Potential cross-site-scripting vulnerability when not in production mode
------------------------------------------------------------------------
Key: BEEHIVE-952
URL: http://issues.apache.org/jira/browse/BEEHIVE-952
Project: Beehive
Type: Bug
Components: NetUI
Versions: V1
Environment: Tomcat
Reporter: Rich Feit
Assigned to: Rich Feit
Fix For: 1.1
Repro:
- Make sure you are not running in production mode. By default, this is
based on not passing "-ea" when starting the server.
- Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
- Hit a URL like this one:
  http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert Window')</script>.do
EXPECTED: an error that says:
There is no Struts module configuration registered for
/crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path
/crossSiteScriptingAttack/alert('hi')<).
ACTUAL: an error that says:
There is no Struts module configuration registered for
/crossSiteScriptingAttack/.do (module path
/crossSiteScriptingAttack/alert('hi')<).
...and, the script EXECUTES on the client -- you see a browser alert box that
says "hi".
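The root cause described above is that the request path is copied verbatim into the error page, so any markup in the path is rendered by the browser. The following is an added illustration, not Beehive/NetUI code and not the fix that shipped for this issue: it assumes the error text is assembled as a plain string from the request path and the derived module path, and shows both values being HTML-escaped before they are echoed, using a constructed input that mirrors the report.

```java
// Added example (not Beehive/NetUI code): HTML-escape a request path before
// echoing it into an error message so a crafted path cannot run as script.
public class ModulePathErrorMessage {

    /** Minimal HTML escaper for the characters that matter in element content and attributes. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Builds the diagnostic shown when no module configuration matches the request.
     * Both echoed values pass through escapeHtml, so the browser shows them as text.
     */
    static String buildErrorMessage(String requestPath, String modulePath) {
        return "There is no Struts module configuration registered for "
             + escapeHtml(requestPath)
             + " (module path " + escapeHtml(modulePath) + ").";
    }

    public static void main(String[] args) {
        // Constructed input mirroring the report: the path after the webapp context,
        // and the module path as the report shows it being derived.
        String requestPath = "/crossSiteScriptingAttack/<script>alert('hi')</script>.do";
        String modulePath  = "/crossSiteScriptingAttack/alert('hi')<";

        String message = buildErrorMessage(requestPath, modulePath);
        System.out.println(message);

        // Sanity check: no raw angle brackets survive, so nothing in the
        // message can open a tag when the page is rendered.
        if (message.indexOf('<') >= 0 || message.indexOf('>') >= 0) {
            throw new IllegalStateException("unescaped markup in error message");
        }
    }
}
```

The same rule applies to any other request-derived value a framework places in a diagnostic page (query parameters, headers, the raw URI): encode it for the context it is written into, and do not rely on production mode to suppress the page, since the encoding is what removes the vulnerability rather than the visibility of the message.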