myfaces-dev mailing list archives

From Matthias Weßendorf (JIRA) <...@myfaces.apache.org>
Subject [jira] Resolved: (TRINIDAD-1798) XSS attack while launching Pop up
Date Fri, 29 Oct 2010 13:52:21 GMT

     [ https://issues.apache.org/jira/browse/TRINIDAD-1798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matthias Weßendorf resolved TRINIDAD-1798.
------------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0.4-core 
                    1.2.15-core 
         Assignee: Matthias Weßendorf

> XSS attack while launching Pop up
> ---------------------------------
>
>                 Key: TRINIDAD-1798
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1798
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>    Affects Versions: 1.2.9-core
>            Reporter: Virginie reverse
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.2.15-core , 2.0.0.4-core 
>
>
> Hello,
> I am using Trinidad 1.2.9, JSF 1.2 and Tomcat 5.5.26.
> I am launching a pop up with this command:
> <tr:commandLink id="idAddCurrencyDialog" text="#{msg.updateAttributes_add_currency}"
>   action="dialog:addModifyAttribute" useWindow="true" partialSubmit="true"
>   launchListener="#{updateAttributesController.launchAddCurrencyDialog}"
>   returnListener="#{updateAttributesController.returnFromDialogAttribute}"
>   windowHeight="500" windowWidth="500"/>
> Here is the command generated:
> https://xxx/yyy/faces/__ADFv__?_afPfm=-543e4359&_t=fred&_vir=/common/pages/secure/common/dialog/addModifyAttribute.jspx&loc=en&_minWidth=500&_minHeight=500&_rtrnId=1
> The problem is that it's allowing a cross-site scripting attack: you can insert JavaScript in:
> _minWidth, _minHeight or _rtrnId
> For example:
> https://xxx/yyyy/faces/__ADFv__?_afPfm=-543e4359&_t=fred&_vir=/common/pages/secure/common/dialog/addModifyAttribute.jspx&loc=en&_minWidth=500&_minHeight=500});alert(document.cookie);//&_rtrnId=1
> I tried to upgrade to 1.2.13, but there was still the problem.
> Do you know a workaround, or is it possible to fix this security breach?
> thxs

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
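
Added example, not part of the original message and not the Trinidad fix: a Python check that flags requests to the __ADFv__ dialog URL whose _minWidth, _minHeight or _rtrnId value is not a plain integer, usable when reviewing access logs or filtering requests in front of an unpatched version. The integer-only rule is an assumption based on the values in the generated URL quoted above; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Parameter names and the __ADFv__ path come from the report. Treating the
# values as plain non-negative integers is an assumption based on the
# generated URL shown there (500, 500, 1).
NUMERIC_PARAMS = ("_minWidth", "_minHeight", "_rtrnId")
DIALOG_PATH_MARKER = "/__ADFv__"
# ASCII digits only; fullmatch() below also rejects a trailing newline,
# which "^[0-9]+$" used with match() would let through.
PLAIN_INT = re.compile(r"[0-9]{1,9}")


def non_numeric_dialog_params(url):
    """Return {name: decoded value} for dialog parameters that are not integers."""
    parts = urlsplit(url)
    if DIALOG_PATH_MARKER not in parts.path:
        return {}
    bad = {}
    # Split on "&" only, so a ";" inside a value stays part of that value.
    for pair in parts.query.split("&"):
        raw_name, _, raw_value = pair.partition("=")
        name, value = unquote_plus(raw_name), unquote_plus(raw_value)
        # Every occurrence is checked, so a repeated parameter cannot hide a bad one.
        if name in NUMERIC_PARAMS and not PLAIN_INT.fullmatch(value):
            bad[name] = value
    return bad


def flag_requests(urls):
    """Return (url, offending parameters) for each request worth reviewing."""
    return [(u, bad) for u in urls if (bad := non_numeric_dialog_params(u))]


# The first two URLs are the ones quoted in the report; the third is constructed.
SAMPLE_URLS = [
    "https://xxx/yyy/faces/__ADFv__?_afPfm=-543e4359&_t=fred&_vir=/common/pages/secure/common/dialog/addModifyAttribute.jspx&loc=en&_minWidth=500&_minHeight=500&_rtrnId=1",
    "https://xxx/yyyy/faces/__ADFv__?_afPfm=-543e4359&_t=fred&_vir=/common/pages/secure/common/dialog/addModifyAttribute.jspx&loc=en&_minWidth=500&_minHeight=500});alert(document.cookie);//&_rtrnId=1",
    "https://xxx/yyy/faces/__ADFv__?_minWidth=500&_minHeight=500&_rtrnId=1%0A",
]

if __name__ == "__main__":
    for url, bad in flag_requests(SAMPLE_URLS):
        print(bad, url)
```

Values are percent-decoded before the check, so an encoded value is judged by what the server would see.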

