    OF-836 CVE-2015-6972 XSS in external-components · b44bf488
    Dave Cridland authored
    The subdomain parameter in external-components-settings.jsp was reflected
    in both cases in the deletion URI as an unencoded parameter.
    
    Originally discovered by Simon Waters, then this case found by Florian
    Nivette of Sysdream.
    
    Fix is twofold:
    
    * The parameter is now encoded on output, the deletion URI is now set using
    the JSP tags instead of string construction.
    * The subdomain parameter is validated on input, making it difficult to inject
    script elements etc.
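The two halves of the fix described in the commit message, output encoding and input validation, shown side by side in a stand-alone Java example. This is an added illustration, not Openfire's code and not the contents of the commit: the class name, the `deleteSubdomain` query parameter name, the `escapeHtmlAttr` helper and the DNS-label regular expression are all assumptions, and the commit does not say which validation rule the project adopted. `vulnerableLink` reproduces the pattern the message describes (the parameter concatenated straight into the deletion URI), `hardenedLink` URL-encodes the query value, HTML-escapes the attribute and rejects anything that is not a plausible subdomain.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example, not Openfire's code. Models the deletion link on the
// external components settings page built from the user-supplied
// "subdomain" request parameter.
public class SubdomainLink {

    // Hypothetical allow-list: one or more DNS-style labels separated by dots.
    // The real project's validation rule is not stated in the commit message.
    private static final Pattern SUBDOMAIN = Pattern.compile(
        "^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
      + "(?:\\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    // Before: string construction, the parameter lands in the href unencoded,
    // so a value containing '"' or '<' breaks out of the attribute.
    static String vulnerableLink(String subdomain) {
        return "<a href=\"external-components-settings.jsp?deleteSubdomain="
             + subdomain + "\">Delete</a>";
    }

    // Input validation: reject anything that is not a plausible subdomain.
    static boolean isValidSubdomain(String s) {
        return s != null && s.length() <= 253 && SUBDOMAIN.matcher(s).matches();
    }

    // After: validate on input, URL-encode the query value, then HTML-escape
    // the whole attribute value. Encoding is the primary fix; validation is
    // defence in depth and must not be relied on alone.
    static String hardenedLink(String subdomain) {
        if (!isValidSubdomain(subdomain)) {
            throw new IllegalArgumentException("invalid subdomain: " + subdomain);
        }
        String url = "external-components-settings.jsp?deleteSubdomain="
                   + URLEncoder.encode(subdomain, StandardCharsets.UTF_8);
        return "<a href=\"" + escapeHtmlAttr(url) + "\">Delete</a>";
    }

    // Minimal HTML attribute escaping (hypothetical helper; a JSP tag such as
    // a JSTL <c:out> does the equivalent in a real page).
    static String escapeHtmlAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed payload of the kind reflected XSS relies on.
        String payload = "x\"><script>alert(1)</script>";
        System.out.println(vulnerableLink(payload));          // attribute broken out of
        System.out.println(isValidSubdomain(payload));        // false: rejected on input
        System.out.println(hardenedLink("gateway.example.org"));
        // An odd but syntactically valid label still gets encoded rather than trusted:
        System.out.println(hardenedLink("a-b.example"));
    }
}
```

The order matters: the URL is assembled first with a URL-encoded value, and the finished URL is then escaped for the attribute context it is placed in. Escaping only one of the two contexts, or validating without encoding, leaves the reflection exploitable by any value the validator happens to accept.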
Repository tree:

bin
conf
database
i18n
java
javadoc/jdk15
plugins
resources
security
spank
test
tools/anttask/org/jivesoftware/ant
web