1. 23 Mar, 2016 6 commits
    •
      OF-777 CVE-2015-6973 CSRF protection (partial) · 3a6976f0
      Dave Cridland authored
      Extending the previous commit, this adds CSRF to a number of high-value target
      pages, including user password changing, deletion, lockout, etc, and also for
      the login page (to avoid a class of attack we probably don't care about).
      
      The CSRF mechanism requires manual addition to each form, but has been
      design reviewed by Simon Waters (Surevine Ltd).
    •
      ce87ab79
    •
      OF-836 CVE-2015-6972 rXSS in import-keystore... · 20174b68
      Dave Cridland authored
      Reflected XSS in import-keystore-certificate.jsp via the passphrase.
      
      Reported by Florian Nivette of Sysdream.
    •
      36bb0e80
    •
      OF-836 CVE-2015-6972 MUC service description · 340f0fc9
      Dave Cridland authored
      The mucdesc parameter of muc-service-edit-form.jsp was reflected unescaped in
      the summary view at muc-service-summary.jsp
      
      This was reported by Florian Nivette of Sysdream.
      
      Fixed by escaping on output within muc-service-summary.jsp.
      
      In addition, domain validation was added on input.
    •
      OF-836 CVE-2015-6972 XSS in external-components · b44bf488
      Dave Cridland authored
      The subdomain parameter in external-components-settings.jsp was reflected
      in both cases in the deletion URI as an unencoded parameter.
      
      Originally discovered by Simon Waters, then this case found by Florian
      Nivette of Sysdream.
      
      Fix is twofold:
      
      * The parameter is now encoded on output, the deletion URI is now set using
      the JSP tags instead of string construction.
      * The subdomain parameter is validated on input, making it difficult to inject
      script elements etc.
2. 21 Mar, 2016 1 commit
3. 18 Mar, 2016 1 commit
    •
      OF-929 prevent ghosts by removing ioSession check · e5182f23
      akrherz authored
      Since the release of Openfire 3.9.3, users have reported problems with
      "ghost" sessions left on the server. After reviewing the changes that
      went into the 3.9.3 release, it seemed the fix for OF-464 may have had
      some side effect causing this.
      
      Since Igniterealtime's Openfire was reproducing OF-829, I did a test
      whereby the functional changes of Igniterealtime/Openfire#ad08cae9
      were reverted.  After 36 hours, there were no ghosts!
      
      This will likely necessitate reopening OF-464.
4. 17 Mar, 2016 1 commit
5. 11 Mar, 2016 2 commits
6. 10 Mar, 2016 2 commits
    •
      Merge pull request #558 from guusdk/master · cd4994ca
      Dave Cridland authored
      Prevent occasional failure of CheckChainTrustedTest
    •
      Prevent occasional failure of CheckChainTrustedTest · 3ed99368
      Guus der Kinderen authored
      There's one unit test that occasionally fails. This occurs as a result of an unintended
      collision. As part of the test, many certificates are generated and stored in keystores.
      The alias used for the entry was based on the hashcode of the public key of the certificate.
      The value range of those hashcodes is fairly small (it has only a couple of digits), which
      leads to occasional collisions, causing the test to fail.
      
      This commit replaces the hashcode-based alias with the Base64-encoded public key information.
      This ensures that aliases for distinct keys are also distinct, while ensuring that the
      aliases for equal keys are equal.
7. 07 Mar, 2016 13 commits
8. 06 Mar, 2016 3 commits
9. 05 Mar, 2016 2 commits
10. 04 Mar, 2016 1 commit
11. 03 Mar, 2016 7 commits
12. 02 Mar, 2016 1 commit