[jitsi-users] XSS in chat window of meet.jit.si


#1

Hi List,

I found a XSS [1] in the chat window of meet.jit.si.

Injection can be achieved by simply escaping the double-quote:
[Copy n paste the following into the chat window]

*"<script>alert("Eto ti biskvitka:\n\n"+document.cookie);</script>*

To solve this meta-character problem, all dangerous meta characters
should be escaped into their equivalent HTML-entities [2].

I hope this helps?

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2]
http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

P.S. Pozdravi na vsicki Bulgari v otbora :wink:

Ciao,

···

--
Dash Shendy
www: http://dash.za.net


#2

Hey Dash,

Great catch! (And one would should have seen :wink: )

We'll fix this today or tomorrow.

Thanks,
Emil

···

On 25.02.2014, at 02:45, Dash Shendy <neuromancer@dash.za.net> wrote:

Hi List,

I found a XSS [1] in the chat window of meet.jit.si.

Injection can be achieved by simply escaping the double-quote:
[Copy n paste the following into the chat window]

"<script>alert("Eto ti biskvitka:\n\n"+document.cookie);</script>

To solve this meta-character problem, all dangerous meta characters
should be escaped into their equivalent HTML-entities [2].

I hope this helps?

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

P.S. Pozdravi na vsicki Bulgari v otbora :wink:

Ciao,
--
Dash Shendy
www:
http://dash.za.net
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

--
https://jitsi.org