• Type: Bug
• Resolution: Fixed
• Priority: Highest
• Fix Version/s: 2.0.5
• Affects Version/s: 2.0.4
• Component/s: Authentication / Security
• Labels:

  None

[CWD-1952] Crowd login form may be vulnerable to XSS attacks

Monique Khairuliana (Inactive) made changes - 15/Aug/2019 7:06 AM

Workflow	Original: Simplified Crowd Development Workflow v2 - restricted [ 1511053 ]	New: JAC Bug Workflow v3 [ 3365404 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 07/Jul/2016 6:19 AM

Workflow

Original: Simplified Crowd Development Workflow v2 [ 1393061 ]

New: Simplified Crowd Development Workflow v2 - restricted [ 1511053 ]

Owen made changes - 12/May/2016 2:52 AM

Workflow

Original: Crowd Development Workflow v2 [ 273707 ]

New: Simplified Crowd Development Workflow v2 [ 1393061 ]

jawong.adm made changes - 15/Dec/2010 10:50 PM

Workflow

Original: JIRA Bug Workflow v2 [ 212455 ]

New: Crowd Development Workflow v2 [ 273707 ]

SarahA made changes - 05/Jul/2010 4:13 AM

Security

Original: Reporters and Developers [ 10071 ]

SarahA made changes - 25/Jun/2010 3:59 AM

Description

Original: We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crowd login form. * An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation. This issue is reported in our security advisory on this page: http://confluence.atlassian.com/x/AawCDQ You can read more about XSS attacks at cgisecurity, CERT and other places on the web: * http://www.cgisecurity.com/xss-faq.html * http://www.cert.org/advisories/CA-2000-02.html

New: *Details of the vulnerability:* We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crowd login form. XSS vulnerabilities potentially allow an attacker to embed their own Javascript or code into a Crowd page. An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation. This issue is reported in our security advisory on this page: http://confluence.atlassian.com/x/AawCDQ You can read more about XSS attacks at cgisecurity, CERT and other places on the web: * http://www.cgisecurity.com/xss-faq.html * http://www.cert.org/advisories/CA-2000-02.html *Mitigation:* If you cannot upgrade to Crowd 2.0.5 immediately, you can fix this XSS vulnerability by disallowing request parameters in generated URLs. You can globally turn off the inclusion of request parameters in generated URLs by editing your WebWork properties file: # Edit the {{webwork.properties}} file located at {{\{CROWD-INSTALLATION-DIRECTORY\}\crowd-webapp\WEB-INF\classes\webwork.properties}}. # Add the following property as a new line in the file: {code} webwork.url.includeParams=none {code} # Save the file. # Restart Crowd. The WebWork documentation has more about the [webwork.properties|http://www.opensymphony.com/webwork/wikidocs/webwork.properties.html] file.

SarahA made changes - 24/Jun/2010 5:38 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

shihab made changes - 24/Jun/2010 5:32 AM

Description

Original: We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crowd login form. * An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. * An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation. This issue is reported in our security advisory on this page: http://confluence.atlassian.com/x/AawCDQ You can read more about XSS attacks at cgisecurity, CERT and other places on the web: * http://www.cgisecurity.com/xss-faq.html * http://www.cert.org/advisories/CA-2000-02.html

New: We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crowd login form. * An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation. This issue is reported in our security advisory on this page: http://confluence.atlassian.com/x/AawCDQ You can read more about XSS attacks at cgisecurity, CERT and other places on the web: * http://www.cgisecurity.com/xss-faq.html * http://www.cert.org/advisories/CA-2000-02.html

David O'Flynn [Atlassian] made changes - 24/Jun/2010 5:24 AM

Description

Original: We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crowd login form. * An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. * An attacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation. This issue is reported in our security advisory on this page: http://confluence.atlassian.com/x/AawCDQ You can read more about XSS attacks at cgisecurity, CERT and other places on the web: * http://www.cgisecurity.com/xss-faq.html * http://www.cert.org/advisories/CA-2000-02.html

New: We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crowd login form. * An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. * An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation. This issue is reported in our security advisory on this page: http://confluence.atlassian.com/x/AawCDQ You can read more about XSS attacks at cgisecurity, CERT and other places on the web: * http://www.cgisecurity.com/xss-faq.html * http://www.cert.org/advisories/CA-2000-02.html

SarahA created issue - 24/Jun/2010 5:18 AM