[mapguide][MG408][New] Security: Web Admin vulnerable to cross-site scripting attac...
Steve Dang
steve.dang at autodesk.com
Sat Sep 30 02:06:00 EDT 2006
You can view the artifact detail at the following URL:
https://mapguide.osgeo.org/servlets/Scarab/id/MG408
Type: Defect
Artifact ID: MG408 (Security: Web Admin vulnerable to cross-site scripting attacks)
Reported by: Steve Dang, stevedang (steve.dang at autodesk.com)
New artifact details:
---------------------------------------------------------
- Operating system set to new value: All
- Platform set to new value: All
- Artifact created
- Component set to new value: Web Server Extensions
- Defect Severity set to new value: High
- Summary set to new value: Security: Web Admin vulnerable to cross-site scripting attacks
- Description set to new value: Security: Web Admin vulnerable to cross-site scripting attacks
- Priority set to new value: P1
- Version set to new value: 1.0.1
- Subcomponent set to new value: Map Admin
- Steps to Reproduce set to new value
Log into the Web Admin application using a valid administrator's username and password.
Add a new user using the following data:
User ID : badadmin
User name : Big <b>Bad</b> <i>Admin</i><script>alert('The Big Bad Admin was here.')</script>
Description : Can I have your cookie?<script>alert('Your cookie is : '+document.cookie)</script>
Password and confirmation: password
Click Save.
Expected result: The user is added with all metacharacters escaped so that the browser doesn't read the user name and description as HTML (i.e. the user name in the displayed user list should reproduce the above data exactly, not show 'Big Bad Admin' with 'Bad' in bold and 'Admin' in italics; no alert dialog box should be displayed either).
Actual result: The user name in the list has bold and italic portions. An alert dialog pops up containing the data from the user's cookie for the admin site.
Even if you log off and log on as a different admin, the exploit is active--when the other user displays the user list (either explicitly, or by viewing logs that contain the information), the cookie is displayed. A more sophisticated exploit could invisibly redirect the user to a spoofed site to 'phish' for the user's username and password.
This problem can also be duplicated using the Add Group functionality.
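The expected result stated in the steps above (metacharacters escaped so the user list displays the stored data verbatim) comes down to HTML-escaping every user-controlled field at the point it is written into the page. The following is an added example, not MapGuide's own Web Admin code (the report does not show that code or its language); it renders a user-list row both the defective way the report describes and the escaped way, then parses each result the way a browser would to show which elements are created and what text is displayed. The field names, the column order and the row layout are assumptions, and the sample record is constructed from the data given in the reproduction steps.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the exact form data from the report's reproduction steps.
SAMPLE_USER = {
    "user_id": "badadmin",
    "user_name": "Big <b>Bad</b> <i>Admin</i>"
                 "<script>alert('The Big Bad Admin was here.')</script>",
    "description": "Can I have your cookie?"
                   "<script>alert('Your cookie is : '+document.cookie)</script>",
}

FIELDS = ("user_id", "user_name", "description")  # assumed column order


def render_user_row_unsafe(user):
    """The defect as the report describes it: stored fields are written
    straight into the user-list HTML, so any markup in them is rendered."""
    cells = "".join(f"<td>{user[f]}</td>" for f in FIELDS)
    return f"<tr>{cells}</tr>"


def render_user_row(user):
    """The fix: escape every user-controlled value where it enters HTML text
    content. html.escape rewrites < > & " and ' as character references, so
    the browser shows the stored string instead of interpreting it."""
    cells = "".join(f"<td>{html.escape(str(user[f]), quote=True)}</td>"
                    for f in FIELDS)
    return f"<tr>{cells}</tr>"


class _Audit(HTMLParser):
    """Records the element tags a browser's parser would create and the
    text runs it would display (character references decoded)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def audit(rendered_html):
    """Parse a rendered row; return (set of tags seen, list of displayed text runs)."""
    parser = _Audit()
    parser.feed(rendered_html)
    parser.close()
    return set(parser.tags), parser.text


def displays_exactly(user, render=render_user_row):
    """The report's expected result as a check: the row creates no elements
    beyond the table's own, and each field is displayed exactly as entered."""
    tags, text = audit(render(user))
    return tags <= {"tr", "td"} and text == [user[f] for f in FIELDS]


if __name__ == "__main__":
    print("unsafe render creates:", sorted(audit(render_user_row_unsafe(SAMPLE_USER))[0]))
    print("escaped render creates:", sorted(audit(render_user_row(SAMPLE_USER))[0]))
    print("escaped render displays data exactly:", displays_exactly(SAMPLE_USER))
```

The unsafe row yields b, i and script elements from the stored name and description; the escaped row yields only tr and td, and the parser's decoded text for each cell equals the stored string, which is the literal display the report asks for. The same check applies to the Add Group form fields the report mentions, since the fix is per-output-location rather than per-form.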
- Artifact Status set to new value: New
- Target milestone set to new value: 1.0.2
---------------------------------------------------------
This message was automatically generated by Project Tracker.