beehive-dev mailing list archives

From "Julie Zhuo (JIRA)" <...@beehive.apache.org>
Subject [jira] Closed: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode
Date Wed, 01 Feb 2006 22:34:35 GMT
     [ http://issues.apache.org/jira/browse/BEEHIVE-952?page=all ]
     
Julie Zhuo closed BEEHIVE-952:
------------------------------


Verified with rev374070. There is no alert appearing. The error message that occurred on the console looks good.

01 Feb 2006 15:27:45,402 ERROR AutoRegisterActionServlet []: No module configuration registered for /crossSiteScriptingAttack/<script>alert('AlertWindow')</script>.do (module path /crossSiteScriptingAttack/<script>alert('AlertWindow')<).
01 Feb 2006 15:27:45,412 ERROR InternalUtils   []: Error (message key PageFlow_NoModuleConf) occurred.  Response error was set to 404

> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
>          Key: BEEHIVE-952
>          URL: http://issues.apache.org/jira/browse/BEEHIVE-952
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: V1
>  Environment: Tomcat
>     Reporter: Rich Feit
>     Assignee: Julie Zhuo
>      Fix For: 1.0.1
>
> Repro:
>     - Make sure you are not running in production mode.  By default, this is based on not passing "-ea" when starting the server.
>     - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
>     - Hit a URL like this one:
>              http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert Window')</script>.do
> EXPECTED: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path /crossSiteScriptingAttack/alert('hi')<).
> ACTUAL: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/.do (module path /crossSiteScriptingAttack/alert('hi')<).
>  ...and, the script EXECUTES on the client -- you see a browser alert box that says "hi".

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
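Added illustration of the defect the report describes (example code, not Beehive's code or the fix that closed the issue): an error page that reflects the request path verbatim, beside a hardened counterpart that withholds the path in production mode and HTML-escapes it otherwise. The error-page markup, the `production_mode` flag and the `count_script_tags` check are assumptions for the example; only the message text and the payload path come from the report.

```python
import html
from html.parser import HTMLParser

# Constructed input: the request path from the report's repro URL.
ATTACK_PATH = "/crossSiteScriptingAttack/<script>alert('AlertWindow')</script>.do"

MESSAGE = "There is no Struts module configuration registered for "


def error_page_vulnerable(request_path: str) -> str:
    """Error page as the report describes it: the path is reflected unescaped."""
    return f"<html><body><p>{MESSAGE}{request_path}.</p></body></html>"


def error_page_hardened(request_path: str, production_mode: bool) -> str:
    """Assumed hardened design (not the Beehive fix).

    Production mode: reflect no request data at all; the path belongs in the
    server log only. Development mode: reflect it, but HTML-escape it so the
    browser tokenizes the payload as text rather than as a <script> element.
    """
    if production_mode:
        return "<html><body><p>No module configuration registered.</p></body></html>"
    safe_path = html.escape(request_path, quote=True)
    return f"<html><body><p>{MESSAGE}{safe_path}.</p></body></html>"


class _ScriptTagCounter(HTMLParser):
    """Counts <script> start tags as an HTML tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(body: str) -> int:
    """Return how many <script> elements a browser would parse out of body."""
    parser = _ScriptTagCounter()
    parser.feed(body)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    print(count_script_tags(error_page_vulnerable(ATTACK_PATH)))        # 1
    print(count_script_tags(error_page_hardened(ATTACK_PATH, False)))   # 0
```

The escaped page still shows the offending path to the developer, which is the behaviour the report asks for in non-production mode, without giving the browser a tag to execute.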

