[richfaces-issues] [JBoss JIRA] Created: (RF-4713) hidden field javax.faces.ViewState is not sanitized

Gerrit Brehmer (JIRA) Wed, 22 Oct 2008 08:04:41 -0700

hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------


                 Key: RF-4713
                 URL: https://jira.jboss.org/jira/browse/RF-4713
             Project: RichFaces
          Issue Type: Bug
    Affects Versions: 3.2.2
         Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3 
            Reporter: Gerrit Brehmer
            Priority: Critical


We had a Security Audit of our Web Portal and they found a possible Cross Site 
Scripting Problem:

If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
_______________________________________________
richfaces-issues mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/richfaces-issues

[richfaces-issues] [JBoss JIRA] Created: (RF-4713) hidden field javax.faces.ViewState is not sanitized

Reply via email to