Issue 1966 in bigbluebutton: API meetingID spec.


bigblu...@googlecode.com

Jul 23, 2015, 1:42:54 PM
to bigbluebutton...@googlegroups.com
Status: Accepted
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 1966 by 207T...@gmail.com: API meetingID spec.
https://code.google.com/p/bigbluebutton/issues/detail?id=1966

The spec for the meetingID

“Meeting IDs should only contain upper/lower ASCII letters, numbers,
dashes, or underscores.”

The controller allows more characters than this, which can potentially cause
issues or vulnerabilities. The demo page uses ', like "Fred's Meeting".

In looking at XSS prevention.

Here are the 2 calls for create and join.

http://test-install.blindsidenetworks.com/bigbluebutton/api/create?allowStartStopRecording=true&attendeePW=ap&autoStartRecording=false&meetingID=%3Cscript%3Ealert%28%22123%22%29%3B%3C%2Fscript%3E&moderatorPW=mp&name=%3Cscript%3Ealert%28%22123%22%29%3B%3C%2Fscript%3E&record=false&voiceBridge=72166&welcome=%3Cbr%3EWelcome+to+%3Cb%3E%25%25CONFNAME%25%25%3C%2Fb%3E%21&checksum=ea63bbfbbf1d2084f426f9bbf0ff17860dc380a6

http://test-install.blindsidenetworks.com/bigbluebutton/api/join?fullName=User+6556044&meetingID=%3Cscript%3Ealert%28%22123%22%29%3B%3C%2Fscript%3E&password=mp&redirect=true&checksum=5b2f00a621ccf06830d8be825835b9cabf5a39b2

Results of create:
<meeting>
<returncode>SUCCESS</returncode>
<meetingName><script>alert("123");</script></meetingName>
<meetingID><script>alert("123");</script></meetingID>
<createTime>1437506462649</createTime>
<createDate>Tue Jul 21 15:21:02 EDT 2015</createDate>
<voiceBridge>72166</voiceBridge> <dialNumber>613-555-1234</dialNumber>
<running>true</running>
<duration>0</duration>
.....

Not an issue with the Flash client; not sure about the HTML5 client or
integration pages that try to display this.

Meeting name and welcome need to allow more options for localization and
passing HTML links; not sure what can be done to remove scripts.

Larger implementations may choose to handle this through load balancing logic.








bigblu...@googlecode.com

Jul 24, 2015, 2:49:53 PM
to bigbluebutton...@googlegroups.com

Comment #1 on issue 1966 by calvin...@kepstin.ca: API meetingID spec.
https://code.google.com/p/bigbluebutton/issues/detail?id=1966

We'll look into applying these changes.

We might have to change the accepted characters in meeting ids, because
some integrations are not compatible with the listed spec.

Either way, the API calls should be returning the meetingName and meetingID
parameters in an XML-encoded form that can be safely interpreted, like:

<meetingName>&lt;script&gt;alert("123");&lt;/script&gt;</meetingName>

I wonder why that's not the case already, we might be using XML creation
functions incorrectly...
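
The two checks discussed in this thread, as an added example that is not part of the original messages and is not BigBlueButton's code: the meetingID allow-list from the quoted spec, and an API response built by string concatenation beside one built with an XML serializer. The function names are hypothetical and Python is used only for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Allow-list quoted in the issue: ASCII letters, digits, dashes, underscores.
MEETING_ID_RE = re.compile(r"[A-Za-z0-9_-]+")

# Value passed as meetingID and name in the issue's create call (URL-decoded).
PAYLOAD = '<script>alert("123");</script>'


def valid_meeting_id(meeting_id):
    # fullmatch() also rejects a trailing newline, which a ^...$ pattern
    # used with match() would accept.
    return MEETING_ID_RE.fullmatch(meeting_id) is not None


def create_response_concat(name, meeting_id):
    """Unsafe: splices raw values into markup, as in the output in the issue."""
    return ("<meeting><returncode>SUCCESS</returncode>"
            f"<meetingName>{name}</meetingName>"
            f"<meetingID>{meeting_id}</meetingID></meeting>")


def create_response_encoded(name, meeting_id):
    """Safe: the serializer escapes <, > and & so values remain text nodes."""
    root = ET.Element("meeting")
    ET.SubElement(root, "returncode").text = "SUCCESS"
    ET.SubElement(root, "meetingName").text = name
    ET.SubElement(root, "meetingID").text = meeting_id
    return ET.tostring(root, encoding="unicode")


def injected_children(xml_text, field):
    """Element names a parser finds inside a field that should hold only text."""
    return [child.tag for child in ET.fromstring(xml_text).find(field)]


if __name__ == "__main__":
    for build in (create_response_concat, create_response_encoded):
        xml_text = build(PAYLOAD, PAYLOAD)
        print(build.__name__, injected_children(xml_text, "meetingName"))
        print(" ", xml_text)
    for candidate in ("fred-meeting_1", "Fred's Meeting", PAYLOAD):
        print(repr(candidate), valid_meeting_id(candidate))
```

The encoded response round-trips the original name unchanged through a parser, so encoding the output does not restrict what meeting names may contain.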

bigblu...@googlecode.com

Jul 24, 2015, 2:56:39 PM
to bigbluebutton...@googlegroups.com
Updates:
Owner: ritza...@gmail.com
Cc: calvin...@kepstin.ca
Labels: Milestone-Release1.0.0

Comment #2 on issue 1966 by calvin...@kepstin.ca: API meetingID spec.
https://code.google.com/p/bigbluebutton/issues/detail?id=1966

(No comment was entered for this change.)