Server-Side Reflected XSS via POST to /gosa/password.php #14

Closed
@fmeum

(Published here as requested by Gonicus)

The /gosa/password.php endpoint fails to sanitize the uid POST parameter, leading to a Server-Side Reflected XSS vulnerability as this parameter is later assigned to a Smarty variable of the same name and then rendered in the context of an HTML attribute in password.tpl. As a result, arbitrary JavaScript can be executed in the GOSA origin.
This vulnerability is very similar to the one reported as CVE-2014-9760, but uses a different endpoint.

Suggested fix (untested): Use set_post() to escape the value of uid before assigning it to the Smarty variable here.
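
The attribute-context escaping the report asks for, as an added example that is not GOsa code and not part of the original report. The function names and the one-line template are hypothetical stand-ins for password.tpl, and PHP's `htmlspecialchars()` is used in place of `set_post()`, whose implementation is not shown on this page.

```php
<?php
// Added example: hypothetical stand-in for a template that places the
// uid POST value inside an HTML attribute. Not taken from GOsa.

function render_unescaped(string $uid): string
{
    // Raw value goes straight into the attribute (the reported pattern).
    return '<input type="text" name="uid" value="' . $uid . '">';
}

function render_escaped(string $uid): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot end the attribute.
    $safe = htmlspecialchars($uid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="uid" value="' . $safe . '">';
}

// Regression check: parse the markup and return the <input> element.
function parse_input(string $html): DOMElement
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    return $doc->getElementsByTagName('input')->item(0);
}

function attribute_names(DOMElement $el): array
{
    $names = [];
    foreach ($el->attributes as $attr) {
        $names[] = $attr->name;
    }
    sort($names);
    return $names;
}

// Constructed, inert test value: a quote followed by a marker attribute.
$uid = 'alice" data-injected="1';
$expected = ['name', 'type', 'value'];

foreach (['unescaped' => render_unescaped($uid), 'escaped' => render_escaped($uid)] as $label => $html) {
    $el = parse_input($html);
    $intact = attribute_names($el) === $expected        // no extra attributes appeared
           && $el->getAttribute('value') === $uid;      // value round-trips unchanged
    printf("%-9s attribute boundary intact: %s\n", $label, $intact ? 'yes' : 'no');
}
```

The same check can run in a test suite against the real rendered template output to catch a regression if the escaping is later removed.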
