beehive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rich Feit (JIRA)" <...@beehive.apache.org>
Subject [jira] Commented: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode
Date Fri, 23 Sep 2005 18:15:30 GMT
    [ http://issues.apache.org/jira/browse/BEEHIVE-952?page=comments#action_12330315 ] 

Rich Feit commented on BEEHIVE-952:
-----------------------------------

The URL got encoded by JIRA. It should be this:

http://localhost:8080/myWebApp/crossSiteScriptingAttack/%3Cscript%3Ealert('hi')%3C/script%3E.do

> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
>          Key: BEEHIVE-952
>          URL: http://issues.apache.org/jira/browse/BEEHIVE-952
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: V1
>  Environment: Tomcat
>     Reporter: Rich Feit
>     Assignee: Rich Feit
>      Fix For: 1.1

>
> Repro:
>     - Make sure you are not running in production mode.  By default, this is based on
not passing "-ea" when starting the server.
>     - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
>     - Hit a URL like this one:
>              http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert
Window')</script>.do
> EXPECTED: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/<script>alert('hi')</script>.do
(module path /crossSiteScriptingAttack/alert('hi')<).
> ACTUAL: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/.do
(module path /crossSiteScriptingAttack/alert('hi')<).
>  ...and, the script EXECUTES on the client -- you see a browser alert box that says "hi".

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message