[CWD-1952] Crowd login form may be vulnerable to XSS attacks - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 2.0.5
Affects Version/s: 2.0.4
Component/s: Authentication / Security
Labels:
None

Bug Fix Policy:
View Atlassian Server bug fix policy

Details of the vulnerability:

We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crowd login form. XSS vulnerabilities potentially allow an attacker to embed their own Javascript or code into a Crowd page. An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation.

This issue is reported in our security advisory on this page:
http://confluence.atlassian.com/x/AawCDQ

You can read more about XSS attacks at cgisecurity, CERT and other places on the web:

Mitigation:

If you cannot upgrade to Crowd 2.0.5 immediately, you can fix this XSS vulnerability by disallowing request parameters in generated URLs. You can globally turn off the inclusion of request parameters in generated URLs by editing your WebWork properties file:

Edit the webwork.properties file located at {CROWD-INSTALLATION-DIRECTORY}\crowd-webapp\WEB-INF\classes\webwork.properties.
Add the following property as a new line in the file:
```
webwork.url.includeParams=none
```
Save the file.
Restart Crowd.

The WebWork documentation has more about the webwork.properties file.

Assignee:: Unassigned

Reporter:: SarahA

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 24/Jun/2010 5:18 AM

Updated:: 15/Aug/2019 7:06 AM

Resolved:: 24/Jun/2010 5:38 AM

Details

Description

Attachments

Forms

Activity

People

Dates