
Item13739: LoginName is not validated and presents XSS path.

Priority: Security
Current State: Closed
Released In: 2.0.2
Target Release: patch
Applies To: Engine
Component: LoginManager
Branches: master
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
This task addressed validation or encoding of the parameters used during registration and login.

  • Registration parameters are now all entity encoded. Previously there was some encoding done, but it was insufficient to block all XSS paths.
  • The XSS path during login was in the generation of an error message. That path is now blocked.

No further administrator action is needed.
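
The sketch below is an added example, not Foswiki's own code. It shows why encoding only some characters leaves an attribute-context path open, and how validating the login name and fully entity-encoding it in the error message work as separate layers. The function names, the allowlist pattern and the angle-bracket-only "partial" encoder are assumptions made for illustration; the page does not say what the earlier encoding covered.

```perl
#!/usr/bin/perl
# Added example: not Foswiki code. All names here are hypothetical.
use strict;
use warnings;

# Assumed allowlist for login names: word characters plus . @ + -
my $LOGIN_RE = qr/\A[\w.\@+\-]{1,64}\z/;

# Partial encoding (assumed for contrast): handles only angle brackets,
# so a double quote can still terminate a quoted HTML attribute.
sub encode_partial {
    my ($text) = @_;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    return $text;
}

# Full entity encoding of every character that is significant in HTML
# text or quoted-attribute context, plus control characters.
sub encode_entities_full {
    my ($text) = @_;
    $text =~ s/([<>&"'\x00-\x1f\x7f])/'&#' . ord($1) . ';'/ge;
    return $text;
}

# Build the login-failure message. The name is encoded on output even
# though invalid names are rejected first: validation and encoding are
# independent layers, and either one alone can be bypassed by a bug.
sub login_error {
    my ($login) = @_;
    my $shown = encode_entities_full($login);
    return "Login name contains illegal characters: $shown"
        unless $login =~ $LOGIN_RE;
    return "Unrecognised login name or password: $shown";
}

# Constructed sample inputs (inert markers, not taken from the page).
my @samples = ( 'JoeUser', 'joe"data-x="1', '<b>joe</b>&co' );
for my $login (@samples) {
    printf "input   : %s\n", $login;
    printf "partial : <input name=\"username\" value=\"%s\">\n",
        encode_partial($login);
    printf "full    : <input name=\"username\" value=\"%s\">\n",
        encode_entities_full($login);
    printf "message : %s\n\n", login_error($login);
}
```

For the second sample, the partial encoder leaves the double quote intact, so the echoed value closes the `value` attribute early, while the full encoder emits `&#34;` and the value stays inside the attribute.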
Topic revision: r8 - 10 Oct 2015, GeorgeClark
