[
https://issues.apache.org/jira/browse/GERONIMO-1474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Jencks updated GERONIMO-1474:
-----------------------------------
Comment: was deleted
> Cross site scripting vulnerabilites
> -----------------------------------
>
> Key: GERONIMO-1474
> URL: https://issues.apache.org/jira/browse/GERONIMO-1474
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: console, security
> Affects Versions: 1.0
> Reporter: Greg Wilkins
> Assigned To: Aaron Mulder
> Fix For: 1.1, 1.2
>
> Attachments: GERONIMO-1474.patch
>
>
> Reported by oliver karow:
> The Web-Access-Log viewer does no filtering for html-/script-tags, and
> therefore allows attacks against the user of the admin-console:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>
> Also reported:
> The first one is a classical cross-site scripting in the jsp-examples:
> http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
