XSS attack on log in page


EKuzmin

Jul 8, 2025, 5:17:14 AMJul 8
to Jam.py Users Mailing List
I deployed jam server (v7.0.58) in our local network. I configured login and password as described in this instruction https://jam-py.com/docs/how_to/authentication/how_to_authenticate_from_custom_users_table.html

My colleague, a pentester, started checking the jam server and found the simplest XSS attack: if you enter this code "><script>alert(1)</script> in the login field, a third-party JavaScript is triggered.

After that, he injected Java code to intercept passwords and was able to steal the password from my test account. 

I ask the developers to pay attention to this vulnerability and eliminate the possibility of launching JavaScript through authorization fields.

Dean D. Babic

Jul 8, 2025, 6:59:15 AMJul 8
to Jam.py Users Mailing List
Submit a patch or use SAML or OAuth as in here:

EKuzmin

Jul 8, 2025, 7:02:41 AMJul 8
to Jam.py Users Mailing List
I clicked on your link and got:

Something went wrong :-(

Something went wrong while trying to load this website; please try again later.

If it is your site, you should check your logs to determine what the problem is.


On Tuesday, July 8, 2025 at 12:59:15 UTC+2, Dean D. Babic wrote:

Drazen Babic

Jul 8, 2025, 7:08:09 AMJul 8
to EKuzmin, Jam.py Users Mailing List


Dean D. Babic

Jul 8, 2025, 11:34:32 PMJul 8
to Jam.py Users Mailing List
Here you go, in wsgi.py 
import html
...
                    login_params['login'] = html.escape(form['login'])
                    login_params['password'] = html.escape(form['password'])
...

it is not that hard. If you have people for pen testing I'm sure there are people with 
some Python knowledge.
Remember, Open Source is not about requesting stuff to fix.
It is about politely asking for help IF you can't fix it yourself. So this statement:
"I ask the developers to pay attention to..."
- is not how I would deal with people who are spending their own time for free.

Dr. Andrey Alekseevich Yushev did what he did, the rest is on our good will.

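The fix suggested above, worked through as an added example (not code from Jam.py or from the poster): a hypothetical login form that reflects the submitted login name into a value="..." attribute, rendered raw and then with html.escape. The check worth keeping is that quote=True (html.escape's default) is what stops the input from closing the attribute; with quote=False the angle brackets are escaped but the attribute can still be closed early.

```python
import html

# Constructed attacker-style input: the same payload the thread reports being
# typed into the login field (a sample for the demonstration, not project code).
PAYLOAD = '"><script>alert(1)</script>'

# Hypothetical template that re-fills the login field after a failed attempt.
# The name is reflected inside a double-quoted attribute, so escaping must
# neutralise both '<' / '>' and '"' to be safe in this context.
TEMPLATE = '<input type="text" name="login" value="{login}">'


def render_unsafe(login: str) -> str:
    """Reflects the raw value. The leading '">' closes the attribute and the
    tag, so the following <script> element is parsed as real markup."""
    return TEMPLATE.format(login=login)


def render_escaped(login: str, quote: bool = True) -> str:
    """Escapes before reflecting. quote=True (the default) turns '"' into
    '&quot;', which keeps the value inside the attribute it was meant for."""
    return TEMPLATE.format(login=html.escape(login, quote=quote))


def has_script_tag(page: str) -> bool:
    """Demonstration check: does the rendered page contain a live <script tag?"""
    return "<script" in page.lower()


def attribute_closed_early(page: str) -> bool:
    """Demonstration check: did the input terminate the value="..." attribute
    before the template's own closing quote? True means an injection point."""
    return 'value=""' in page


if __name__ == "__main__":
    print("raw     :", render_unsafe(PAYLOAD))
    print("escaped :", render_escaped(PAYLOAD))
    print("no-quote:", render_escaped(PAYLOAD, quote=False))
```

Escape at the point where a value is written into HTML rather than before the password is compared with the stored credential; escaping the password itself changes any password that contains characters such as & or <.
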
EKuzmin

Jul 10, 2025, 11:54:50 AMJul 10
to Jam.py Users Mailing List
Sorry if you took it as a demand; it is a misunderstanding because I use Google Translate.
I like your JAM and the fact that it is developing.
I passed on the information about the XSS vulnerability, so I think it would be important for everyone who will use it. XSS attacks are quite common.
We will fix it ourselves, but this is our local solution and there will be no benefit for the community from it.


On Wednesday, July 9, 2025 at 05:34:32 UTC+2, Dean D. Babic wrote: