Alexander Kolbasov created SENTRY-1665:
------------------------------------------
Summary: cross-site scripting vulnerability in ConfServlet
Key: SENTRY-1665
URL: https://issues.apache.org/jira/browse/SENTRY-1665
Project: Sentry
Issue Type: Bug
Components: Sentry
Affects Versions: 1.8.0
Reporter: Alexander Kolbasov
The ConfServlet class has the following code:
{code}
String format = request.getParameter(FORMAT_PARAM);
...
} else {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " +
format);
}
{code}
As a result, the HTTP parameter is written directly to the servlet error page. Echoing
this untrusted input allows a reflected cross-site scripting vulnerability.
See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
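As an added illustration (not code from the Sentry project), the vulnerable concatenation beside two hardened variants: HTML-escape the value before echoing it, or do not echo it at all. Plain JDK only; the sendError call is left out, and the parameter name and the list of supported formats are assumptions.

```java
import java.util.Arrays;
import java.util.List;

public class ConfServletXssDemo {
    // Parameter name and accepted values are assumed for this illustration.
    static final String FORMAT_PARAM = "format";
    static final List<String> SUPPORTED = Arrays.asList("json", "xml");

    // Minimal HTML escaping for text that ends up inside an HTML body.
    // '&' must be replaced first so later entities are not double-escaped.
    static String escapeHtml(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Vulnerable pattern from the report: the raw parameter is concatenated
    // into a message the container may render as HTML on its error page.
    static String vulnerableMessage(String format) {
        return "Bad format: " + format;
    }

    // Hardened, option 1: escape the value before echoing it.
    static String escapedMessage(String format) {
        return "Bad format: " + escapeHtml(format);
    }

    // Hardened, option 2 (stricter): never echo the untrusted value; name the
    // accepted values instead, which is all the client needs to know.
    static String nonEchoingMessage() {
        return "Bad format; supported values: " + String.join(", ", SUPPORTED);
    }

    public static void main(String[] args) {
        // Constructed untrusted input containing HTML markup.
        String format = "<b>not-a-format</b>";
        if (!SUPPORTED.contains(format)) {
            System.out.println("vulnerable : " + vulnerableMessage(format));
            System.out.println("escaped    : " + escapedMessage(format));
            System.out.println("non-echoing: " + nonEchoingMessage());
        }
    }
}
```

Whether the container's default error page escapes the sendError message is container- and version-dependent, so the servlet should not rely on it and should treat the parameter as untrusted output.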
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)