[security][CVE-2024-48933] XSS/HTML Injection login page when user contains special characters
Affected version
Version: 2.19.2
Summary
- Change the userControl regexp to allow some special characters (",< etc)
- Try to login with
dwho"
/dwho
- The double quote breaks out of the JS string in script.tpl and out of the value attribute of the form in standardform.tpl
Logs
<script type="application/init">
{
"displaytab":"",
"choicetab":"",
"login":"dwho"" ,
"newwindow":0,
"appslistorder":"",
...
<input id="userfield" name="user" type="text" class="form-control" value="dwho"" trplaceholder="login" required aria-required="true"/>
Possible fixes
The use of LOGIN in the form is easy to fix: add ESCAPE=HTML to the templates.
However, the use in script.tpl is tricky: escaping it as JS does not prevent breaking out of the script with a closing </script> tag (the HTML parser ends the element at the first </script> it sees, whatever the JS string syntax says), and escaping it as HTML breaks the value.
It seems that exposing the login in script.tpl is only used by this code in portal.coffee:
    if datas['login']
      $("input[type=password]:first").focus()
    else
      # If there are no auto-focused fields, focus on first visible input
      if $("input[autofocus]").length == 0
        $("input[type!=hidden]:first").focus()
So we don't really need the value, only its presence, and we could replace this JS code with a conditional autofocus attribute in the forms:
<TMPL_IF NAME="LOGIN">autofocus</TMPL_IF>
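An added example, not part of this report and not LemonLDAP::NG code: a small Node.js script that mimics the two template fragments quoted above with string templates and checks, for the login from the report and for a constructed `</script>` payload, whether each escaping strategy discussed here keeps the value inside its context. The function names, the `PAYLOADS` table and the way the templates are reconstructed are assumptions made for this example; the `closeTag` payload is constructed to illustrate the closing-tag breakout described above.

```javascript
// Added example (not LemonLDAP::NG code). Reconstructs the standardform.tpl
// input and the script.tpl JSON as string templates and tests each escaping
// strategy from the report against attacker-controlled logins.

const PAYLOADS = {
  plain: "dwho",                                         // harmless login
  quote: 'dwho"',                                        // payload from the report
  closeTag: "dwho</script><script>alert(1)</script>",    // constructed for this example
};

const identity = (s) => String(s);

// What ESCAPE=HTML does: entity-encode the characters that matter in attributes.
const escapeHtml = (s) => String(s)
  .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
  .replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Plain JS-string escaping: backslashes and double quotes only.
const escapeJs = (s) => String(s).replace(/\\/g, "\\\\").replace(/"/g, '\\"');

// JSON escaping plus \u-escaping of "<", ">" and "&": the result is still a valid
// JSON string but can never contain a literal "</script>" or "<!--".
// Returns the contents of the literal (without the surrounding quotes).
const escapeJsonForScript = (s) => JSON.stringify(String(s)).slice(1, -1)
  .replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026");

// standardform.tpl-like fragment
function renderInput(login, escape) {
  return `<input id="userfield" name="user" type="text" value="${escape(login)}"/>`;
}

// script.tpl-like fragment: the login is interpolated into a JSON string literal
function renderScript(login, escape) {
  return `<script type="application/init">\n{"login":"${escape(login)}"}\n</script>`;
}

// Read the attribute back the way a browser would (entity decoding) and compare
// it with the intended login; any mismatch means the value escaped the attribute.
function inputValueIntact(html, login) {
  const m = /value="([^"]*)"/.exec(html);
  if (!m) return false;
  const decoded = m[1].replace(/&quot;/g, '"').replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
  return decoded === login;
}

// The HTML parser ends a <script> element at the FIRST "</script>", whatever the
// JS string syntax says; what follows is parsed as markup. So the body is taken
// up to the first closing tag and must still be JSON carrying the same login.
function scriptValueIntact(html, login) {
  const bodyStart = html.indexOf(">") + 1;
  const bodyEnd = html.indexOf("</script>", bodyStart);
  const body = html.slice(bodyStart, bodyEnd);
  try {
    return JSON.parse(body).login === login;
  } catch (e) {
    return false; // not parseable: the script element was broken open
  }
}

// The fix proposed in the report: script.tpl no longer carries the login at all;
// the form gets a conditional autofocus attribute, so no user data reaches JS.
function renderPasswordField(login) {
  return `<input name="password" type="password"${login ? " autofocus" : ""}/>`;
}

// true = value survived in its context, false = breakout or corrupted value
function summarize(payload) {
  return {
    inputRaw: inputValueIntact(renderInput(payload, identity), payload),
    inputHtml: inputValueIntact(renderInput(payload, escapeHtml), payload),
    scriptRaw: scriptValueIntact(renderScript(payload, identity), payload),
    scriptJs: scriptValueIntact(renderScript(payload, escapeJs), payload),
    scriptHtml: scriptValueIntact(renderScript(payload, escapeHtml), payload),
    scriptJson: scriptValueIntact(renderScript(payload, escapeJsonForScript), payload),
  };
}

for (const [name, payload] of Object.entries(PAYLOADS)) {
  console.log(name, summarize(payload));
}
console.log(renderPasswordField(PAYLOADS.quote));
```

The matrix shows the three points made in the report: `ESCAPE=HTML` fixes the input attribute, JS escaping survives the `"` payload but not the `</script>` one, and HTML escaping inside the script keeps the element intact while corrupting the value. The `escapeJsonForScript` column is an alternative if the value ever has to stay in script.tpl; the presence-only `autofocus` approach avoids the problem entirely because nothing user-controlled is interpolated.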