Cross site scripting vulnerabilities
------------------------------------

         Key: GERONIMO-1474
         URL: http://issues.apache.org/jira/browse/GERONIMO-1474
     Project: Geronimo
        Type: Bug
  Components: console
    Versions: 1.0
    Reporter: Greg Wilkins
     Fix For: 1.0.1
Reported by Oliver Karow:

The Web-Access-Log viewer does no filtering for HTML/script tags, and therefore allows attacks against the user of the admin console:

  http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>

Also reported:

The first one is a classic cross-site scripting vulnerability in the jsp-examples:

  http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators:
  http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see:
  http://www.atlassian.com/software/jira
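To make the defect concrete, here is an added illustration (not Geronimo's own console or jsp-examples code) of the two rendering paths the report describes: a log viewer that drops the logged request line straight into the page, beside the same viewer with output escaping, plus the equivalent fix for the reflected `time` parameter. The log lines and the `render_*` helpers are constructed for this example; the payload inside them is the one quoted in the report.

```python
import html
import re

# Constructed sample access-log lines in Common Log Format. The first request
# line carries the payload quoted in the report, exactly as the server would
# write it to the access log after serving the request.
SAMPLE_LOG = [
    '10.10.10.10 - - [20/Jan/2006:10:00:00 +0000] '
    '"GET /jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script> HTTP/1.1" 200 512',
    '10.10.10.11 - - [20/Jan/2006:10:00:01 +0000] "GET /console/ HTTP/1.1" 200 1024',
]

TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_log_vulnerable(lines):
    """Mirrors the reported defect: log text is interpolated into the HTML as-is,
    so anything an attacker managed to get into the log executes in the admin's browser."""
    rows = "".join(f"<tr><td>{line}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"


def render_log_fixed(lines):
    """Escape every log field at output time. quote=True also converts the '"'
    in the payload, so it cannot close an attribute or a quoted string either."""
    rows = "".join(f"<tr><td>{html.escape(line, quote=True)}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"


def render_time_field_vulnerable(time_value):
    """The jsp-examples pattern: a request parameter echoed into an attribute unescaped."""
    return f'<input type="text" name="time" value="{time_value}">'


def render_time_field_fixed(time_value):
    """Same field with attribute-safe escaping; '"/>' no longer terminates the tag."""
    return f'<input type="text" name="time" value="{html.escape(time_value, quote=True)}">'


def contains_live_script(rendered_html):
    """Defender-side check: does the rendered page still contain a real <script tag?
    Escaped output contains only '&lt;script', which this regex does not match."""
    return bool(TAG_RE.search(rendered_html))
```

The check is the kind of assertion worth keeping in a console's test suite: feed a log line (or parameter) containing markup through the view and fail if a live tag survives.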