[LDEV-4600] forgotPasswordChange.jsp passess key label as parameter but then it is not being sanitise for XSS injection - LAMS

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1, 3.0
Fix Version/s: 3.1, 3.0
Component/s: General
Labels:
None

Description

Marcino,

I believe we fixed this for password request, but it seems that we missed this one for when a user change its password.

As we are passing the key as a get parameter and then we print that, it is possible for an attacker to embed some XSS:

http://localhost:8080/lams/forgotPasswordChange.jsp?key=%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E

Can you please change the logic of this or sanitize the variable before displaying it on the page?

Credit goes to Nikola Kojic from RAS-IT company for reporting this.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Marcin Cieslak added a comment - 15/Jun/18 2:00 PM

Please test, especially whether key sanitation does allows the password to be changed successfully.

Show

Marcin Cieslak added a comment - 15/Jun/18 2:00 PM Please test, especially whether key sanitation does allows the password to be changed successfully.

Hide

Permalink

Ernie Ghiglione added a comment - 15/Jun/18 6:27 PM

Thanks Marcino

Show

Ernie Ghiglione added a comment - 15/Jun/18 6:27 PM Thanks Marcino

People

Assignee:

Marcin Cieslak

Reporter:

Ernie Ghiglione

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

11/Jun/18 7:49 PM

Updated:

15/Jun/18 6:27 PM

Resolved:

15/Jun/18 2:00 PM

Development