Javascript allowed in OU names, v2.22

Bug #1549378 reported by Timothy Harding on 2016-02-24
Affects: DHIS
Status: Fix Released
Importance: High
Assigned to: Morten Olav Hansen
Milestone: 2.23

Bug Description

Conducting a training and just had a user pop some JavaScript into the org unit name which, when the user revealed it in the org unit hierarchy, fired off the JavaScript. I tested this in Firefox; the attached file was the result.

Attachment: "Screen Shot 2016-02-24 at 11.38.36 AM.png"
https://bugs.launchpad.net/bugs/1549378/+attachment/4580110/+files/Screen%20Shot%202016-02-24%20at%2011.38.36%20AM.png

Is this a security risk?

--
Knut Staring
Dept. of Informatics, University of Oslo
Norway: +4791880522
Skype: knutstar
http://dhis2.org

Bob Jolliffe (bobjolliffe) wrote:

Yes, firing off arbitrary JavaScript is not a good thing.

It should probably be filtered on input and escaped on output, though
opinions vary a bit on approaches. I think these sorts of issues were
being targeted in the new metadata maintenance app.


Morten Olav Hansen (mortenoh) wrote:

Fixed and backported to 2.21, 2.22

Changed in dhis2:
assignee: nobody → Morten Olav Hansen (mortenoh)
status: New → Confirmed
importance: Undecided → High
milestone: none → 2.23
status: Confirmed → Fix Released

Thanks Morten!

*Timothy Harding*
Sr. Systems Analyst, BAO Systems
+1 202-536-1541 | <email address hidden> | http://www.baosystems.com | Skype:
<email address hidden> | 2900 K Street, Suite 404, Washington D.C. 20007
