Security Update: Cross-Site Scripting Vulnerability

User DBell
Date 1/16/2007 12:32 pm
Severity Minor (annoying, but not harmful)
Version WebGUI 7.3.4 and previous
Views 1011
Rating 2
DBell

A vulnerability has been discovered in WebGUI that could allow an attacker to inject arbitrary HTML into pages, causing undesired operation. The vulnerability is that it is possible for a user doing anonymous registration to create a user name containing arbitrary HTML, which is then used to create Collaboration System posts (or other assets) which will display the injected HTML. It can also cause problems with the Admin Console accordion not displaying, due to a version tag being created with the offending user name.

Attached is a patch to apply to WebGUI version 7.0 or later that will stop users from creating a user name with HTML or JavaScript in them. To apply the patch:

  • Save the attached file to your WebGUI directory
  • Open a terminal
  • Type: cd /your/webgui/directory
  • Type: patch -b -p0 < xss-patch.txt
  • Restart WebGUI

If you do not feel comfortable doing the above actions, alter the 'lib/WebGUI/Operation/User.pm' file as follows:

  1. Around line 430, before the line beginning if (($existingUserId eq $postedUserId || ($postedUserId eq "new" &&, insert the following lines:
    • my $postedUsername = $session->form->process("username");
    • $postedUsername = WebGUI::HTML::filter($postedUsername, "all");
  2. Around line 430, replace the text $session->form->process("username") with
    • $postedUsername
  3. Around line 435, replace the text $session->form->process("username") with
    • $postedUsername
  4. Around line 461, remove the line beginning with my $username = $session->form->process("username");
  5. Around line 462, replace the line beginning with $error = '<ul>' . sprintf($i18n->get(77) with
    • $error = '<ul>' . sprintf($i18n->get(77), $postedUsername, $postedUsername, $postedUsername, $session->datetime->epochToHuman($session->datetime->time(),"%y")).'</ul>';


Attached Files
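As an added illustration (not DBell's patch and not WebGUI code), the Perl below shows the two layers the advisory relies on: a registration-time filter that plays the role WebGUI::HTML::filter($name, "all") plays in the patch, and HTML escaping wherever a stored name is rendered, which also covers names that were stored before the fix. strip_markup, validate_registration_name and html_escape are hypothetical helpers written for this example with core Perl only; the sample names are constructed.

```perl
#!/usr/bin/perl
# Added example, not WebGUI code. Two layers of mitigation for the
# "HTML in user name" problem:
#   1. strip_markup / validate_registration_name - input-side filter at
#      registration (stand-in for WebGUI::HTML::filter($name, "all"))
#   2. html_escape - output-side encoding where a stored name is rendered
#      (post author line, version tag), as defence in depth
use strict;
use warnings;

# Remove tags, comments, entities and stray brackets/quotes from a submitted
# user name. Returns the cleaned name, or undef when nothing usable remains.
# Hypothetical helper, not WebGUI::HTML::filter.
sub strip_markup {
    my ($name) = @_;
    return undef unless defined $name;
    $name =~ s/<!--.*?-->//gs;      # HTML comments
    $name =~ s/<[^>]*>//gs;         # any complete tag, <script ...> included
    $name =~ s/&[#\w]+;//g;         # entities such as &lt; or &#60;
    $name =~ s/[<>"']//g;           # leftovers from unterminated tags
    $name =~ s/^\s+|\s+$//g;        # trim surrounding whitespace
    return length $name ? $name : undef;
}

# Registration-time check: accept only a name that survives the filter
# unchanged, so the stored name is exactly what the filter approved.
# Returns (1, $clean) on success or (0, $reason) on rejection.
sub validate_registration_name {
    my ($posted) = @_;
    my $clean = strip_markup($posted);
    return (0, 'user name is empty after filtering') unless defined $clean;
    return (0, 'user name may not contain HTML')     unless $clean eq $posted;
    return (1, $clean);
}

# Output-time encoding for rendering a stored name inside HTML. Stand-in for
# HTML::Entities::encode_entities so the example needs no CPAN modules.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample registrations
my @samples = (
    'alice',
    '<b>bob</b>',
    'eve<script>alert(1)</script>',
    '<!-- nothing here -->',
);
for my $posted (@samples) {
    my ($ok, $msg) = validate_registration_name($posted);
    printf "%-32s => %s\n", $posted, $ok ? 'accepted' : "rejected: $msg";
}

# A name stored before the fix is still rendered safely by the output layer
printf "author line: %s\n", html_escape('<b>legacy&name</b>');
```

The filter deliberately rejects rather than silently repairs: a user who typed markup learns why the name was refused, and the stored value is never something the user did not see. Note that the bracket/quote pass also drops apostrophes, so a name like O'Brien would be rejected under this policy; relax that character class if such names must be allowed, but keep the output escaping in place regardless, because it protects every name already in the database.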
JT
fixed in 7.3.5

