NOTE: If you are a developer, please use a private wiki based on foswiki/trunk on a daily base ...or use trunk.foswiki.org to view this page for some minimal testing.
Item405: ORIGURL used in template login used for example for reset password is an XSS attach vector
| Priority: | CurrentState: | AppliesTo: | Component: | WaitingFor: |
|---|---|---|---|---|
| Urgent | Closed | Engine | KennethLavrsen |
ORIGURL used in template login used for example for reset password is an XSS attach vector
http://somedomain.com/foswiki/bin/login/System/ResetPassword?origurl=/System/ResetPassword%3fusername%3d%22%3Cscript%3Ealert(%273y3%200wn%20j00%20TWIKI%27)%3C/script%3E%3brefresh%3donSpotted by MichaelDaum. Brilliant. Fixed by KennethLavrsen PS. yes this also applies to TWiki 4.2.4
- KennethLavrsen - 07 Dec 2008
- WillNorris - 12 Dec 2008
ItemTemplate edit
| Summary | ORIGURL used in template login used for example for reset password is an XSS attach vector |
| ReportedBy | Foswiki:Main.KennethLavrsen |
| Codebase | trunk |
| SVN Range | TWiki-4.2.3, Wed, 06 Aug 2008, build 17396 |
| AppliesTo | Engine |
| Component | |
| Priority | Urgent |
| CurrentState | Closed |
| WaitingFor | KennethLavrsen |
| Checkins | |
| TargetRelease | patch |
| ReleasedIn | 1.0.0 |
Topic revision: r3 - 08 Jan 2009 - 17:01:36 - KwangErnLiew
Tasks
- Submit and Query
- Create a new Task
- My Items
- Task Search
- All Extensions
- Changes
- Developer Tasks
- Release Blockers
- Normal Priority
- Low Priority
- New Items
- Waiting For Feedback
- Waiting For Release
- Closed
- Outstanding Items
- Outstanding Enhancements
- Recently Closed
- Input from external sources
- Non Developer Tasks
- MarketingTasks
- WebSiteTasks
- ProjectTasks
- Developer Tools
- Admin Tools
- Fixes for Rel. Notes
- Trac Browser
Tools
 |
|
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. see CopyrightStatement. 
