Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 1.0
• Fix Version/s: 1.1, 1.2
• Component/s: console, security
• Security Level: public (Regular issues)
• Labels: None
• Patch Info: Patch Available

Description

Reported by oliver karow:

The Web-Access-Log viewer does no filtering for HTML/script tags, and
therefore allows attacks against the user of the admin console:

http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>

Also reported:

The first one is a classical cross-site scripting in the jsp-examples:
http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
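Both findings above share one root cause: untrusted text (a logged request line, a reflected `time` query parameter) is written into HTML without output encoding. The following is an added illustration, not code from this issue or from the project's console or jsp-examples; it is written in Python rather than JSP so the fix is easy to run and check, but the principle (HTML-escape every untrusted value, in text nodes and in attribute values) carries over directly. The log lines, the `render_*` helpers and the `SUSPICIOUS_MARKERS` list are all constructed for this example.

```python
import html

# Constructed sample access-log lines (not taken from any real log file).
# Line 2 carries the reflected-script probe quoted in this issue, so it
# shows what a viewer must survive when it renders logged request lines.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2005:12:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2005:12:00:01 +0000] '
    '"GET /jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script> HTTP/1.1" 200 870',
]

# Review aid only: substrings that make a logged request worth a second look.
SUSPICIOUS_MARKERS = ("<script", "</", "javascript:", "onerror=", "onload=")


def render_cell_unsafe(text: str) -> str:
    """'Before' pattern: log text concatenated straight into the HTML table."""
    return f"<td>{text}</td>"


def render_cell_safe(text: str) -> str:
    """Hardened: escape &, <, >, \" and ' so the log text can only ever be text."""
    return f"<td>{html.escape(text, quote=True)}</td>"


def render_log_view(lines, safe: bool = True) -> str:
    """Build the viewer's table; safe=False reproduces the vulnerable behaviour."""
    cell = render_cell_safe if safe else render_cell_unsafe
    rows = "".join(f"<tr>{cell(line)}</tr>" for line in lines)
    return f"<table>{rows}</table>"


def render_time_field_unsafe(time_param: str) -> str:
    """Reflecting a query parameter into an attribute value without encoding.

    A value that starts with a quote closes the attribute and the tag, which is
    exactly what the "/> prefix in the reported URL relies on.
    """
    return f'<input type="text" name="time" value="{time_param}"/>'


def render_time_field_safe(time_param: str) -> str:
    """Same field with attribute-safe encoding (quote=True also escapes quotes)."""
    return f'<input type="text" name="time" value="{html.escape(time_param, quote=True)}"/>'


def flag_suspicious_lines(lines):
    """Return the indexes of log lines whose request carries markup or script."""
    return [
        i for i, line in enumerate(lines)
        if any(marker in line.lower() for marker in SUSPICIOUS_MARKERS)
    ]


if __name__ == "__main__":
    print("vulnerable viewer:\n", render_log_view(SAMPLE_LOG_LINES, safe=False))
    print("hardened viewer:\n", render_log_view(SAMPLE_LOG_LINES))
    print("lines to review:", flag_suspicious_lines(SAMPLE_LOG_LINES))
```

Run as a script, the first table contains a live `<script>` element, the second only the text `&lt;script&gt;…`; the same contrast holds for the `time` field. Escaping must be applied at the point of output, with the encoding matching the context (text node versus attribute value), which is why `quote=True` matters for the attribute case.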

People

• Assignee: ammulder Aaron Mulder
• Reporter: gregw Greg Wilkins
• Votes: 1
• Watchers: 0
