[Geoserver-devel] [JIRA] (GEOS-8805) Reflected cross-site scripting vulnerabilities in wms

[Nenad Steric (JIRA)]

Title: Message Title

Nenad Steric created an issue   GeoServer / GEOS-8805 Reflected cross-site scripting vulnerabilities in wms Issue Type: Bug Affects Versions: 2.13.1 Assignee: Unassigned Components: WMS Created: 27/Jun/18 1:10 PM Environment: Centos 7 Priority: Medium Reporter: Nenad Steric From our security test : The name of an arbitrarily supplied URL parameter is copied into a _javascript_ _expression_ which is not encapsulated in any quotation marks. The payload 25064;alert(1)//419 was submitted in the name of an arbitrarily supplied URL parameter. This input was echoed as 25064;ALERT(1)//419 in the application's response. GET /geoserver/nurc/wms?service=WMS&version=1.1.0&request=GetMap&layers=nurc:Arc_Sample&styles=&bbox=-180.0,-90.0,180.0,90.0&width=768&height=384&srs=EPSG:4326&format=application/openlayers&25064%3balert(1)%2f%2f419=1 HTTP/1.1 *Response * HTTP/1.1 200 OK X-Frame-Options: SAMEORIGIN ..... params: {'FORMAT': format, 'VERSION': '1.1.1', 25064;ALERT(1)//419: '1', STYLES: '', LAYERS: 'nurc:Arc_Sample', } ...... This is for /geoserver/nurc/wms /geoserver/sf/wms etc.. Add Comment   Get Jira notifications on your phone! Download the Jira Cloud app for Android or iOS This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100088-sha1:29e3749)

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel