portals-jetspeed-dev mailing list archives

From David Sean Taylor <da...@bluesunrise.com>
Subject Re: Cross Site Scripting Vulnerability [was: Filter URLs]
Date Fri, 02 Mar 2007 16:57:11 GMT
We're working on a fix, thanks

On Mar 2, 2007, at 12:31 AM, Santiago Gala wrote:

> On Tue, 27-02-2007 at 15:23 +0100, Eric Nolte wrote:
>> Hi,
>>
>> it seems that Jetspeed in its default configuration is vulnerable to
>> cross site scripting like this:
>> http://localhost:8080/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e
>>
>> My question is how can I prevent this?
>> One possibility is to write a valve and filter the URL. Depending on
>> the pattern of the URL I can reject the request.
>>
>> Do you have a better idea how to solve this or is there already a
>> common way for doing this?
>>
>
> Could you please report it as a JIRA issue? IMO this is a blocker
> if it is still present in 2.1rc*
>
> Regards
> Santiago
>
>> Thanks in advance.
>>
>> Regards,
>>  Eric
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
>> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
>
>

-- 
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
[office] +01 707 773-4646
[mobile] +01 707 529 9194
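The URL Eric reports puts `"><script>...</script>` into the path after the page name, which is the classic shape of a payload that closes an attribute and a tag in markup that reflects the request path unencoded. The block below is an added example, not Jetspeed's code or anything from the thread: it decodes the reported URL, renders it through a hypothetical template that reflects the path segment into an attribute both with and without HTML encoding, and implements the request-level "valve" filter Eric proposes in two variants to show why a pattern match on the raw URL is only a backstop. The template, the filter patterns and `DOUBLE_ENCODED_PATH` are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed from the URL quoted in the thread: the request path as it
# arrives percent-encoded on the wire.
REPORTED_PATH = (
    "/jetspeed/portal/pages/default-page.psml/"
    "%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e"
)

# Constructed variant (assumption): the same prefix double-encoded, which a
# filter that inspects the raw URL will not recognise.
DOUBLE_ENCODED_PATH = (
    "/jetspeed/portal/pages/default-page.psml/%2522%253e%253cscript%253e"
)


def decoded_segment(path: str) -> str:
    """Return the percent-decoded path info that follows the .psml page name."""
    _, _, rest = path.partition(".psml/")
    return unquote(rest)


def render_vulnerable(segment: str) -> str:
    """Hypothetical template (not Jetspeed's) that pastes the path segment into
    an href attribute with no encoding: the bug class the reported URL exercises."""
    return f'<a href="/jetspeed/portal/pages/default-page.psml/{segment}">self</a>'


def render_hardened(segment: str) -> str:
    """Same template with HTML attribute encoding applied at the output point.
    This is the actual fix; request filtering on its own does not close the hole."""
    safe = html.escape(segment, quote=True)
    return f'<a href="/jetspeed/portal/pages/default-page.psml/{safe}">self</a>'


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to compare the two renderings above."""
    return SCRIPT_TAG.search(markup) is not None


# The "valve" idea from the thread: reject requests whose URL matches a pattern.
# Assumed blocklist of characters that break out of an attribute or tag.
REJECT = re.compile(r"[<>\"']")


def url_filter_naive(raw_path: str) -> bool:
    """Allow (True) unless the raw, still-encoded URL contains a blocked character.
    The reported URL carries every dangerous character percent-encoded, so it passes."""
    return REJECT.search(raw_path) is None


def url_filter_decoding(raw_path: str) -> bool:
    """Percent-decode until the string stops changing, then apply the blocklist.
    Catches single and double encoding, but it is still a blocklist: treat it as a
    backstop in front of proper output encoding, not as the fix."""
    prev, cur = None, raw_path
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return REJECT.search(cur) is None


if __name__ == "__main__":
    seg = decoded_segment(REPORTED_PATH)
    print("decoded segment:", seg)
    print("vulnerable   :", render_vulnerable(seg))
    print("hardened     :", render_hardened(seg))
    print("naive filter allows reported URL:", url_filter_naive(REPORTED_PATH))
    print("decoding filter allows reported URL:", url_filter_decoding(REPORTED_PATH))
    print("naive filter allows double-encoded:", url_filter_naive(DOUBLE_ENCODED_PATH))
    print("decoding filter allows double-encoded:", url_filter_decoding(DOUBLE_ENCODED_PATH))
```

Run it as a script to see the decoded payload, the two renderings, and the filter verdicts side by side. The decoding filter rejects both the reported URL and its double-encoded variant, whereas the naive one allows both; the hardened template neutralises the payload regardless of whether any filter is in front of it.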




