This repository was archived by the owner on Dec 19, 2023. It is now read-only.
Fixing XSS in SIP plugin#1
Open
hunterale wants to merge 2 commits into
Open
Conversation
|
👋 Hello, @akrherz - @hunterale has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment ( If you have any questions or need support, come and join us on our community Discord! @akrherz & @hunterale - thank you for your efforts in securing the world’s open source code! 🎉 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📊 Metadata *
Bounty URL: https://www.huntr.dev/bounties/1-other-openfire-sip-plugin/
⚙️ Description *
In the page showing SIP Phone Mappings, the (dangerous) username characters that can cause an XSS are transformed in a way the are not dangerous any more, preserving the correct name visualization of the username
💻 Technical Description *
The XSS payload was inserted in the html template without escaping/encoding the dangerous characters. The fix is the followings: creating a StringUtils class (the same used in the Openfire parent project) with a method that HTML-escapes dangerous characters and using the method to sanitize the payload so it doesn't work any more
🐛 Proof of Concept (PoC) *
The video shows the triggered xss by the payload reported at the bounty url. The version of SIP plugin in video is 1.2.6 installed from the official marketplace
triggered_xss.mp4
🔥 Proof of Fix (PoF) *
The video shows that inserting the xss payload, the xss is not triggered anymore. The SIP plugin is the fixed version (snapshot-1.2.7)
fixed_xss_sip_plugin.mp4
👍 User Acceptance Testing (UAT)
After the fix, the page is still working correctly as before the fix and the XSS is not triggered anymore