By: Rivera Rivera user 13 Feb 2020 at 2:53 a.m. CST

8 Responses
I have identified that it is possible to execute JavaScript code in the Import People functionality.

**STEPS TO REPRODUCE:** You have to create a file with the following filename: `"><img src=x onerror=alert(1)>.xlsx`. When you try to upload this file, the alert will be executed.

**HOW TO FIX:** Apply output encoding to the filename parameter.

**REFERENCES:** https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet
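A minimal illustration of the fix the report asks for, as an added Python example that is not Gluu's own code: the upload confirmation message rendered once with the raw filename and once with HTML output encoding, plus a parser check confirming that the encoded version contains no injected tag or event-handler attribute. The template string and the two render functions are assumptions for illustration; the sample filenames are the ones quoted in the ticket.

```python
import html
from html.parser import HTMLParser

# Sample filenames taken from the ticket (constructed test input).
XLSX_NAME = '"><img src=x onerror=alert(1)>.xlsx'
LDIF_NAME = '"><img src=x onerror=alert(1)>.ldif'


def render_unsafe(filename: str) -> str:
    """Vulnerable pattern (assumed template): the raw filename is
    concatenated into HTML. The leading quote closes the attribute and
    the rest of the name is parsed as live markup."""
    return f'<div class="msg" data-file="{filename}">Imported {filename}</div>'


def render_safe(filename: str) -> str:
    """Hardened pattern: encode the filename for the HTML context it is
    written into. quote=True also encodes " and ', so the same value is
    safe inside a double-quoted attribute and in text content."""
    encoded = html.escape(filename, quote=True)
    return f'<div class="msg" data-file="{encoded}">Imported {encoded}</div>'


class HandlerFinder(HTMLParser):
    """Records every start tag that carries an on* event-handler attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.found: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.found.append((tag, name))


def event_handlers(fragment: str) -> list[tuple[str, str]]:
    """Parse an HTML fragment the way a browser would and return the
    (tag, attribute) pairs that would execute script. An empty list
    means the filename was rendered as inert text."""
    finder = HandlerFinder()
    finder.feed(fragment)
    finder.close()
    return finder.found
```

The unsafe render of either filename yields two injected `img` tags with `onerror` handlers (one per interpolation point), while the encoded render yields none.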

By Rivera Rivera user 19 Feb 2020 at 4:03 a.m. CST

This vulnerability is also exploitable in the Import/Export Attributes functionality using a file with the following filename: `"><img src=x onerror=alert(1)>.ldif`

By Aliaksandr Samuseu staff 19 Feb 2020 at 8:16 a.m. CST

Hi, Rivera. Do you mean these features can be used without getting authenticated first at the web UI? Otherwise it's not clear how this can be utilized by somebody except the service's administrators. That said, it still doesn't feel right that text in a file's name can be treated as a line of code (it still seems like a minor web UI bug to me, not a security threat). @Thomas Gasmyr.Mougang could you fix it?

By Rivera Rivera user 19 Feb 2020 at 10:12 a.m. CST

Hi Aliaksandr, it could only be exploitable once you are authenticated, so as you said, only the service's administrator could exploit the vulnerability. Best regards.

By Thomas Gasmyr Mougang staff 19 Feb 2020 at 4:31 p.m. CST

@Aliaksandr.Samuseu I'm closing this ticket.

By Rivera Rivera user 20 Feb 2020 at 2 a.m. CST

Hi @Thomas Gasmyr.Mougang In which Gluu version do you plan to fix this issue?

By Thomas Gasmyr Mougang staff 20 Feb 2020 at 3:05 a.m. CST

This is not a security issue. Also, that component will be replaced in 4.2.

By Rivera Rivera user 20 Feb 2020 at 3:28 a.m. CST

This is a self-XSS vulnerability; you can review the following reference to understand the risks associated with this vulnerability: https://silentbreaksecurity.com/weaponizing-self-xss/ Anyway, are you planning to replace both components? (Import People and Import/Export Attributes)

By Thomas Gasmyr Mougang staff 20 Feb 2020 at 5:50 a.m. CST

Rivera, this is an open source project; you can contribute directly and we will check the merge request.