[ http://issues.apache.org/jira/browse/BEEHIVE-952?page=all ]
Julie Zhuo closed BEEHIVE-952:
------------------------------
Verified with rev374070. This is no alert appear. The error msg occured on the
console looks good.
01 Feb 2006 15:27:45,402 ERROR AutoRegisterActionServlet []: No module
configuration registered for /
crossSiteScriptingAttack/<script>alert('AlertWindow')</script>.do (module path
/crossSiteScriptingAtt
ack/<script>alert('AlertWindow')<).
01 Feb 2006 15:27:45,412 ERROR InternalUtils []: Error (message key
PageFlow_NoModuleConf) occurred
. Response error was set to 404
> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
> Key: BEEHIVE-952
> URL: http://issues.apache.org/jira/browse/BEEHIVE-952
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: V1
> Environment: Tomcat
> Reporter: Rich Feit
> Assignee: Julie Zhuo
> Fix For: 1.0.1
>
> Repro:
> - Make sure you are not running in production mode. By default, this is
> based on not passing "-ea" when starting the server.
> - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
> - Hit a URL like this one:
>
> http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert
> Window')</script>.do
> EXPECTED: an error that says:
> There is no Struts module configuration registered for
> /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path
> /crossSiteScriptingAttack/alert('hi')<).
> ACTUAL: an error that says:
> There is no Struts module configuration registered for
> /crossSiteScriptingAttack/.do (module path
> /crossSiteScriptingAttack/alert('hi')<).
> ...and, the script EXECUTES on the client -- you see a browser alert box
> that says "hi".
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
