XSS in server name field

Description

In testing nightly openfire_2017-09-28.deb, it is noted that suffixing the server name with "<plaintext> causes rendering issues in the console (see attached).

The server name should be escaped on display.

The server name validation should be enhanced further to exclude special characters (RFC1035 defined permitted characters and syntax).

This is a security concern but low risk. It may be an issue if combined with other security issues. e.g. It is noted many of the set-up screen values are also vulnerable to CSRF currently, but will raise separate tickets for those issues.

Environment

None

Acceptance Test - Entry

None

Activity

Simon Waters
October 11, 2017, 8:41 AM

Specifically on the server-properties.jsp I have

xmpp.fqdn: debian2.surevine.net<plaintext>

This corrupts the index.jsp page.

Simon Waters
October 11, 2017, 9:23 AM

xmpp.domain similarly affected on index.jsp.

Simon Waters
October 11, 2017, 9:24 AM

These properties also need escaping on dns-check.jsp and presumably elsewhere in the Admin console.

Assignee

Dave Cridland

Reporter

Simon Waters

Labels

Expected Effort

Minimal

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Minor