Uploaded image for project: 'Crowd'
  1. Crowd
  2. CWD-1952

Crowd login form may be vulnerable to XSS attacks

    XMLWordPrintable

    Details

      Description

      Details of the vulnerability:

      We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crowd login form. XSS vulnerabilities potentially allow an attacker to embed their own Javascript or code into a Crowd page. An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation.

      This issue is reported in our security advisory on this page:
      http://confluence.atlassian.com/x/AawCDQ

      You can read more about XSS attacks at cgisecurity, CERT and other places on the web:

      Mitigation:

      If you cannot upgrade to Crowd 2.0.5 immediately, you can fix this XSS vulnerability by disallowing request parameters in generated URLs. You can globally turn off the inclusion of request parameters in generated URLs by editing your WebWork properties file:

      1. Edit the webwork.properties file located at {CROWD-INSTALLATION-DIRECTORY}\crowd-webapp\WEB-INF\classes\webwork.properties.
      2. Add the following property as a new line in the file:
        webwork.url.includeParams=none
        
      3. Save the file.
      4. Restart Crowd.

      The WebWork documentation has more about the webwork.properties file.

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            smaddox SarahA
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: