SAK-26678

Well crafted search terms can log the profile2 tool out leaving a login page inside the tool. Rebooting server does not help the specific user


    Details

    • Type: Bug
    • Status: Verified
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.9.0
    • Fix Version/s: 2.9.1
    • Component/s: Profile
    • Labels: None
    • Environment: Demo version of Sakai 2.9 rc 03; qa29 as well.
    • Previous Issue Keys: PRFL-781

      Description

      Possibly a blocker.
      Well crafted search terms can log the profile2 tool out leaving a login page inside the tool. Rebooting server does not help the specific user

      Profile2
      Search term <script>alert('xss');</script>
      Press search
      Press clear history
      Click away to another part of the profile 2 tool.
      Locked out of profile 2 tool even after login or reboot of server for that account

      Could you be using part of the search term as part of the URL or some such?
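The report's closing question points at the defensive fix: a search term is untrusted input that ends up in at least two output contexts, the tool's HTML (search results and search history) and, possibly, a URL. Each context needs its own encoding. The example below is an added illustration, not Sakai or Profile2 code; `SearchTermEncoding`, `historyEntryHtml`, `searchUrl` and the `/profile2/search` path are hypothetical names, and the sample term is the payload quoted in the report above, constructed here as test input.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/**
 * Hypothetical helper (not Sakai/Profile2 code): encodes a user-supplied
 * search term separately for each output context it is written into.
 */
public final class SearchTermEncoding {

    /** Constructed sample input: the search term from the bug report. */
    public static final String SAMPLE_TERM = "<script>alert('xss');</script>";

    /** Minimal HTML entity escaping for text nodes and quoted attribute values. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Percent-encode the term when it becomes a query-string value (the
     * reporter's "part of the URL" hypothesis). The raw term must never be
     * concatenated into the URL alongside this.
     */
    public static String searchUrl(String basePath, String term) {
        try {
            return basePath + "?search=" + URLEncoder.encode(term, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /**
     * Render one search-history entry. The same raw term is encoded
     * independently for the href attribute and for the visible link text,
     * so a term containing markup is shown literally instead of executed.
     */
    public static String historyEntryHtml(String basePath, String term) {
        return "<li><a href=\"" + escapeHtml(searchUrl(basePath, term)) + "\">"
             + escapeHtml(term) + "</a></li>";
    }

    public static void main(String[] args) {
        // Hardened rendering: the term survives as inert text.
        System.out.println(historyEntryHtml("/profile2/search", SAMPLE_TERM));
        // The unsafe 'before' for comparison: raw term concatenated into markup.
        System.out.println("<li>" + SAMPLE_TERM + "</li>");
    }
}
```

Running `main` prints the escaped `<li>` first (the `<script>` tag appears as `&lt;script&gt;` in the link text and as `%3Cscript%3E` in the href), then the raw concatenation that reproduces the report's problem. The same rule applies to a term persisted in search history: store the raw value, encode at render time for whichever context it is written into.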

        Attachments

          1. Profile_Search.PNG (13 kB)
          2. s1.png (32 kB)
          3. s2.png (43 kB)
          4. s3.png (13 kB)

                People

                • Assignee: Adrian Fish (a.fish@lancaster.ac.uk)
                • Reporter: Alan Berg (a.m.berg@uva.nl)
                • Votes: 0
                • Watchers: 5
