[ http://issues.apache.org/jira/browse/BEEHIVE-952?page=all ]
Rich Feit resolved BEEHIVE-952:
-------------------------------
Resolution: Fixed
Assign To: Alejandro Ramirez (was: Rich Feit)
This is fixed with revision 355003.
> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
> Key: BEEHIVE-952
> URL: http://issues.apache.org/jira/browse/BEEHIVE-952
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: V1
> Environment: Tomcat
> Reporter: Rich Feit
> Assignee: Alejandro Ramirez
> Fix For: 1.1
>
> Repro:
> - Make sure you are not running in production mode. By default, this is
> based on not passing "-ea" when starting the server.
> - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
> - Hit a URL like this one:
>
> http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert
> Window')</script>.do
> EXPECTED: an error that says:
> There is no Struts module configuration registered for
> /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path
> /crossSiteScriptingAttack/alert('hi')<).
> ACTUAL: an error that says:
> There is no Struts module configuration registered for
> /crossSiteScriptingAttack/.do (module path
> /crossSiteScriptingAttack/alert('hi')<).
> ...and, the script EXECUTES on the client -- you see a browser alert box
> that says "hi".
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
