liuzhe02 / bigbluebutton

Automatically exported from code.google.com/p/bigbluebutton

API meetingID spec. #1966

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The spec for the meetingID

“Meeting IDs should only contain upper/lower ASCII letters, numbers, dashes, 
or underscores.”

The controller allows more characters than this, which can potentially cause 
issues or vulnerabilities.  The demo page uses ', like "Fred's Meeting".

In looking at XSS prevention.

Here are the 2 calls for create and join.

http://test-install.blindsidenetworks.com/bigbluebutton/api/create?allowStartStopRecording=true&attendeePW=ap&autoStartRecording=false&meetingID=%3Cscript%3Ealert%28%22123%22%29%3B%3C%2Fscript%3E&moderatorPW=mp&name=%3Cscript%3Ealert%28%22123%22%29%3B%3C%2Fscript%3E&record=false&voiceBridge=72166&welcome=%3Cbr%3EWelcome+to+%3Cb%3E%25%25CONFNAME%25%25%3C%2Fb%3E%21&checksum=ea63bbfbbf1d2084f426f9bbf0ff17860dc380a6

http://test-install.blindsidenetworks.com/bigbluebutton/api/join?fullName=User+6556044&meetingID=%3Cscript%3Ealert%28%22123%22%29%3B%3C%2Fscript%3E&password=mp&redirect=true&checksum=5b2f00a621ccf06830d8be825835b9cabf5a39b2

results of create
<meeting>
<returncode>SUCCESS</returncode>
<meetingName><script>alert("123");</script></meetingName>
<meetingID><script>alert("123");</script></meetingID>
<createTime>1437506462649</createTime>
<createDate>Tue Jul 21 15:21:02 EDT 2015</createDate>
<voiceBridge>72166</voiceBridge>
<dialNumber>613-555-1234</dialNumber>
<running>true</running>
<duration>0</duration>
.....

Not an issue with flash client, not sure about html5 client or integration 
pages that try to display this.

meeting name and welcome need to allow more options for localization and 
passing html links, not sure what can be done to remove scripts.

Larger implementations may choose to handle this thru load balancing logic.

Original issue reported on code.google.com by 207T...@gmail.com on 23 Jul 2015 at 5:42

GoogleCodeExporter commented 9 years ago
We'll look into applying these changes.

We might have to change the accepted characters in meeting ids, because some 
integrations are not compatible with the listed spec.

Either way, the API calls should be returning the meetingName and meetingID 
parameters in an XML-encoded form that can be safely interpreted, like:

<meetingName>&lt;script&gt;alert("123");&lt;/script&gt;</meetingName>

I wonder why that's not the case already, we might be using XML creation 
functions incorrectly...

Original comment by calvin.walton@kepstin.ca on 24 Jul 2015 at 6:49
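Added example (not BigBlueButton's own code, and not from either commenter): it puts the two points of this thread side by side. First, a check of a meetingID against the character set quoted in the report (ASCII letters, digits, dashes, underscores). Second, the create-response `<meeting>` element built two ways: by string concatenation, which reflects the `<script>` payload from the report verbatim, and with an XML library, which emits the `&lt;script&gt;` form the second comment asks for. The function and element names, and the three-element response, are assumptions made for the illustration; the real response carries more fields.

```python
import re
import xml.etree.ElementTree as ET

# Character set from the meetingID spec quoted in the issue:
# upper/lower ASCII letters, digits, dashes and underscores only.
MEETING_ID_RE = re.compile(r"[A-Za-z0-9_-]+")


def is_valid_meeting_id(meeting_id: str) -> bool:
    """True when meeting_id contains only characters the spec allows."""
    return MEETING_ID_RE.fullmatch(meeting_id) is not None


def build_create_response_unsafe(meeting_id: str, meeting_name: str, voice_bridge: str) -> str:
    """String concatenation: reproduces the reflected output shown in the report.

    Whatever the caller put in meetingID / name lands in the XML as markup.
    """
    return (
        "<meeting><returncode>SUCCESS</returncode>"
        f"<meetingName>{meeting_name}</meetingName>"
        f"<meetingID>{meeting_id}</meetingID>"
        f"<voiceBridge>{voice_bridge}</voiceBridge></meeting>"
    )


def build_create_response(meeting_id: str, meeting_name: str, voice_bridge: str) -> str:
    """Same response built with an XML library, so text nodes are escaped.

    ElementTree turns '<', '>' and '&' in text into entities on serialisation,
    which is the 'XML-encoded form' the second comment describes.
    """
    root = ET.Element("meeting")
    ET.SubElement(root, "returncode").text = "SUCCESS"
    ET.SubElement(root, "meetingName").text = meeting_name
    ET.SubElement(root, "meetingID").text = meeting_id
    ET.SubElement(root, "voiceBridge").text = voice_bridge
    return ET.tostring(root, encoding="unicode")


def meeting_id_from_response(xml_text: str) -> str:
    """What an integration reading the response with an XML parser gets back.

    With the escaped form the original string is recovered intact; with the
    concatenated form the payload has become child elements and the text is lost.
    """
    return ET.fromstring(xml_text).findtext("meetingID")


if __name__ == "__main__":
    # Constructed inputs: the payload from the report and a spec-conforming id.
    payload = '<script>alert("123");</script>'
    for candidate in ("Freds_Meeting-01", "Fred's Meeting", payload):
        print(f"{candidate!r:40} valid={is_valid_meeting_id(candidate)}")
    print("unsafe:", build_create_response_unsafe(payload, payload, "72166"))
    print("safe:  ", build_create_response(payload, payload, "72166"))
```

Rejecting non-spec meetingIDs at the controller and escaping every text node in the response are independent fixes; the second still matters for `name` and `welcome`, which the report says need to keep accepting richer content. Escaping leaves that content intact for the consumer to decide how to render.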

GoogleCodeExporter commented 9 years ago

Original comment by calvin.walton@kepstin.ca on 24 Jul 2015 at 6:56