portals-jetspeed-dev mailing list archives

From Ate Douma <...@douma.nu>
Subject Re: Cross Site Scripting Vulnerability [was: Filter URLs]
Date Fri, 02 Mar 2007 22:16:10 GMT
I opened a new JIRA issue for it: https://issues.apache.org/jira/browse/JS2-656, as well as
committed a fix :)
The reported vulnerability is no longer possible.

Regards, Ate

David Sean Taylor wrote:
> We're working on a fix, thanks
> 
> On Mar 2, 2007, at 12:31 AM, Santiago Gala wrote:
> 
>> On Tue, 27-02-2007 at 15:23 +0100, Eric Nolte wrote:
>>> Hi,
>>>
>>> it seems that Jetspeed in its default configuration is vulnerable to
>>> cross site scripting like this:
>>> http://localhost:8080/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e
>>>
>>>
>>> My question is how can I prevent this?
>>> One possibility is to write a valve and filter the URL. Depending on
>>> the pattern of the URL I can reject the request.
>>>
>>> Do you have a better idea how to solve this or is there already a
>>> common way for doing this?
>>>
>>
>> Could you please report it as a JIRA issue? IMO this is a blocker if it
>> is still present in 2.1rc*
>>
>> Regards
>> Santiago
>>
>>> Thanks in advance.
>>>
>>> Regards,
>>>  Eric
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
>>> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
>> For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
>>
>>
> 
> --David Sean Taylor
> Bluesunrise Software
> david@bluesunrise.com
> [office] +01 707 773-4646
> [mobile] +01 707 529 9194
> 
> 
> 
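Added illustration of the approach Eric describes above (a request filter that rejects page paths outside an allow-list), written for this archive page and not taken from Ate's committed fix or from the Jetspeed code base; the details of the actual fix live in JS2-656, not in this thread. The class name, the allow-list pattern, and the assumption that the offending path reaches the portal through the servlet's path info are mine; widen the pattern if your page names legitimately use other characters. The attribute encoder covers the other half of the problem: a path that must be echoed into markup is encoded rather than inserted raw.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical defensive filter (Servlet 2.4 API, the generation Jetspeed 2.1
 * ran on). It refuses portal page paths containing characters a PSML page path
 * never needs, so a path like /pages/default-page.psml/"><script>... is
 * answered with 400 before any portal code can echo it into a page.
 */
public class PagePathGuardFilter implements Filter {

    // Allow-list for an already URL-decoded path: '/'-separated segments made of
    // letters, digits, '.', '-' and '_'. Quotes, angle brackets, parentheses and
    // spaces all fall outside the class and cause the match to fail.
    private static final Pattern SAFE_PATH =
        Pattern.compile("^(/[A-Za-z0-9._-]+)*/?$");

    /** True when the decoded path is composed only of allow-listed characters. */
    static boolean isAcceptablePagePath(String decodedPath) {
        if (decodedPath == null) {
            return false;
        }
        // The ".." check is defense in depth against traversal in page lookups.
        return SAFE_PATH.matcher(decodedPath).matches() && !decodedPath.contains("..");
    }

    /**
     * Encode a value for inclusion inside a double-quoted HTML attribute, for
     * the places where the request path genuinely has to be written back into
     * markup (a form action, a self-referencing link). Rejecting bad paths does
     * not replace this; encoding at the output point is the root fix.
     */
    static String encodeForAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getPathInfo() is URL-decoded by the container, so %22%3e arrives here
        // as the literal characters "> and is caught by the allow-list.
        String pathInfo = request.getPathInfo();
        if (pathInfo != null && !isAcceptablePagePath(pathInfo)) {
            ((HttpServletResponse) res).sendError(
                HttpServletResponse.SC_BAD_REQUEST, "Rejected portal page path");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml onto the same URL pattern as the portal servlet (for example the /portal/* mapping the reported URL goes through) so it runs before the portal renders anything. The filter is the cheap, broad control Eric asked about; it does not remove the need to encode the path wherever the portal writes it into HTML, which is the change that actually closes the reported hole.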