[ http://issues.apache.org/jira/browse/BEEHIVE-952?page=comments#action_12330315 ]
Rich Feit commented on BEEHIVE-952:
-----------------------------------

The URL got encoded by JIRA. It should be this:

http://localhost:8080/myWebApp/crossSiteScriptingAttack/%3Cscript%3Ealert('hi')%3C/script%3E.do

> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
>          Key: BEEHIVE-952
>          URL: http://issues.apache.org/jira/browse/BEEHIVE-952
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: V1
>  Environment: Tomcat
>     Reporter: Rich Feit
>     Assignee: Rich Feit
>      Fix For: 1.1
>
> Repro:
> - Make sure you are not running in production mode. By default, this is
>   based on not passing "-ea" when starting the server.
> - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
> - Hit a URL like this one:
>
>     http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert Window')</script>.do
>
> EXPECTED: an error that says:
>     There is no Struts module configuration registered for
>     /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path
>     /crossSiteScriptingAttack/alert('hi')<).
>
> ACTUAL: an error that says:
>     There is no Struts module configuration registered for
>     /crossSiteScriptingAttack/.do (module path
>     /crossSiteScriptingAttack/alert('hi')<).
>
> ...and, the script EXECUTES on the client -- you see a browser alert box
> that says "hi".

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
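The report above boils down to one rendering defect: a request-derived path is concatenated into an HTML error page without escaping, so a path containing `<script>` is parsed as markup rather than shown as text. The following is an added example written for this page, not Beehive/NetUI project code, and nothing about the real NetUI error-page implementation is assumed beyond the message text quoted in the report. `escapeHtml`, `buildErrorUnsafe`, `buildErrorSafe` and `containsRawTag` are helpers invented for the example; the input path is the decoded form of the URL in the report.

```java
// Added example, not Beehive/NetUI code: the vulnerable pattern behind
// BEEHIVE-952 beside the defensive fix (HTML-escape request-derived text
// before placing it in an HTML response). The message wording is taken
// from the report; all method names here are assumptions for the example.
public class ModulePathErrorDemo {

    // Constructed test input: decoded form of the URL from the report.
    static final String ATTACK_PATH =
        "/crossSiteScriptingAttack/<script>alert('hi')</script>.do";

    // Vulnerable form: the untrusted path goes straight into HTML.
    // A browser parses and runs the <script> element, and the visible
    // text shrinks to "/crossSiteScriptingAttack/.do", which matches the
    // ACTUAL output quoted in the report.
    static String buildErrorUnsafe(String requestPath) {
        return "<p>There is no Struts module configuration registered for "
             + requestPath + "</p>";
    }

    // Hardened form: escape the HTML-significant characters so the path is
    // rendered literally, which gives the EXPECTED output from the report.
    static String buildErrorSafe(String requestPath) {
        return "<p>There is no Struts module configuration registered for "
             + escapeHtml(requestPath) + "</p>";
    }

    // Minimal escaper for HTML text content (example helper, not a NetUI API).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Cheap regression check: does the produced HTML still contain a raw
    // opening tag of the given name?
    static boolean containsRawTag(String html, String tagName) {
        return html.toLowerCase().contains("<" + tagName.toLowerCase());
    }

    public static void main(String[] args) {
        String unsafe = buildErrorUnsafe(ATTACK_PATH);
        String safe = buildErrorSafe(ATTACK_PATH);
        System.out.println("UNSAFE: " + unsafe);
        System.out.println("SAFE:   " + safe);
        // true for the unescaped page, false once the path is escaped
        System.out.println("unsafe has raw <script>: " + containsRawTag(unsafe, "script"));
        System.out.println("safe has raw <script>:   " + containsRawTag(safe, "script"));
    }
}
```

The report notes that the message only appears when the server is not in production mode, so the exposure is tied to a development-style configuration; escaping at the point where the path is written into the page removes it regardless of mode, and the `containsRawTag` check is the kind of assertion worth keeping in a unit test so the escape is not dropped later.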
