  1. LAMS Development
  2. LDEV-4600

forgotPasswordChange.jsp passes key label as parameter but then it is not being sanitised for XSS injection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1, 3.0
    • Fix Version/s: 3.1, 3.0
    • Component/s: General
    • Labels:
      None

      Description

      Marcino,

      I believe we fixed this for password request, but it seems that we missed this one for when a user changes their password.

      As we are passing the key as a GET parameter and then we print that, it is possible for an attacker to embed some XSS:

      http://localhost:8080/lams/forgotPasswordChange.jsp?key=%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E

      Can you please change the logic of this or sanitize the variable before displaying it on the page?

      Credit goes to Nikola Kojic from RAS-IT company for reporting this.
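
The reflected-parameter problem described in this report, shown as an added example that is not LAMS code or the fix that was committed: the unsafe echo beside a version that validates the key and encodes it on output. The hidden-input markup, the alphanumeric key format and all class and method names are assumptions for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class ForgotPasswordKeyDemo {
    // Assumption: reset keys are short alphanumeric tokens; adjust to the real key format.
    private static final Pattern KEY_FORMAT = Pattern.compile("^[A-Za-z0-9]{1,64}$");

    /** Encode a value for an HTML text or quoted-attribute context. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Unsafe rendering as the report describes it: the parameter is printed as-is. */
    static String renderUnsafe(String key) {
        return "<input type=\"hidden\" name=\"key\" value=\"" + key + "\">";
    }

    /** Hardened rendering: reject keys outside the expected format, then encode on output. */
    static String renderSafe(String key) {
        if (key == null || !KEY_FORMAT.matcher(key).matches()) {
            return "<p>Invalid or expired password reset link.</p>";
        }
        return "<input type=\"hidden\" name=\"key\" value=\"" + escapeHtml(key) + "\">";
    }

    public static void main(String[] args) {
        // Query-string value from the URL in the report, decoded as the servlet container would.
        String reported = URLDecoder.decode(
            "%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E", StandardCharsets.UTF_8);
        System.out.println("unsafe : " + renderUnsafe(reported)); // value attribute is closed early
        System.out.println("encoded: " + escapeHtml(reported));   // quotes and brackets neutralised
        System.out.println("safe   : " + renderSafe(reported));   // rejected by the format check
        System.out.println("valid  : " + renderSafe("a1B2c3D4e5")); // constructed sample key
    }
}
```

In a JSP the same output encoding is available through JSTL's `<c:out>` tag or the `fn:escapeXml` function, so the key never needs to be printed with a raw expression.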

        Activity

        marcin Marcin Cieslak added a comment -
        Please test, especially whether key sanitation does allow the password to be changed successfully.
        ernieg Ernie Ghiglione added a comment -
        Thanks Marcino

          People

          • Assignee:
            marcin Marcin Cieslak
            Reporter:
            ernieg Ernie Ghiglione