Sakai SAK-26678

Well-crafted search terms can log the Profile2 tool out, leaving a login page inside the tool. Rebooting the server does not help the specific user.


Details

• Type: Bug
• Status: Verified
• Priority: Critical
• Resolution: Fixed
• Affects Version/s: 2.9.0
• Fix Version/s: 2.9.1
• Component/s: Profile
• Labels: None
• Environment: Demo version of Sakai 2.9 rc 03; qa29 as well.
• Previous Issue Keys: PRFL-781

Description

Possibly a blocker.
Well-crafted search terms can log the Profile2 tool out, leaving a login page inside the tool. Rebooting the server does not help the specific user.

Profile2
1. Search term <script>alert('xss');</script>
2. Press search
3. Press clear history
4. Click away to another part of the Profile2 tool.
5. Locked out of the Profile2 tool even after login or reboot of the server for that account.

Could you be using part of the search term as part of the URL or some such?
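As an added illustration of the reporter's hypothesis that the search term is reflected into a URL (example code, not Sakai's or Profile2's own): a naive history link that concatenates the raw term, beside a hardened version that URL-encodes the query value and HTML-escapes both the href and the visible text. The `?search=` parameter name and the link markup are assumptions.

```javascript
// Added example (not Sakai/Profile2 code): encoding a stored search term before it
// is reflected into a search-history entry. The "?search=" parameter name and the
// <a> markup are assumptions made for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for an HTML text node or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Naive rendering: the raw term lands in both the href and the visible text,
// so a term such as <script>alert('xss');</script> is emitted as live markup
// every time the history list is drawn.
function unsafeHistoryLink(term) {
  return `<a href="?search=${term}">${term}</a>`;
}

// Hardened rendering: URL-encode the term for the query string, then HTML-escape
// the resulting href and the visible text for their respective contexts.
function safeHistoryLink(term) {
  const href = '?search=' + encodeURIComponent(term);
  return `<a href="${escapeHtml(href)}">${escapeHtml(term)}</a>`;
}

// The term from the bug report, used here as a constructed test input.
const REPORTED_TERM = "<script>alert('xss');</script>";

// Detection check: does rendered markup still contain an unescaped script tag?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}
```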

Attachments

1. Profile_Search.PNG (13 kB, Oliver Williams)
2. s1.png (32 kB, Alan Berg)
3. s2.png (43 kB, Alan Berg)
4. s3.png (13 kB, Alan Berg)

People

Assignee: a.fish@lancaster.ac.uk Adrian Fish
Reporter: a.m.berg@uva.nl Alan Berg
Votes: 0
Watchers: 5
