[ http://issues.apache.org/jira/browse/GERONIMO-1474?page=all ]

Paul McMahan updated GERONIMO-1474:
-----------------------------------

    Geronimo Info: [Patch Available]

> Cross site scripting vulnerabilities
> -----------------------------------
>
>          Key: GERONIMO-1474
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1474
>      Project: Geronimo
>         Type: Bug
>   Components: console, security
>     Versions: 1.0
>     Reporter: Greg Wilkins
>      Fix For: 1.0.1, 1.1
>  Attachments: GERONIMO-1474.patch
>
> Reported by oliver karow:
> The Web-Access-Log viewer does no filtering for html-/script-tags, and
> therefore allows attacks against the user of the admin-console:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>
> Also reported:
> The first one is a classical cross-site scripting in the jsp-examples:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
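As an added illustration of the missing output filtering described in the ticket (this is example code, not the GERONIMO-1474.patch attached to the issue), the following Java class escapes every access-log field before the console emits it as HTML, so a request URL like the one quoted above renders as inert text. The tab-separated log layout, the field order and the timestamp are assumptions constructed for the example.

```java
/** Escapes attacker-controlled access-log fields before they reach the admin console page. */
public class AccessLogHtmlRenderer {

    /** Replace the five HTML-significant characters so a logged request cannot inject markup. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Render one raw log line as a table row; each field is escaped, none is trusted. */
    static String renderRow(String rawLine) {
        // Assumed layout (constructed for this example): client IP, timestamp, request line, status.
        String[] fields = rawLine.split("\t");
        StringBuilder row = new StringBuilder("<tr>");
        for (String field : fields) {
            row.append("<td>").append(escapeHtml(field)).append("</td>");
        }
        return row.append("</tr>").toString();
    }

    public static void main(String[] args) {
        // Constructed log line carrying the request URL quoted in the ticket; the timestamp is made up.
        String line = "10.10.10.10\t2006-01-16 12:00:00\t"
                + "GET /jsp-examples/cal/cal2.jsp?time=\"/><script>alert(document.cookie)</script>\t200";
        String html = renderRow(line);
        System.out.println(html);
        // Sanity check: the rendered row must not contain a live tag from the request field.
        if (html.contains("<script")) {
            throw new IllegalStateException("escaping failed");
        }
    }
}
```

The same escaping applies to any other log-derived field (referer, user agent) that the viewer prints, since all of them originate in client-controlled request data.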