
Item405: ORIGURL used in the login template (used, for example, for reset password) is an XSS attack vector

Priority: Urgent
Current State: Closed
Released In: 1.0.0
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: Foswiki:Main.KennethLavrsen
Waiting For: Main.KennethLavrsen
Last Change By: KwangErnLiew

http://somedomain.com/foswiki/bin/login/System/ResetPassword?origurl=/System/ResetPassword%3fusername%3d%22%3Cscript%3Ealert(%273y3%200wn%20j00%20TWIKI%27)%3C/script%3E%3brefresh%3don

Spotted by MichaelDaum. Brilliant.

Fixed by KennethLavrsen

PS. Yes, this also applies to TWiki 4.2.4.

I forwarded this report to twiki-security@lists.sourceforge.net on 7 Dec 2008.
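The mechanism behind the URL above is that the login template substitutes the ORIGURL value into the page without HTML-encoding it, so a `"` in the parameter closes the attribute it is written into and everything after it is parsed as markup. The following Python is an added illustration, not Foswiki or TWiki code (which is Perl): the function names (`render_login_form_vulnerable`, `render_login_form_fixed`, `safe_origurl`) and the form markup are hypothetical stand-ins for the template, and the only real input is the proof-of-concept URL from the report. The fix has two independent parts: entity-encode the value before it lands in an attribute (that alone stops the script injection), and additionally refuse any origurl that is not a local absolute path, so the post-login redirect cannot be pointed at an attacker-chosen host.

```python
"""Added example (not Foswiki code): how a reflected ``origurl`` becomes XSS
and how to neutralise it.  Function names and markup are hypothetical; the
payload URL is the proof-of-concept from the report."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# The proof-of-concept URL from Item405 (the only non-constructed input here).
REPORT_URL = ("http://somedomain.com/foswiki/bin/login/System/ResetPassword"
              "?origurl=/System/ResetPassword%3fusername%3d%22%3Cscript%3E"
              "alert(%273y3%200wn%20j00%20TWIKI%27)%3C/script%3E%3brefresh%3don")


def origurl_from(url: str) -> str:
    """Return the percent-decoded origurl query parameter, as a CGI layer would.

    After decoding, the value contains a literal double quote followed by a
    <script> element; that is what the template later interpolates."""
    return parse_qs(urlsplit(url).query).get("origurl", [""])[0]


def render_login_form_vulnerable(origurl: str) -> str:
    """Template expansion with ORIGURL substituted verbatim (the reported bug).

    The embedded quote terminates the value attribute, so the rest of the
    parameter is rendered as markup and the script executes in the victim's
    browser."""
    return ('<form action="/foswiki/bin/login" method="post">'
            f'<input type="hidden" name="origurl" value="{origurl}" />'
            '</form>')


def safe_origurl(origurl: str) -> str:
    """Second line of defence: accept only a local absolute path.

    Anything with a scheme or host (http://..., //host/..., javascript:...)
    falls back to "/", so the redirect after login stays on this site."""
    parts = urlsplit(origurl)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return "/"
    return origurl


def render_login_form_fixed(origurl: str) -> str:
    """Entity-encode the value before it is placed in an attribute.

    escape(..., quote=True) turns " into &quot; and < > into &lt; &gt;, so the
    browser sees one attribute value and no element boundary."""
    value = escape(safe_origurl(origurl), quote=True)
    return ('<form action="/foswiki/bin/login" method="post">'
            f'<input type="hidden" name="origurl" value="{value}" />'
            '</form>')


def contains_script_tag(html: str) -> bool:
    """Crude check used to compare the two renderings."""
    return "<script>" in html.lower()


if __name__ == "__main__":
    payload = origurl_from(REPORT_URL)
    print("decoded origurl:", payload)
    print("vulnerable  :", render_login_form_vulnerable(payload))
    print("fixed       :", render_login_form_fixed(payload))
```

Encoding at the point of output is the actual fix for this item; the path restriction in `safe_origurl` is an extra hardening step a reviewer would ask for, since a login handler that redirects to an arbitrary origurl is also an open redirect even once the XSS is closed.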


Summary: ORIGURL used in the login template (used, for example, for reset password) is an XSS attack vector
ReportedBy: Foswiki:Main.KennethLavrsen
Codebase: trunk
SVN Range: TWiki-4.2.3, Wed, 06 Aug 2008, build 17396
AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Closed
WaitingFor: KennethLavrsen
Checkins:
TargetRelease: patch
ReleasedIn: 1.0.0
Topic revision: r3 - 08 Jan 2009, KwangErnLiew
