Skip to content

XSS on login form #1379

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
cgod opened this issue Feb 28, 2020 · 0 comments
Closed

XSS on login form #1379

cgod opened this issue Feb 28, 2020 · 0 comments
Labels
bug Something isn't working

Comments

@cgod
Copy link

cgod commented Feb 28, 2020

  • code-server version: code-server2.1698-vsc1.41.1-darwin-x86_64
  • OS Version: MacOS 10.14.6

Description

Login form echoes bad password back to page without any sanitization.

Steps to Reproduce

Attempt to log in with password:

"><script>alert('hi')</script>

Browser alert with message "hi" is displayed, and form shows

" required autofocus onfocus="const value=this.value;this.value='';this.value=value;">

This text could easily be hidden by starting a new tag at the end of the password, but I've left it to help illustrate the issue.

There is generally no good reason for inserting a bad password back into the input, so simply not doing that should mitigate this particular instance.

In its current state, it seems likely that a malicious site could post to this form (since there's also no CSRF protection) with a password that would inject code that could steal the site cookies, replace the login form and steal entered password, etc.
@cgod cgod added the bug Something isn't working label Feb 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cgod