XSS error on the account login page

Issue: SI-4
Date: Sep 9, 2012, 8:00:00 PM
Severity: Medium
Requires Admin Access: No
Fix Version: 2.2
Credit: Constant Contact
Description:

  1. XSS in http://dotcms.constantcontact.com/c/portal_public/login
     on the my_account_logon parameter (the User ID field on the login form):

     my_account_logon='"'>'

  2. XSS in http://dotcms.constantcontact.com/c/portal_public/login
     on the my_account_email_address parameter.

     To reproduce, leave the my_account_logon param blank and set
     my_account_email_address="/>

Mitigation:

Valid workarounds:

  1. Upgrade to dotCMS 2.2+
  2. Restrict access to the admin tools to a set of trusted IPs
  3. Override your dotCMS/html/portal/login.jsp and add the code shown here: https://github.com/dotCMS/dotCMS/commit/b2dbc79d07faaf913f5cdc7ee6e9b94144fdcf93
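As an added illustration of what the login.jsp change has to achieve (this is not dotCMS code and not the contents of the linked commit), the Java below renders the login form's input field twice: once with the submitted parameter echoed raw into the value attribute, and once after HTML-attribute encoding. The class, the encoder and the two render helpers are hypothetical names chosen for this example; the two parameter values are the ones quoted in the description above.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class LoginFormEncoding {

    /** Encode a string for safe placement inside an HTML attribute value or text node. */
    static String encodeForHtmlAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the request parameter is concatenated straight into the attribute,
    // so a quote in the value closes the attribute and the rest is parsed as markup.
    static String renderRaw(String name, String value) {
        return "<input type=\"text\" name=\"" + name + "\" value=\"" + value + "\">";
    }

    // Hardened pattern: the same value is encoded before it is placed in the attribute,
    // so quotes and angle brackets survive only as character references.
    static String renderEncoded(String name, String value) {
        return "<input type=\"text\" name=\"" + name + "\" value=\""
                + encodeForHtmlAttribute(value) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample input: the two parameter values quoted in the advisory.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("my_account_logon", "'\"'>'");
        params.put("my_account_email_address", "\"/>");
        for (Map.Entry<String, String> e : params.entrySet()) {
            System.out.println("raw:     " + renderRaw(e.getKey(), e.getValue()));
            System.out.println("encoded: " + renderEncoded(e.getKey(), e.getValue()));
        }
    }
}
```

Inside a JSP the equivalent of encodeForHtmlAttribute is JSTL's `<c:out value="${param.my_account_logon}"/>`, which escapes XML/HTML characters by default; the point is that every reflected parameter goes through such an encoder before reaching the attribute.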
References:
  • https://github.com/dotCMS/dotCMS/issues/1092