[mapguide][MG408][New] Security: Web Admin vulnerable to cross-site scripting attac...

Steve Dang steve.dang at autodesk.com
Sat Sep 30 02:06:00 EDT 2006


You can view the artifact detail at the following URL:

    https://mapguide.osgeo.org/servlets/Scarab/id/MG408

Type
 Defect

Artifact ID
 MG408 (Security: Web Admin vulnerable to cross-site scripting attacks)

Reported by
 Steve Dang
 stevedang (steve.dang at autodesk.com)

New artifact details:
---------------------------------------------------------

- Operating system set to new value
  All
- Platform set to new value
  All
- Artifact created
- Component set to new value
  Web Server Extensions
- Defect Severity set to new value
  High
- Summary set to new value
  Security: Web Admin vulnerable to cross-site scripting attacks
- Description set to new value
  Security: Web Admin vulnerable to cross-site scripting attacks
- Priority set to new value
  P1
- Version set to new value
  1.0.1
- Subcomponent set to new value
  Map Admin
- Steps to Reproduce set to new value
  Log into the Web Admin application using a valid administrator's username and password.

  Add a new user using the following data:
      User ID : badadmin
      User name : Big <b>Bad</b> <i>Admin</i><script>alert('The Big Bad Admin was here.')</script>
      Description : Can I have your cookie?<script>alert('Your cookie is : '+document.cookie)</script>
      Password and confirmation: password

  Click Save.

  Expected result: The user should be added with all metacharacters escaped so that the browser doesn't read the user name and description as HTML (i.e. the user name in the displayed user list should reproduce the above data exactly, not show 'Big Bad Admin' with the 'Bad' in bold and the 'Admin' in italics. No alert dialog box should be displayed either.)

  Actual result: The user name in the list has bold and italic portions. An alert dialog pops up containing the data from the user's cookie for the admin site.

  Even if you log off and log on as a different admin, the exploit is active--when the other user displays the user list (either explicitly, or by viewing logs that contain the information), the cookie is displayed. A more sophisticated exploit could invisibly redirect the user to a spoofed site to 'phish' for the user's username and password.

  This problem can also be duplicated using the Add Group functionality.



- Artifact Status set to new value
  New
- Target milestone set to new value
  1.0.2

---------------------------------------------------------
This message was automatically generated by Project Tracker.
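The defect above is a stored XSS: user-supplied fields are written into the admin user list as raw HTML, so the stored payload runs for every administrator who later views the list. The following is an added example, not MapGuide's own code: a minimal model of a user-list row renderer, in a vulnerable form that concatenates the fields straight into markup and a hardened form that HTML-escapes each field at the point it is written. The row template, the field names and the checking helpers are assumptions made for the example; the payloads are the ones from the Steps to Reproduce.

```javascript
// Added example, not MapGuide Web Admin code. Models the user-list row
// rendering that MG408 describes and shows the escaping fix.

// Payloads copied from the bug report's Steps to Reproduce (constructed input).
const REPORTED_USER = {
  id: "badadmin",
  name: "Big <b>Bad</b> <i>Admin</i><script>alert('The Big Bad Admin was here.')</script>",
  description: "Can I have your cookie?<script>alert('Your cookie is : '+document.cookie)</script>",
};

// HTML-escape a string for use as element content or inside a quoted
// attribute. '&' must be replaced first so later replacements are not
// double-encoded. The five characters below are the ones that can change
// the meaning of HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Inverse of escapeHtml, used here only to verify the round trip: what the
// browser displays must equal what the administrator typed.
function unescapeHtml(value) {
  return String(value)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");
}

// Vulnerable renderer (assumed template): field values are interpolated as
// raw markup, so <b>, <i> and <script> in the stored name are honoured.
function renderUserRowVulnerable(user) {
  return `<tr><td>${user.id}</td><td>${user.name}</td><td>${user.description}</td></tr>`;
}

// Hardened renderer: every field is escaped at the output boundary. The
// stored value is unchanged; only the representation sent to the browser is.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.id)}</td>` +
    `<td>${escapeHtml(user.name)}</td>` +
    `<td>${escapeHtml(user.description)}</td></tr>`;
}

// Check helper: the only tags in the rendered row should be the <tr>/<td>
// tags the template itself wrote. Any other tag came from stored data.
function containsOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(tr|td)>$/.test(t));
}

// Summarise both renderers on the reported payload.
function demo(user = REPORTED_USER) {
  return {
    vulnerableLeaksMarkup: !containsOnlyTemplateTags(renderUserRowVulnerable(user)),
    safeLeaksMarkup: !containsOnlyTemplateTags(renderUserRowSafe(user)),
    // The escaped row decodes back to exactly what was entered.
    safeRoundTrips: unescapeHtml(escapeHtml(user.name)) === user.name,
  };
}

console.log(demo());
```

The same escaping must be applied anywhere the stored fields are rendered, including the log views the report mentions, since the payload is stored once and replayed to every administrator who views it; escaping on input (before storage) would corrupt the stored value and still miss fields that reach the page through another path.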