Bugs item #3029502, was opened at 2010-07-14 13:40
Message generated for change (Tracker Item Submitted) made by rebus
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=480577&aid=3029502&group_id=55394
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Interface (example)
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Michal Ambroz (rebus)
Assigned to: Nobody/Anonymous (nobody)
Summary: User interface allows XSS

Initial Comment:
Some attributes/values are vulnerable to cross-site scripting when being displayed in the HTML view mode. Input from the LDAP should be sanitized before it is used in HTML code to display in HTML view. I am not sure how clever the HTML view widget is and how much it would be possible to misuse this vulnerability.

On the attached screenshot, the value of the attribute postaladdress contains an attempt to inject JavaScript. The JavaScript is not executed, but it deforms the presented page, which means it is processed somehow.

----------------------------------------------------------------------

_______________________________________________
Jxplorer-devel mailing list
Jxplorer-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
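The mitigation the report asks for, escaping LDAP attribute values before they are placed into the HTML shown by the HTML view, as an added example. This is not JXplorer's code and does not use its data model: it assumes a plain map of attribute name to value (a hypothetical renderEntry helper), and the sample entry, including the markup in postalAddress, is constructed here to stand in for the kind of value the screenshot describes.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not JXplorer code): HTML-escape every LDAP attribute name and
// value before building the markup handed to an HTML view component.
public class LdapHtmlEscape {

    /**
     * Replace the five characters that carry meaning in HTML text and
     * attribute context. Everything else is passed through unchanged.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Render an entry's attributes as an HTML table. Both the attribute name
     * and the value are escaped, so directory data can never close a tag or
     * open a new one; the view component only ever sees the table markup
     * written here. (Hypothetical helper, not a JXplorer API.)
     */
    public static String renderEntry(Map<String, String> attrs) {
        StringBuilder html = new StringBuilder("<html><body><table>");
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            html.append("<tr><td>").append(escapeHtml(e.getKey()))
                .append("</td><td>").append(escapeHtml(e.getValue()))
                .append("</td></tr>");
        }
        return html.append("</table></body></html>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample entry: the postalAddress value carries markup of
        // the sort the bug report says deforms the HTML view when unescaped.
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("cn", "Test User");
        attrs.put("postalAddress", "1 Main St <b>injected markup</b> & Co");

        String html = renderEntry(attrs);
        System.out.println(html);
        // The rendered value appears literally as text; the tags are shown, not interpreted:
        // ... <td>postalAddress</td><td>1 Main St &lt;b&gt;injected markup&lt;/b&gt; &amp; Co</td> ...
    }
}
```

Escaping at the point where the string is concatenated into markup, rather than when it is read from the directory, is what keeps the rule simple to audit: any value reaching the view component goes through escapeHtml, whatever its source or attribute type.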