XSS vulnerabilities in 3.2.2

Hello,

We’re migrating to Indico 3.2.2, so I’ve installed this on a test server. A Nessus scan of this server shows XSS issues, e.g.

  • The following resources may be vulnerable to HTML injection :
  • The ‘password’ parameter of the /login/ CGI :
    /login/?password=<"awapoz%20>
    -------- output --------
    Content-Length: 6223
    Connection: keep-alive
    X-Indico-URL: /login/?password=<"awapoz%20>
    Set-Cookie: indico_session=f327e010-9ba2-42d9-bff5-e56613060660; E […]

(there are several pages of similar items).

Is this a real problem, and if so is there a fix or a workaround?

Thanks and regards,

Chris

Sorry, but where is the XSS there? Your scanner seems to consider ANY echoing a problem, but the URL being echoed back in a header is no XSS risk whatsoever.

Thanks for the quick answer. I think that it is complaining that it gets put into the X-Indico-URL header. I think this is not an issue and the scanner is being over-careful. Can you confirm that it is not a problem?

Thanks,

Chris

Exactly, headers are not even rendered as HTML anywhere…
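
Added example, not part of the original thread and not Indico or Nessus code: a small triage helper that reports where a scanner's probe string comes back in a response, so header-only echoes like the `X-Indico-URL` one above can be separated from findings where the probe reaches an HTML body unescaped. The function names and the three sample responses (including the `Content-Type` header and the bodies) are constructed for illustration.

```python
import html
from urllib.parse import unquote

HTML_TYPES = {"text/html", "application/xhtml+xml"}

def parse_response(raw):
    """Split a raw HTTP response into (lower-cased header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def classify_reflection(raw, probe):
    """Say where the scanner's probe string comes back in the response."""
    headers, body = parse_response(raw)
    forms = {probe, unquote(probe)}          # as sent and URL-decoded
    ctype = next((v for n, v in headers if n == "content-type"), "")
    is_html = ctype.split(";")[0].strip().lower() in HTML_TYPES
    if any(f in body for f in forms):
        # Raw markup characters in the body: this is the case to review.
        return "body-unescaped-html" if is_html else "body-unescaped-nonhtml"
    if any(f in html.unescape(body) for f in forms):
        return "body-escaped"                # present only as HTML entities
    if any(f in v for _, v in headers for f in forms):
        return "header-only"                 # e.g. echoed in X-Indico-URL
    return "not-reflected"

# Constructed sample responses (not captured from a real server).
PROBE = '<"awapoz%20>'
HEADER_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Indico-URL: /login/?password=" + PROBE + "\r\n"
    "\r\n"
    "<html><body><form action='/login/'></form></body></html>"
)
ESCAPED = HEADER_ONLY.replace("<form", "<p>&lt;&#34;awapoz &gt;</p><form")
UNESCAPED = HEADER_ONLY.replace("<form", '<p><"awapoz ></p><form')

if __name__ == "__main__":
    for name, raw in [("header-only", HEADER_ONLY), ("escaped", ESCAPED),
                      ("unescaped", UNESCAPED)]:
        print(name, "->", classify_reflection(raw, PROBE))
```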