Openfire 3.7.2 - Cross Site Scripting Vulnerability in Server2Server page

Hi,

Not sure of the proper place for this discussion but hopefully this is the right way. I have also included the tags for bug reporting.

I have found a cross-site scripting vulnerability in the server2server jsp. This page handles the Server to Server settings. The parameter vulnerable to XSS is the domain parameter. To test you can simply add a script tag into the domain field and use a valid port number. This will get persisted as well as cause a session to be taken/cause unwanted behavior such as an alert. (Example .

We can either provide the fix by using the already existing method removeXSSCharacters in StringUtils (I see in most cases people use escapeHTMLTags) or use the industry-wide standard of the ESAPI jar.

Thanks in Advance!

Scott
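
The two defensive layers relevant to the report above, shown as an added example that is not part of the original post and is not Openfire code: allow-list validation of the domain value before it is persisted, and HTML encoding when the stored value is rendered. The class and method names are hypothetical, and the hostname rule is an assumption about what the domain field should accept; the example deliberately does not call `removeXSSCharacters` or `escapeHTMLTags`, whose signatures are not shown on this page.

```java
import java.util.regex.Pattern;

public class DomainFieldCheck {
    // Assumption: the domain field only needs ASCII hostnames
    // (labels of letters, digits and hyphens, 253 characters in total).
    private static final String LABEL = "[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
    private static final Pattern HOSTNAME =
        Pattern.compile("^(?=.{1,253}$)" + LABEL + "(\\." + LABEL + ")*$");

    // Input side: refuse to persist anything that is not a hostname.
    static boolean isValidDomain(String value) {
        return value != null && HOSTNAME.matcher(value).matches();
    }

    // Output side: encode for HTML text and quoted attribute contexts,
    // so a value that was stored before validation existed still renders inert.
    static String escapeHtml(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample submissions for the domain parameter.
        String[] submitted = {
            "xmpp.example.org",
            "<script>alert(1)</script>",
            "bad\"domain"
        };
        for (String domain : submitted) {
            String verdict = isValidDomain(domain) ? "store : " : "reject: ";
            // The escaped form is what the settings page would write into its HTML.
            System.out.println(verdict + escapeHtml(domain));
        }
    }
}
```

Validation alone does not clean values already in the database, which is why the rendering side still encodes every value it prints.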

Thanks, filed as OF-671

I have tested out the fix of using the removeXSSCharacters. We are currently using it in our product. Would it be helpful if I were to handle promoting/getting this into the Openfire source code base?

Hello, I’m always looking for more committers! Do you expect to have more code than this or if this is a one-time deal, probably best just to attach a patch and I’ll send it in.

daryl

Hey,

Currently it is just that one file, the server2server.jsp… We are currently doing some other testing on other pages to ensure we are good but I will keep you posted if we find more. I will provide the patch tomorrow.

Thanks,

Scott