Crowd Security Advisory 2010-07-05
This advisory announces a security vulnerability in earlier versions of Crowd that we have found and fixed in Crowd 2.0.5.
In this advisory:
XSS Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a cross-site scripting (XSS) vulnerability that may affect Crowd instances in a public environment. This vulnerability may allow an attacker to embed their own JavaScript into the Crowd login page. An attacker's text and script might be displayed to other people viewing the page. This is potentially damaging to your company's reputation.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Vulnerability
The Crowd login form may be vulnerable to XSS attacks. This vulnerability is tracked in CWD-1952.
This vulnerability exists in all versions of Crowd up to and including Crowd 2.0.4.
Risk Mitigation
To address the issue, we recommend that you upgrade Crowd. If you cannot upgrade immediately, you can fix the XSS vulnerability by editing your configuration to disallow request parameters in generated URLs. Details are below.
Alternatively, if you are not in a position to upgrade or edit your configuration immediately, you should configure your firewall to block Internet access to Crowd.
Fix
Crowd 2.0.5 fixes the security flaw and other bugs. See the release notes. You can download Crowd 2.0.5 from the download centre.
If you cannot upgrade immediately, you can fix this XSS vulnerability by disallowing request parameters in generated URLs. You can globally turn off the inclusion of request parameters in generated URLs by editing your WebWork properties file:
- Edit the
webwork.properties
file located at {CROWD-INSTALLATION-DIRECTORY}\crowd-webapp\WEB-INF\classes\webwork.properties
. - Add the following property as a new line in the file:
webwork.url.includeParams=none
- Save the file.
- Restart Crowd.
The WebWork documentation has more about the webwork.properties file.