Return-Path: 
 <dev-return-8408-apmail-beehive-dev-archive=beehive.apache.org@beehive.apache.org>
Delivered-To: apmail-beehive-dev-archive@www.apache.org
Received: (qmail 55398 invoked from network); 8 Dec 2005 06:29:32 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 8 Dec 2005 06:29:32 -0000
Received: (qmail 96003 invoked by uid 500); 8 Dec 2005 06:29:32 -0000
Delivered-To: apmail-beehive-dev-archive@beehive.apache.org
Received: (qmail 95800 invoked by uid 500); 8 Dec 2005 06:29:31 -0000
Mailing-List: contact dev-help@beehive.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@beehive.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@beehive.apache.org>
List-Post: <mailto:dev@beehive.apache.org>
List-Id: <dev.beehive.apache.org>
Reply-To: "Beehive Developers" <dev@beehive.apache.org>
Delivered-To: mailing list dev@beehive.apache.org
Received: (qmail 95789 invoked by uid 99); 8 Dec 2005 06:29:31 -0000
X-ASF-Spam-Status: No, hits=1.3 required=10.0
	tests=SPF_FAIL
X-Spam-Check-By: apache.org
Received: from [192.87.106.226] (HELO ajax.apache.org) (192.87.106.226)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Dec 2005 22:29:29 -0800
Received: from ajax.apache.org (ajax.apache.org [127.0.0.1])
	by ajax.apache.org (Postfix) with ESMTP id CC9E1186
	for <dev@beehive.apache.org>; Thu,  8 Dec 2005 07:29:08 +0100 (CET)
Message-ID: <1317130733.1134023348836.JavaMail.jira@ajax.apache.org>
Date: Thu, 8 Dec 2005 07:29:08 +0100 (CET)
From: "Rich Feit (JIRA)" <dev@beehive.apache.org>
To: dev@beehive.apache.org
Subject: [jira] Resolved: (BEEHIVE-952) Potential cross-site-scripting
 vulnerability when not in production mode
In-Reply-To: <850536272.1127499208004.JavaMail.jira@ajax.apache.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

     [ http://issues.apache.org/jira/browse/BEEHIVE-952?page=all ]
     
Rich Feit resolved BEEHIVE-952:
-------------------------------

    Resolution: Fixed
     Assign To: Alejandro Ramirez  (was: Rich Feit)

This is fixed with revision 355003.

> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
>          Key: BEEHIVE-952
>          URL: http://issues.apache.org/jira/browse/BEEHIVE-952
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: V1
>  Environment: Tomcat
>     Reporter: Rich Feit
>     Assignee: Alejandro Ramirez
>      Fix For: 1.1

>
> Repro:
>     - Make sure you are not running in production mode.  By default, this is based on not passing "-ea" when starting the server.
>     - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
>     - Hit a URL like this one:
>              http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert Window')</script>.do
> EXPECTED: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path /crossSiteScriptingAttack/alert('hi')<).
> ACTUAL: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/.do (module path /crossSiteScriptingAttack/alert('hi')<).
>  ...and, the script EXECUTES on the client -- you see a browser alert box that says "hi".

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira