[ http://issues.apache.org/jira/browse/GERONIMO-1474?page=comments#action_12363140 ]

Paul McMahan commented on GERONIMO-1474:
----------------------------------------

Please note that the patch for the admin portlets does *not* address any XSS
vulnerabilities in the sample applications. Based on recent discussion on the
dev list my understanding is that the tomcat dev team will address any
vulnerabilities in the samples they provide.

> Cross site scripting vulnerabilities
> -----------------------------------
>
>          Key: GERONIMO-1474
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1474
>      Project: Geronimo
>         Type: Bug
>   Components: console, security
>     Versions: 1.0
>     Reporter: Greg Wilkins
>      Fix For: 1.0.1, 1.1
>  Attachments: GERONIMO-1474.patch
>
> Reported by oliver karow:
> The Web-Access-Log viewer does no filtering for html-/script-tags, and
> therefore allows attacks against the user of the admin-console:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>
> Also reported:
> The first one is a classical cross-site scripting in the jsp-examples:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
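The defect described in the quoted report is that the log viewer writes raw access-log lines into its HTML, so a request URL containing a script tag is interpreted by the console user's browser. The following is an added illustration, not Geronimo's own viewer code: a constructed Common Log Format line carrying the request path quoted above is rendered once without escaping and once with HTML escaping, and a parser shows which tags a browser would actually interpret in each case.

```python
import html
from html.parser import HTMLParser

# Constructed sample access-log line (Common Log Format). The request path is the
# one quoted in the issue; a viewer reads lines like this back from the log file
# and renders them for the console user.
SAMPLE_LOG_LINE = (
    '10.10.10.10 - - [20/Jan/2006:10:00:00 +0000] '
    '"GET /jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script> HTTP/1.1" '
    '200 512'
)


def render_row_vulnerable(line: str) -> str:
    """Hypothetical viewer behaviour: the raw log line is concatenated into the
    page, so any markup inside the logged request becomes live HTML."""
    return f"<tr><td>{line}</td></tr>"


def render_row_hardened(line: str) -> str:
    """Escapes <, >, &, and quotes before the line reaches the page, so the
    logged request is displayed literally instead of being interpreted."""
    return f"<tr><td>{html.escape(line, quote=True)}</td></tr>"


class _TagCollector(HTMLParser):
    """Records every start tag the HTML parser encounters, i.e. what a browser
    would treat as markup rather than text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def interpreted_tags(rendered_html: str) -> list:
    """Returns the tag names a browser would interpret in the rendered row."""
    collector = _TagCollector()
    collector.feed(rendered_html)
    return collector.tags


if __name__ == "__main__":
    print("vulnerable:", interpreted_tags(render_row_vulnerable(SAMPLE_LOG_LINE)))
    print("hardened:  ", interpreted_tags(render_row_hardened(SAMPLE_LOG_LINE)))
```

The same escaping has to be applied to every field that originates from the request (path, query string, user agent, referrer), since all of them are attacker-supplied text that the log faithfully preserves.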
