XSS attack while launching Pop up
---------------------------------
Key: TRINIDAD-1798
URL: https://issues.apache.org/jira/browse/TRINIDAD-1798
Project: MyFaces Trinidad
Issue Type: Bug
Affects Versions: 1.2.9-core
Reporter: Virginie reverse
Priority: Critical
Hello,
I am using Trinidad 1.2.9, JSF 1.2 and Tomcat 5.5.26.
I am launching a pop-up with this command:
<tr:commandLink id="idAddCurrencyDialog"
    text="#{msg.updateAttributes_add_currency}"
    action="dialog:addModifyAttribute" useWindow="true" partialSubmit="true"
    launchListener="#{updateAttributesController.launchAddCurrencyDialog}"
    returnListener="#{updateAttributesController.returnFromDialogAttribute}"
    windowHeight="500" windowWidth="500"/>
Here is the command generated:
https://xxx/meta/faces/__ADFv__?_afPfm=-543e4359&_t=fred&_vir=/common/pages/secure/common/dialog/addModifyAttribute.jspx&loc=en&_minWidth=500&_minHeight=500&_rtrnId=1
The problem is that it allows a cross-site scripting attack: you can insert
JavaScript in:
_minWidth, _minHeight or _rtrnId
For example:
https://xxx/meta/faces/__ADFv__?_afPfm=-543e4359&_t=fred&_vir=/common/pages/secure/common/dialog/addModifyAttribute.jspx&loc=en&_minWidth=500&_minHeight=500});alert(document.cookie);//&_rtrnId=1
I tried upgrading to 1.2.13, but the problem was still there.
Do you know a workaround, or is it possible to fix this security breach?
Thanks
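
One possible workaround for the question in the report, as an added example that is not part of the original message and not Trinidad code: a servlet filter that rejects any request whose _minWidth, _minHeight or _rtrnId value is not a plain integer. The class name DialogParamFilter, the digits-only rule (inferred from the values 500, 500 and 1 in the generated URL) and a web.xml filter mapping onto the Faces servlet path are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical workaround filter (illustrative name, not a Trinidad class). */
public class DialogParamFilter implements Filter {

    // The three request parameters the report names as injectable.
    private static final String[] NUMERIC_PARAMS = {"_minWidth", "_minHeight", "_rtrnId"};

    // Assumption: legitimate values are short non-negative integers,
    // as in the generated dialog URL (500, 500, 1).
    private static final Pattern DIGITS = Pattern.compile("[0-9]{1,9}");

    /** True when every supplied value of a guarded parameter is purely numeric. */
    static boolean isSafe(ServletRequest request) {
        for (String name : NUMERIC_PARAMS) {
            // Check every occurrence, so a duplicated parameter cannot slip through.
            String[] values = request.getParameterValues(name);
            if (values == null) continue;   // parameter absent: nothing to check
            for (String value : values) {
                if (!DIGITS.matcher(value).matches()) return false;
            }
        }
        return true;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!isSafe(request)) {
            // Reject rather than sanitise, so no caller-supplied text reaches the generated script.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) { }

    public void destroy() { }
}
```

The filter only narrows the input accepted at the application boundary; the underlying fix is for the framework to encode these values before writing them into the page's script.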