[Kolab-devel] [issue4287] Kolab webadmin is missing protection against XSS and XSRF

Gunnar Wrobel issues at kolab.org
Thu Apr 1 10:15:34 CEST 2010


New submission from Gunnar Wrobel <p at rdus.de>:

The web admin protects neither against XSS
(http://de.wikipedia.org/wiki/Cross-Site_Scripting) based exploits nor against
XSRF (http://de.wikipedia.org/wiki/Cross-Site_Request_Forgery). Both are common
exploit strategies for web applications.

In the context of the web admin it should be possible to gain admin rights if
you are a standard user. E.g. by adding JavaScript snippets into any of your
personal details stored in LDAP and directing the admin of the system to your
user page. This will execute the JavaScript and be used to create new accounts
and/or modify the admin password.

Protection against XSS requires proper HTML escaping of all output from external
sources (mainly LDAP here). Protection against XSRF usually means adding shared
tokens to all write operations.

----------
assignedto: wrobel
keyword: server, web admin
messages: 24604
nosy: bernhard, thomas, wilde, wrobel
priority: urgent
status: unread
title: Kolab webadmin is missing protection against XSS and XSRF

______________________________________
Kolab issue tracker <issues at kolab.org>
<https://issues.kolab.org/issue4287>
______________________________________
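The two countermeasures named in the report (escaping LDAP-sourced output, and a per-session token on write operations), as an added example in Python that is not part of the Kolab web admin code base. The LDAP entry, the dict-based session store and the form dict are constructed stand-ins for illustration; the attribute and form field names are assumptions, not Kolab's.

```python
"""Added example: HTML-escaping LDAP-sourced output and CSRF tokens on writes."""
import hmac
import html
import secrets

# Constructed sample: a standard user has stored a script payload in one of
# the attributes they are allowed to edit themselves.
MALICIOUS_ENTRY = {
    "uid": ["mallory"],
    "cn": ["Mallory Example"],
    "description": ["<script>document.location='/admin/newuser'</script>"],
}


def render_attribute_table_unsafe(entry):
    """The behaviour the report describes: LDAP values are put into the
    page verbatim, so a stored script runs in the admin's browser."""
    rows = "".join(
        f"<tr><td>{name}</td><td>{value}</td></tr>"
        for name, values in entry.items()
        for value in values
    )
    return f"<table>{rows}</table>"


def render_attribute_table(entry):
    """Fixed rendering: every attribute name and value from LDAP is escaped
    for an HTML text context. quote=True also escapes ' and " so the same
    helper is safe inside attribute values."""
    rows = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
        for name, values in entry.items()
        for value in values
    )
    return f"<table>{rows}</table>"


# --- XSRF: shared token on every write operation -------------------------

def issue_csrf_token(session):
    """Create one random token per session, keep it server-side, return it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hidden_token_field(session):
    """Hidden form field carrying the token into each write form. The token
    is escaped like any other output, even though it is server-generated."""
    token = html.escape(issue_csrf_token(session), quote=True)
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def check_write_request(session, form):
    """Accept a write (POST) only if it carries the token bound to this
    session. A cross-site form post cannot know the token, so it is rejected.
    compare_digest keeps the comparison constant-time."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    print(render_attribute_table_unsafe(MALICIOUS_ENTRY))
    print(render_attribute_table(MALICIOUS_ENTRY))
    sess = {}
    print(hidden_token_field(sess))
    print(check_write_request(sess, {"csrf_token": sess["csrf_token"]}))
    print(check_write_request(sess, {"csrf_token": "forged"}))
```

The escaping has to be applied at output time for every value that did not originate in the application itself; with LDAP as the main external source here, that means every attribute shown on user and group pages. The token check belongs in front of each handler that modifies LDAP (create user, change password, and so on), not only on the forms the admin sees.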
