powered by Jive Software

Openfire 3.7.2 - Cross Site Scripting Vulnerability in Server2Server page

Hi,

Not sure of the proper place for this discussion but hopefully this is the right way. I have also included the tags for bug reporting.

I have found a cross-site scripting vulnerability in the server2server jsp. This page handles the Server to Server settings. The parameter vulnerable to XSS is the domain parameter. To test you can simply add a script tag in to the domain field and use a valid port number. This will get persisted as well as cause a session to be taken/cause unwanted behavior such as an alert. (Example .

We can either provide the fix by using the already existing method removeXSSCharacters in StringUtils (I see in most case people use escapeHTMLTags) or use the industry wide standard of the ESAPI jar.

Thanks in Advance!

Scott

Thanks, filed as OF-671

I have tested out the fix of using the removeXSSCharacters. We are currently using it in our product. Would it be helpful if I were to handle promoting/getting this into the openfire source code base?

Hello, I’m always looking for more committers! Do you expect to have more code than this or if this is a one-time deal, probably best just to attach a patch and I’ll send it in.

daryl

Hey,

Currently it is just that one file, the server2server.jsp…We are currently doing some other testing on other pages to ensure we are good but I will keep you posted if we find more. I will provide the patch tomorrow.

Thanks,

Scott