Posted to dev@myfaces.apache.org by "Matthias Weßendorf (JIRA)" <de...@myfaces.apache.org> on 2010/10/29 15:52:21 UTC

[jira] Resolved: (TRINIDAD-1798) XSS attack while launching Pop up

     [ https://issues.apache.org/jira/browse/TRINIDAD-1798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matthias Weßendorf resolved TRINIDAD-1798.
------------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0.4-core 
                    1.2.15-core 
         Assignee: Matthias Weßendorf

> XSS attack while launching Pop up
> ---------------------------------
>
>                 Key: TRINIDAD-1798
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1798
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>    Affects Versions: 1.2.9-core
>            Reporter: Virginie reverse
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.2.15-core , 2.0.0.4-core 
>
>
> Hello,
> I am using Trinidad 1.2.9, JSF 1.2 and Tomcat 5.5.26.
> I am launching a pop-up with this command:
>  <tr:commandLink id="idAddCurrencyDialog" text="#{msg.updateAttributes_add_currency}"   action="dialog:addModifyAttribute" useWindow="true" partialSubmit="true" launchListener="#{updateAttributesController.launchAddCurrencyDialog}" returnListener="#{updateAttributesController.returnFromDialogAttribute}" windowHeight="500" windowWidth="500"/>          
> Here is the command generated:
> https://xxx/yyy/faces/__ADFv__?_afPfm=-543e4359&_t=fred&_vir=/common/pages/secure/common/dialog/addModifyAttribute.jspx&loc=en&_minWidth=500&_minHeight=500&_rtrnId=1
> The problem is that it allows a cross-site scripting attack: you can insert JavaScript in:
> _minWidth, _minHeight or _rtrnId
> For example:
> https://xxx/yyyy/faces/__ADFv__?_afPfm=-543e4359&_t=fred&_vir=/common/pages/secure/common/dialog/addModifyAttribute.jspx&loc=en&_minWidth=500&_minHeight=500});alert(document.cookie);//&_rtrnId=1
> I tried to upgrade to 1.2.13, but the problem was still there.
> Do you know a workaround, or is it possible to fix this security breach?
> Thanks

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
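
The report describes script injected through `_minWidth`, `_minHeight` and `_rtrnId`, parameters that normally carry integers. The following is an added example, not Trinidad's code and not the fix shipped in 1.2.15-core / 2.0.0.4-core: it shows a request value concatenated into script unchanged next to a version that accepts only digits and emits the parsed integer. The `resizeDialog` script template, the class name and the method names are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;

public class DialogParamCheck {
    // Parameter names taken from the report; all three are expected to be plain integers.
    static final String[] NUMERIC_PARAMS = {"_minWidth", "_minHeight", "_rtrnId"};

    // Split and URL-decode a query string, roughly as a servlet container would.
    static Map<String, String> parseQuery(String query) throws Exception {
        Map<String, String> params = new HashMap<String, String>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            params.put(URLDecoder.decode(pair.substring(0, eq), "UTF-8"),
                       URLDecoder.decode(pair.substring(eq + 1), "UTF-8"));
        }
        return params;
    }

    // Hypothetical template: the request value is concatenated into script unchanged.
    static String unsafeScript(Map<String, String> p) {
        return "resizeDialog({w:" + p.get("_minWidth") + ",h:" + p.get("_minHeight") + "});";
    }

    // Hardened form: each value must be 1-5 ASCII digits, and only the parsed int is emitted.
    static String safeScript(Map<String, String> p) {
        Map<String, Integer> n = new HashMap<String, Integer>();
        for (String name : NUMERIC_PARAMS) {
            String raw = p.get(name);
            if (raw == null || !raw.matches("[0-9]{1,5}")) {
                throw new IllegalArgumentException("rejected non-numeric " + name);
            }
            n.put(name, Integer.valueOf(raw));
        }
        return "resizeDialog({w:" + n.get("_minWidth") + ",h:" + n.get("_minHeight") + "});";
    }

    public static void main(String[] args) throws Exception {
        // Query strings from the two URLs in the report (normal, then with script in _minHeight).
        String ok = "_minWidth=500&_minHeight=500&_rtrnId=1";
        String bad = "_minWidth=500&_minHeight=500});alert(document.cookie);//&_rtrnId=1";
        System.out.println(safeScript(parseQuery(ok)));
        System.out.println(unsafeScript(parseQuery(bad)));
        try { safeScript(parseQuery(bad)); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

Rejecting the request outright, rather than stripping characters, keeps the check independent of how the value is later quoted or nested in the generated script.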