017, 8:41 AM

Copy link to comment

Specifically on the server-properties.jsp I have

xmpp.fqdn

debian2.surevine.net<plaintext>

This corrupts the index.jsp page.

Simon Waters

October 11, 2017, 9:23 AM

Copy link to comment

xmpp.domain similarly affected on index.jsp.

Simon Waters

October 11, 2017, 9:24 AM

Copy link to comment

These properties also need escaping on dns-check.jsp and presumably elsewhere in the Admin console.

Assignee

Dave Cridland

Reporter

Simon Waters

Labels

admin_console

ws3

Expected Effort

Minimal

Ignite Forum URL

None

Components

Admin Console

Fix versions

4.2.0

Affects versions

4.1.6

Priority

Minor

Configure