geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Updated: (GERONIMO-1474) Cross site scripting vulnerabilites
Date Tue, 13 Mar 2007 04:22:09 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-1474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

David Jencks updated GERONIMO-1474:
-----------------------------------

    Comment: was deleted

> Cross site scripting vulnerabilites
> -----------------------------------
>
>                 Key: GERONIMO-1474
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-1474
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: console, security
>    Affects Versions: 1.0
>            Reporter: Greg Wilkins
>         Assigned To: Aaron Mulder
>             Fix For: 1.1, 1.2
>
>         Attachments: GERONIMO-1474.patch
>
>
> Reported by oliver karow:
> The Web-Access-Log viewer does no filtering for html-/script-tags, and
> therefore allows attacks against the user of the admin-console:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>
> Also reported:
> The first one is a classical cross-site scripting in the jsp-examples:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message