[JIRA] (JENKINS-16893) Cross Site Scripting Version 1.502

[andrei.co...@yopeso.com (JIRA)]

Andrei Colta created JENKINS-16893 Cross Site Scripting Version 1.502 Issue Type: Bug Affects Versions: current Assignee: Unassigned Components: core Created: 20/Feb/13 3:07 PM Description: we found few vulnaribilities. If you append this http://yourdomainname.com:8080//search/suggestOpenSearch?q=%27"%28%29%26%251<ScRiPt%20>prompt%28'VULN'%29<%2fScRiPt> Is Vulnerable To Cross Site Scripting This vulnerability affects /search/suggestOpenSearch on Parametter ?q= HTTP Parameter Pollution on builds /loginError HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If the web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either clientside or server-side attacks. Attack details This vulnerability affects /j_acegi_security_check. URL encoded POST input from was set to &n990198=v931935 Parameter precedence: last occurrence Affected link: login?from=&n990198=v931935 Affected parameter: from= The impact depends on the affected web application. An attacker could Override existing hardcoded HTTP parameters Modify the application behaviors Access and, potentially exploit, uncontrollable variables Bypass input validation checkpoints and WAFs rules Due Date: 20/Feb/13 12:00 AM Environment: Linux Debian Project: Jenkins Labels: jenkins Priority: Critical Reporter: Andrei Colta

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira

--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.