[#GERONIMO-1474] Cross site scripting vulnerabilites

Geronimo

Created: 15/Jan/06 09:26 PM Updated: 13/Mar/07 04:20 AM

Return to search

Component/s:

console, security

Affects Version/s:

1.0

Fix Version/s:

1.1, 1.2

Security Level:

public (Regular issues)

Time Tracking:

Not Specified

File Attachments:

	File Name	Date Attached	Attached By	Size
	GERONIMO-1474.patch	2006-01-19 04:01 AM	Paul McMahan	2 kB

Patch Info:	Patch Available
Resolution Date:	26/Jan/06 06:35 AM

Description

« Hide

Reported by oliver karow:

The Web-Access-Log viewer does no filtering for html-/script-tags, and
therefore allows attacks against the user of the admin-console:

Also reported:

The first one is a classical cross-site scripting in the jsp-examples:
http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

All

Comments

Work Log

Change History

Subversion Commits

Sort Order:

Repository	Revision	Date	User	Message
ASF	#372322	Wed Jan 25 21:33:48 UTC 2006	ammulder	Log viewer escapes log messages (~~GERONIMO-1474~~) -- Thanks to Paul McMahan for the patch
				Files Changed
				MODIFY /geronimo/branches/1.0/applications/console-standard/src/webapp/WEB-INF/view/logmanager/search.jsp MODIFY /geronimo/branches/1.0/applications/console-standard/src/webapp/WEB-INF/view/derbylogmanager/view.jsp MODIFY /geronimo/branches/1.0/applications/console-standard/src/webapp/WEB-INF/view/webaccesslogmanager/view.jsp

Repository	Revision	Date	User	Message
ASF	#372324	Wed Jan 25 21:35:35 UTC 2006	ammulder	Merge fix for ~~GERONIMO-1474~~ from branch
				Files Changed
				MODIFY /geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/logmanager/search.jsp MODIFY /geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/derbylogmanager/view.jsp MODIFY /geronimo/trunk/applications/console-standard/src/webapp/WEB-INF/view/webaccesslogmanager/view.jsp