Jetspeed 2 (Retired)
JS2-1075

possible cross site scripting during login


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.1.4, 2.2.1
    • Component/s: Security
    • Labels: None
    • Environment: all env

    Description

      A user can specify a script during login, which isn't HTML-escaped in the WEB-INF/templates/login/html/login.jsp page.

      Solution: escapeHtml the input strings, like this:

      <%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
      <%@ page import="org.apache.jetspeed.login.LoginConstants" %>
      <%
      String ln = "";
      String pa = "";

      // Values the login flow stored in the session; either may be absent.
      Object ln_o = session.getAttribute(LoginConstants.USERNAME);
      Object pa_o = session.getAttribute(LoginConstants.PASSWORD);

      if (ln_o != null) ln = (String)ln_o;
      if (pa_o != null) pa = (String)pa_o;

      %>
      <%-- Escape before writing into the attribute values so session data cannot inject markup. --%>
      <input type='hidden' name='j_username' value='<%= StringEscapeUtils.escapeHtml(ln) %>'/>
      <input type='hidden' name='j_password' value='<%= StringEscapeUtils.escapeHtml(pa) %>'/>
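      As an added example (not code from this ticket or from the Jetspeed code base), the following plain-JDK class renders the same two hidden inputs with its own escaper and shows why the attribute quoting matters. Commons Lang 2's StringEscapeUtils.escapeHtml converts &, <, > and " but leaves the apostrophe alone (it supports HTML 4 entities only), so a value such as O'Brien still contains the delimiter of a single-quoted attribute; double-quoting the attribute, or escaping ' as &#39;, closes that gap. The class name, method names and the sample session values are constructed for the example; nothing here depends on Jetspeed's LoginConstants.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class LoginFieldEscaper {

    /** Escapes all five HTML-significant characters, including the apostrophe. */
    public static String escapeHtmlFull(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Same escaping but with the apostrophe left untouched, mirroring what
     * Commons Lang 2 StringEscapeUtils.escapeHtml does (HTML 4 entities only).
     * Any '&' in the input was already turned into "&amp;", so the only
     * "&#39;" sequences present come from apostrophes.
     */
    public static String escapeHtmlNoApos(String s) {
        return escapeHtmlFull(s).replace("&#39;", "'");
    }

    /** True if the escaped value still contains the delimiter of the attribute it is placed in. */
    public static boolean canCloseAttribute(char quote, String escapedValue) {
        return escapedValue.indexOf(quote) >= 0;
    }

    /** Renders one hidden input with a double-quoted, fully escaped value. */
    public static String hiddenInput(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeHtmlFull(name)
             + "\" value=\"" + escapeHtmlFull(value) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed stand-ins for what session.getAttribute(...) returns in the JSP.
        Map<String, String> session = new LinkedHashMap<>();
        session.put("j_username", "O'Brien <guest>");
        session.put("j_password", "pa\"ss&word");

        for (Map.Entry<String, String> e : session.entrySet()) {
            String raw = e.getValue();
            System.out.println(hiddenInput(e.getKey(), raw));
            // With single-quoted attributes, the HTML-4-only escaper leaves a gap for apostrophes.
            System.out.println("  single-quoted attr, HTML4-only escape can close it: "
                    + canCloseAttribute('\'', escapeHtmlNoApos(raw)));
            System.out.println("  single-quoted attr, full escape can close it:       "
                    + canCloseAttribute('\'', escapeHtmlFull(raw)));
        }
    }
}
```

      Compile and run with javac/java; the j_username line reports true for the HTML-4-only escaper and false for the full one, which is the check to apply when reviewing a fix like the one above against the quoting style actually used in the template.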

          People

            Assignee: Ate Douma
            Reporter: radko keves
