Santiago Gala wrote:
>
> El mar, 27-02-2007 a las 15:23 +0100, Eric Nolte escribió:
>> Hi,
>>
>> it seams that Jetspeed in it's default configuration is vulnerable to
>> cross site scriptings like this:
>> http://localhost:8080/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e
>>
>> My question is how can i prevent this?
>> One possibility is to write a valve and filter the URL. Depending on
>> the pattern of the URL I can reject the request.
>>
>> Do you have a better idea how to solve this or is there already a
>> common way for doing this?
>>
>
> Could you please report it as a JIRA issue? IMO this is a blocker if it
> is still present in 2.1rc*
>
> Regards
> Santiago
>
>> Thanks in advance.
>>
>> Regards,
>> Eric
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: jetspeed-user-unsubscr...@portals.apache.org
>> For additional commands, e-mail: jetspeed-user-h...@portals.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
> For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
>
>
>
Hi,
I am using jetspeed 2.2.2 (downloaded last week) and i'm a newbie. when i
try to access jetspeed with XSS attack as
http://localhost:8080/jetspeed/portal/F6%22%20onmouseover=prompt(900041)%20
i'm seeing the attack is allowed. my guess is it is nor resolved yet.
Jetspeed is able to handle the attack with '<' or '>' signs, but when
onmouseover function is used, jetspeed fails to prevent the attack.
As i said, i'm newbie and i might be missing something. if anyone knows who
this can be prevented, it would be of great help.
thanks in advance
--
View this message in context:
http://old.nabble.com/Cross-Site-Scripting-Vulnerability--was%3A-Filter-URLs--tp9265898p34576167.html
Sent from the Jetspeed - Dev mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org