[GERONIMO-1474] Cross site scripting vulnerabilites - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0
Fix Version/s: 1.1, 1.2
Component/s: console, security
Security Level: public (Regular issues)
Labels:
None

Patch Info:

Patch Available

Description

Reported by oliver karow:

The Web-Access-Log viewer does no filtering for html-/script-tags, and
therefore allows attacks against the user of the admin-console:

http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>

Also reported:

The first one is a classical cross-site scripting in the jsp-examples:
http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

GERONIMO-1474.patch
19/Jan/06 04:01
2 kB
Paul Franklin McMahan

Activity

People

Assignee:: Aaron Mulder

Reporter:: Gregory John Wilkins

Votes:: 1 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 15/Jan/06 21:26

Updated:: 13/Mar/07 04:20

Resolved:: 26/Jan/06 06:35