Details
-
Bug
-
Resolution: Fixed
-
Highest
-
2.0.4
-
None
Description
Details of the vulnerability:
We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crowd login form. XSS vulnerabilities potentially allow an attacker to embed their own Javascript or code into a Crowd page. An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation.
This issue is reported in our security advisory on this page:
http://confluence.atlassian.com/x/AawCDQ
You can read more about XSS attacks at cgisecurity, CERT and other places on the web:
Mitigation:
If you cannot upgrade to Crowd 2.0.5 immediately, you can fix this XSS vulnerability by disallowing request parameters in generated URLs. You can globally turn off the inclusion of request parameters in generated URLs by editing your WebWork properties file:
- Edit the webwork.properties file located at {CROWD-INSTALLATION-DIRECTORY}\crowd-webapp\WEB-INF\classes\webwork.properties.
- Add the following property as a new line in the file:
webwork.url.includeParams=none
- Save the file.
- Restart Crowd.
The WebWork documentation has more about the webwork.properties file.