geronimo-dev mailing list archives

From "Paul McMahan (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-1474) Cross site scripting vulnerabilities
Date Wed, 18 Jan 2006 19:08:43 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-1474?page=comments#action_12363140 ] 

Paul McMahan commented on GERONIMO-1474:
----------------------------------------

Please note that the patch for the admin portlets does *not* address any XSS vulnerabilities
in the sample applications. Based on recent discussion on the dev list my understanding
is that the Tomcat dev team will address any vulnerabilities in the samples they provide.

> Cross site scripting vulnerabilities
> ------------------------------------
>
>          Key: GERONIMO-1474
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1474
>      Project: Geronimo
>         Type: Bug
>   Components: console, security
>     Versions: 1.0
>     Reporter: Greg Wilkins
>      Fix For: 1.0.1, 1.1
>  Attachments: GERONIMO-1474.patch
>
> Reported by Oliver Karow:
> The Web-Access-Log viewer does no filtering for HTML or script tags, and
> therefore allows attacks against the user of the admin console:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>
> Also reported:
> The first one is a classical cross-site scripting in the jsp-examples:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
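The defect the report describes, rendering access-log entries into the admin console without encoding them, and the corresponding fix, shown as an added illustration in Python rather than Geronimo's own JSP/portlet patch. The log line, field names and function names are constructed for this example; the only thing carried over from the issue is the shape of the request that lands in the log.

```python
import html
import re

# Common Log Format as written by a servlet container's access-log valve.
# The request line is matched greedily so embedded quotes (as in the report's
# URL, where the parameter value starts with "/>) do not break parsing.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
FIELDS = ("host", "user", "time", "request", "status", "bytes")

# Constructed sample entry (not a real log): a request whose query string
# carries a script tag, exactly what an attacker-controlled URL leaves behind.
SAMPLE_LINE = (
    '10.10.10.10 - - [18/Jan/2006:19:08:43 +0000] '
    '"GET /jsp-examples/cal/cal2.jsp?time="/><script>alert(1)</script> HTTP/1.1" 200 512'
)


def parse_clf(line: str) -> dict:
    """Split one access-log line into its fields; raise on malformed input."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError(f"unparseable access-log line: {line!r}")
    return m.groupdict()


def render_row_unsafe(entry: dict) -> str:
    """The vulnerable pattern: log fields are interpolated into HTML verbatim,
    so anything a client put in its request executes in the viewer's browser."""
    return "<tr>" + "".join(f"<td>{entry[k]}</td>" for k in FIELDS) + "</tr>"


def render_row_safe(entry: dict) -> str:
    """Hardened version: every field is entity-encoded at output time.
    quote=True also encodes " and ', so a value beginning with "/> cannot
    close an attribute if a field is ever placed inside one."""
    return "<tr>" + "".join(
        f"<td>{html.escape(entry[k], quote=True)}</td>" for k in FIELDS
    ) + "</tr>"


def render_log(lines, safe: bool = True) -> str:
    """Render a whole log as table rows, skipping lines that fail to parse."""
    render = render_row_safe if safe else render_row_unsafe
    rows = []
    for line in lines:
        try:
            rows.append(render(parse_clf(line)))
        except ValueError:
            continue  # a malformed line must never reach the page unencoded
    return "<table>" + "".join(rows) + "</table>"
```

Diffing the two renderings of `SAMPLE_LINE` shows the fix at work: the unsafe row contains a live `<script>` element, the safe row contains only `&lt;script&gt;` text that the browser displays but never executes.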

