XSS Security issues (last version in demo)


Rodrigo Orgaz

Nov 19, 2015, 6:31:17 AM11/19/15
to BigBlueButton-dev

We found a high-potential security issue in the live demo version. It's possible to inject JavaScript in the parameter meetingID.


Fred Dixon

Nov 19, 2015, 7:00:28 AM11/19/15
to BigBlueButton-dev
Hi Rodrigo,

Thanks for your post.  We can see that the API examples do not strip out some characters or encode in some cases.  We will fix that.

The API examples are for testing BigBlueButton only.  If you install them on a BigBlueButton server, you'll get the following warning message when running

  sudo bbb-conf --check

# Warning: The API demos are installed and accessible from:
#
#
# These API demos allow anyone to access your server without authentication
# to create/manage meetings and recordings. They are for testing purposes only.
# If you are running a production system, remove them by running:
#
#    sudo apt-get purge bbb-demo


Regards, Fred



On Thu, Nov 19, 2015 at 9:31 AM, Rodrigo Orgaz <orgazr...@gmail.com> wrote:

We found a high-potential security issue in the live demo version. It's possible to inject JavaScript in the parameter meetingID.





--
BigBlueButton Developer
@bigbluebutton
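The missing encoding Fred describes, shown as an added example that is not part of this thread or of the BigBlueButton API demos' own code: the meetingID value reflected unchanged beside a version that encodes it separately for each output context (HTML text, quoted attribute, URL query). The page markup, the link path and the sample value are constructed here for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample value standing in for an attacker-controlled meetingID
# query parameter; not taken from the thread.
SAMPLE_MEETING_ID = '<script>alert(1)</script>" onmouseover="alert(2)'


def render_vulnerable(meeting_id: str) -> str:
    """Reflects meetingID verbatim into the page, the behaviour reported above.

    Whatever the caller supplied becomes markup, so a value containing
    '<' or '"' breaks out of the text node and the attribute.
    """
    return (f'<h2>Meeting: {meeting_id}</h2>\n'
            f'<input name="meetingID" value="{meeting_id}">')


def render_hardened(meeting_id: str) -> str:
    """Encodes meetingID once per output context before reflecting it.

    Each sink needs its own encoding: an HTML text node, a quoted attribute
    value and a URL query component are three different parsers.
    """
    as_text = html.escape(meeting_id, quote=False)   # '<' '>' '&' for text nodes
    as_attr = html.escape(meeting_id, quote=True)    # also '"' and "'" for attributes
    as_query = quote(meeting_id, safe="")            # percent-encode for a query string
    # "/demo/join" is a hypothetical path used only for this example.
    return (f'<h2>Meeting: {as_text}</h2>\n'
            f'<input name="meetingID" value="{as_attr}">\n'
            f'<a href="/demo/join?meetingID={as_query}">Join</a>')


def reflects_raw_markup(rendered: str, payload: str) -> bool:
    """Detection helper: True when the unencoded payload survives into the output."""
    return payload in rendered


if __name__ == "__main__":
    print("vulnerable reflects raw markup:",
          reflects_raw_markup(render_vulnerable(SAMPLE_MEETING_ID), "<script>"))
    print("hardened reflects raw markup:",
          reflects_raw_markup(render_hardened(SAMPLE_MEETING_ID), "<script>"))
    print(render_hardened(SAMPLE_MEETING_ID))
```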