XSS in suggestion box
Hi everybody,

Recently we have found that when creating a user, Nuxeo allows you to set some fields like firstName or lastName with HTML code. See the examples below:

```shell
curl -X POST -H "Content-Type: application/json" -u Administrator:Administrator \
  -d '{ "entity-type": "user", "id":"xssuser", "properties":{"username":"xssuser", "email":"xss@athento.com", "lastName":"XSS attack!", "firstName":"<script>alert(\"You have been hacked!\");</script>", "password":"xsspasswd" } }' \
  http://localhost:8080/nuxeo/api/v1/user
```

This will result in the following situation:

It is also possible to include the same fields in the user-creation form via the UI.

When you try to search for the user using the suggestion box (in the top-right corner of the page) you'll get the following message:

If you load the default search page and your compromising documents (users in this case) are included in the results page, the script code is also executed.

The same happens when you change the dc:title field or any field listed in the search layout.

Is there any bugfix for this?

Thanks,
Asked by Paco Alías on 2016-01-18 (the question was revised twice; the earlier revisions contain the same text).
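The failure the question describes is a stored XSS: the payload lives in the user directory, so it runs in the browser of whoever is shown the suggestion, which for the top-right search box includes administrators. The example below is added here and is not part of the original post or of Nuxeo's code. It models a suggestion-box formatter in JavaScript (the real Nuxeo widget template is not reproduced; the markup, function names and the user record built from the curl command above are assumptions for the example), shows the vulnerable string-building beside the output-encoded version, and adds two checks: one a tester can run on rendered markup, one an administrator could apply to name fields at creation time.

```javascript
// Added example, not Nuxeo's code: a toy suggestion-box formatter that leaks
// stored XSS by concatenating user fields into HTML, beside the encoded fix.

// Constructed sample record: the user created by the curl command in the
// question, as a suggestion endpoint might return it.
const storedUser = {
  username: "xssuser",
  firstName: '<script>alert("You have been hacked!");</script>',
  lastName: "XSS attack!",
  email: "xss@athento.com",
};

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable formatter (hypothetical template): fields are placed into the
// markup verbatim, so the stored <script> element is parsed and executed.
function renderSuggestionUnsafe(user) {
  return `<div class="suggestion" title="${user.email}">` +
    `${user.firstName} ${user.lastName} (${user.username})</div>`;
}

// Hardened formatter: every untrusted field is encoded for the context it
// lands in (attribute value for title, text node for the visible label).
function renderSuggestionSafe(user) {
  return `<div class="suggestion" title="${escapeHtml(user.email)}">` +
    `${escapeHtml(user.firstName)} ${escapeHtml(user.lastName)} ` +
    `(${escapeHtml(user.username)})</div>`;
}

// Tester's check on rendered markup: does any tag appear that the template
// itself did not emit? Encoded output never produces a "<" so it passes.
function containsInjectedMarkup(html, templateTags = ["div"]) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!templateTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Administrator's input check (an idea added here, not a Nuxeo feature):
// refuse tags and character references in name fields at creation time.
function looksLikeMarkup(value) {
  const s = String(value);
  return /<[a-zA-Z!\/?]/.test(s) || /&#?\w+;/.test(s);
}

console.log(renderSuggestionUnsafe(storedUser));
console.log(renderSuggestionSafe(storedUser));
```

Output encoding at the point of rendering is the fix that matters, because it is applied to every field the layout displays, including dc:title and any other field a user can edit later. The `looksLikeMarkup` filter only narrows the easy cases: a value written through another path, or a field that is later changed, still reaches the renderer unfiltered, so treat it as defense in depth rather than as the fix.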