portals-jetspeed-dev mailing list archives

From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Resolved: (JS2-656) Cross-Site Scripting (XSS) vulnerability
Date Fri, 02 Mar 2007 22:09:50 GMT

     [ https://issues.apache.org/jira/browse/JS2-656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma resolved JS2-656.
---------------------------

    Resolution: Fixed

Solved using a dedicated /* filter checking each request and returning HTTP Status 400, SC_BAD_REQUEST in case of such an attack.

> Cross-Site Scripting (XSS) vulnerability
> -----------------------------------------
>
>                 Key: JS2-656
>                 URL: https://issues.apache.org/jira/browse/JS2-656
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Components Core
>    Affects Versions: 2.1
>            Reporter: Ate Douma
>         Assigned To: Ate Douma
>            Priority: Blocker
>             Fix For: 2.1
>
>
> A Cross-Site Scripting vulnerability was found for Jetspeed allowing an XSS URL attack like the following:
>   http://localhost:8080/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
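The resolution above describes the mitigation only in one sentence: a filter mapped to /* that inspects each request and answers 400 when the path carries injected markup. The following servlet filter is an added illustration of that approach, not Jetspeed's own fix; the class name, the character set it rejects and the decode-before-check step are assumptions. It is mapped to /* in web.xml like the filter the issue mentions.

```java
// Added example, not Jetspeed's code: reject requests whose decoded path
// contains HTML markup characters with HTTP 400 before the portal renders it.
import java.io.IOException;
import java.net.URLDecoder;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PathMarkupRejectFilter implements Filter {
    // A portal page path never legitimately contains '<', '>' or quotes; these
    // are exactly what a script tag needs to break out of a reflected attribute.
    private static final Pattern MARKUP = Pattern.compile("[<>\"']");

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    /** True when the decoded request path contains markup characters. */
    static boolean containsMarkup(String rawUri) {
        String decoded;
        try {
            // getRequestURI() is returned undecoded by the container, so the
            // %3c%3e sequences from the report must be decoded before checking,
            // otherwise a percent-encoded payload walks straight past the filter.
            decoded = URLDecoder.decode(rawUri, "UTF-8");
        } catch (IllegalArgumentException e) {
            // Malformed percent-encoding: treat as suspicious, do not let it through.
            return true;
        } catch (java.io.UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
        return MARKUP.matcher(decoded).find();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (containsMarkup(request.getRequestURI())) {
            // SC_BAD_REQUEST, as in the JS2-656 resolution: nothing is echoed back.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Such a filter is a coarse gate in front of the portal; it does not replace output encoding of any request-derived value that is written into the page.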

