GERONIMO-1474: Cross site scripting vulnerabilities


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0
    • Fix Version/s: 1.1, 1.2
    • Component/s: console, security
    • Security Level: public (Regular issues)
    • Labels: None
    • Patch Info: Patch Available

    Description

      Reported by Oliver Karow:

      The Web-Access-Log viewer does no filtering for HTML/script tags, and
      therefore allows attacks against the user of the admin console:

      http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>

      Also reported:

      The first one is a classic cross-site scripting vulnerability in the jsp-examples:
      http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
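The following is an added illustration of the two output contexts the report describes (a log line written into an HTML table cell, and a request parameter written back into a double-quoted attribute value as in cal2.jsp?time=...). It is not Geronimo's own console or jsp-examples code: the class and method names are hypothetical, and the access log line is constructed for the example. It shows the unescaped rendering that lets the injected `<script>` reach the administrator's browser, and the escaped rendering that turns the same input into inert text.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Geronimo code): rendering untrusted access-log data and
 * request parameters into HTML, first unescaped, then escaped at the output point.
 */
public class AccessLogViewerExample {

    // Constructed sample line in Common Log Format. The request URI is attacker-controlled:
    // anyone can send a request whose path contains markup, and it lands in the log verbatim.
    static final String SAMPLE_LINE =
        "10.10.10.10 - - [01/Jan/2006:12:00:00 +0000] "
        + "\"GET /jsp-examples/cal/cal2.jsp?time=\"/><script>alert(document.cookie)</script> HTTP/1.1\" 200 1234";

    /** Vulnerable: the log line is concatenated straight into the page, as the report describes. */
    static String renderLogRowUnescaped(String logLine) {
        return "<tr><td>" + logLine + "</td></tr>";
    }

    /**
     * Minimal HTML entity encoder. Escaping & < > " ' covers both text content and
     * double- or single-quoted attribute values; encoding the quote is what stops the
     * time="/> break-out used in the report.
     */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened: the log line is escaped at the point where it becomes HTML. */
    static String renderLogRowEscaped(String logLine) {
        return "<tr><td>" + escapeHtml(logLine) + "</td></tr>";
    }

    /** Hardened attribute context, the shape of cal2.jsp's echoed time parameter: value="..." */
    static String renderTimeInput(String timeParam) {
        return "<input type=\"text\" name=\"time\" value=\"" + escapeHtml(timeParam) + "\">";
    }

    /** Renders a whole log page; every row goes through the escaping renderer. */
    static String renderLogTable(List<String> lines) {
        StringBuilder sb = new StringBuilder("<table>\n");
        for (String line : lines) {
            sb.append(renderLogRowEscaped(line)).append('\n');
        }
        return sb.append("</table>").toString();
    }

    public static void main(String[] args) {
        // Unescaped: the <script> tag survives intact and executes in the admin's browser.
        System.out.println(renderLogRowUnescaped(SAMPLE_LINE));

        // Escaped: the same bytes are displayed as text, no tag is parsed.
        String safeRow = renderLogRowEscaped(SAMPLE_LINE);
        System.out.println(safeRow);
        if (safeRow.contains("<script>")) {
            throw new IllegalStateException("escaping failed");
        }

        // Attribute context: the leading quote of the payload is neutralised as &quot;.
        System.out.println(renderTimeInput("\"/><script>alert('Gotcha')</script>"));

        List<String> lines = new ArrayList<>();
        lines.add(SAMPLE_LINE);
        lines.add("10.10.10.11 - - [01/Jan/2006:12:00:05 +0000] \"GET /index.html HTTP/1.1\" 200 512");
        System.out.println(renderLogTable(lines));
    }
}
```

The point of the example is where the escaping happens: the log file itself is left alone (it must keep the raw request for forensics), and encoding is applied only when a field is written into HTML, chosen for the context it lands in. A JSP can get the same effect with `<c:out>` or `fn:escapeXml()` instead of a raw `<%= request.getParameter("time") %>`.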

      Attachments

        1. GERONIMO-1474.patch
          2 kB
          Paul Franklin McMahan

          People

            ammulder Aaron Mulder
            gregw Gregory John Wilkins