Posted to commits@openmeetings.apache.org by "SebastianWagner (JIRA)" <ji...@apache.org> on 2013/09/16 08:54:52 UTC

[jira] [Commented] (OPENMEETINGS-793) Possibility of Code Injection Vulnerability found.

    [ https://issues.apache.org/jira/browse/OPENMEETINGS-793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13768111#comment-13768111 ] 

SebastianWagner commented on OPENMEETINGS-793:
----------------------------------------------

I haven't checked 1.png yet, but I think there is no validation of the chat messages implemented in the HTML5 version yet.
I guess we need a more general approach here as it's not only about the chat message, it is almost any kind of input that will be displayed in the browser.
For instance when the (upcoming) HTML5 whiteboard is implemented. Or when you send a private message to another user. Or when you input/sign up for a new user.
There should be some kind of existing libraries that have such a string validation/escape method.

@Rahul: Your report gives us some good pointers on what to improve before we need to check, thanks :)

I do not really understand 2.png. What is the possible vulnerability in the Flash version?
                
> Possibility of Code Injection Vulnerability found.
> --------------------------------------------------
>
>                 Key: OPENMEETINGS-793
>                 URL: https://issues.apache.org/jira/browse/OPENMEETINGS-793
>             Project: Openmeetings
>          Issue Type: Bug
>         Environment: flash version 11.2.202.243 , mozilla firefox, linux
>            Reporter: rahul bhola
>            Priority: Critical
>         Attachments: 1.png, 2.png
>
>
> Code injection vulnerability. I was using flash version 11.2.202.243 and OM hosted at http://demo.dataved.ru/openmeetings/. There is a possibility of code injection in chat room. I was able to pass JavaScript code to the browser engine in Mozilla Firefox (Linux).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
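
Added example, not part of the original JIRA thread or the OpenMeetings code base: one way to apply the general approach discussed in the comment above, encoding every user-supplied value at the point where it is written into HTML instead of validating chat messages alone. All function names and sample values are hypothetical, and the encoder covers HTML text and quoted-attribute contexts only.

```javascript
// Added example (not OpenMeetings code). All names are hypothetical.

// Characters that can change parsing in HTML text or a quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode an untrusted value for element content or a quoted attribute.
// Not sufficient for script, style or URL contexts.
function escapeHtml(value) {
  const text = value == null ? '' : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: literal parts are trusted markup written by the developer,
// every ${...} value is encoded, so a renderer cannot forget to escape.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// One renderer per kind of user input named in the comment; both go through
// the same encoder instead of each carrying its own validation.
function renderChatMessage(msg) {
  return html`<li class="chat"><span title="${msg.from}">${msg.from}</span>: ${msg.text}</li>`;
}

function renderPrivateMessage(pm) {
  return html`<div class="pm"><h4>${pm.subject}</h4><p>${pm.body}</p></div>`;
}

// Constructed sample input: markup in the message body and a display name
// that tries to close the title attribute.
const sampleChat = { from: 'Eve" data-x="1', text: '<script>alert(1)</script>' };
const samplePm = { subject: 'Tom & Jerry', body: "it's <b>bold</b>" };

console.log(renderChatMessage(sampleChat));
console.log(renderPrivateMessage(samplePm));
```

The stored message is left unchanged and is encoded only when rendered, so the same data can be encoded differently for other output contexts.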