Posted to dev@beehive.apache.org by "Rich Feit (JIRA)" <de...@beehive.apache.org> on 2005/09/23 20:13:28 UTC
[jira] Created: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode
Potential cross-site-scripting vulnerability when not in production mode
------------------------------------------------------------------------
Key: BEEHIVE-952
URL: http://issues.apache.org/jira/browse/BEEHIVE-952
Project: Beehive
Type: Bug
Components: NetUI
Versions: V1
Environment: Tomcat
Reporter: Rich Feit
Assigned to: Rich Feit
Fix For: 1.1
Repro:
- Make sure you are not running in production mode. By default, this is based on not passing "-ea" when starting the server.
- Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
- Hit a URL like this one:
http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert Window')</script>.do
EXPECTED: an error that says:
There is no Struts module configuration registered for /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path /crossSiteScriptingAttack/alert('hi')<).
ACTUAL: an error that says:
There is no Struts module configuration registered for /crossSiteScriptingAttack/.do (module path /crossSiteScriptingAttack/alert('hi')<).
...and, the script EXECUTES on the client -- you see a browser alert box that says "hi".
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
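As an added illustration (not code from Beehive or from the reporter), the hypothetical Java class below shows why the reflected path runs in the browser: the servlet container percent-decodes the request URL before the webapp sees it, so an error page built by string concatenation emits a literal `<script>` element, while HTML-escaping every request-derived value before it reaches the response keeps the same message inert. Class and method names are assumptions; computing the module path as everything before the last '/' is also an assumption, one that happens to reproduce the module path printed in the ticket.

```java
import java.net.URLDecoder;

/** Hypothetical renderer for the "no module configuration" error (added example, not NetUI code). */
public final class ModuleConfigError {

    /** Minimal HTML escape for text nodes and attribute values. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Before: the decoded request path is concatenated straight into the HTML body. */
    static String vulnerableBody(String decodedPath, String modulePath) {
        return "<html><body>There is no Struts module configuration registered for "
             + decodedPath + " (module path " + modulePath + ").</body></html>";
    }

    /** After: same message, but every request-derived value is escaped first. */
    static String hardenedBody(String decodedPath, String modulePath) {
        return "<html><body>There is no Struts module configuration registered for "
             + htmlEscape(decodedPath) + " (module path " + htmlEscape(modulePath) + ").</body></html>";
    }

    public static void main(String[] args) throws Exception {
        // The URL from the ticket as the browser sends it (percent-encoded) ...
        String rawPath = "/crossSiteScriptingAttack/%3Cscript%3Ealert('hi')%3C/script%3E.do";
        // ... and as the container hands it to the webapp: already decoded to raw '<' and '>'.
        String decodedPath = URLDecoder.decode(rawPath, "UTF-8");
        // Assumed module-path rule: everything before the last '/'. The last '/' sits inside
        // "</script>", which yields "/crossSiteScriptingAttack/<script>alert('hi')<" as in the ticket.
        String modulePath = decodedPath.substring(0, decodedPath.lastIndexOf('/'));

        System.out.println("Vulnerable: " + vulnerableBody(decodedPath, modulePath));
        System.out.println("Hardened:   " + hardenedBody(decodedPath, modulePath));
        // The hardened body carries no raw '<' from the request, so the browser renders text, not a script element.
        if (hardenedBody(decodedPath, modulePath).contains("<script>")) {
            throw new AssertionError("request markup leaked into the response body");
        }
    }
}
```

Escaping is the minimal change; the closing comment in this thread shows the resolution taken by the project goes further, logging the offending path on the server console and answering with a plain 404.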
[jira] Commented: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode
Posted by "Rich Feit (JIRA)" <de...@beehive.apache.org>.
[ http://issues.apache.org/jira/browse/BEEHIVE-952?page=comments#action_12330315 ]
Rich Feit commented on BEEHIVE-952:
-----------------------------------
The URL got encoded by JIRA. It should be this:
http://localhost:8080/myWebApp/crossSiteScriptingAttack/%3Cscript%3Ealert('hi')%3C/script%3E.do
> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
> Key: BEEHIVE-952
> URL: http://issues.apache.org/jira/browse/BEEHIVE-952
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: V1
> Environment: Tomcat
> Reporter: Rich Feit
> Assignee: Rich Feit
> Fix For: 1.1
[jira] Resolved: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode
Posted by "Rich Feit (JIRA)" <de...@beehive.apache.org>.
[ http://issues.apache.org/jira/browse/BEEHIVE-952?page=all ]
Rich Feit resolved BEEHIVE-952:
-------------------------------
Resolution: Fixed
Assign To: Alejandro Ramirez (was: Rich Feit)
This is fixed with revision 355003.
> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
> Key: BEEHIVE-952
> URL: http://issues.apache.org/jira/browse/BEEHIVE-952
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: V1
> Environment: Tomcat
> Reporter: Rich Feit
> Assignee: Alejandro Ramirez
> Fix For: 1.1
[jira] Closed: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode
Posted by "Julie Zhuo (JIRA)" <de...@beehive.apache.org>.
[ http://issues.apache.org/jira/browse/BEEHIVE-952?page=all ]
Julie Zhuo closed BEEHIVE-952:
------------------------------
Verified with rev374070. No alert appears. The error message that occurred on the console looks good.
01 Feb 2006 15:27:45,402 ERROR AutoRegisterActionServlet []: No module configuration registered for /crossSiteScriptingAttack/<script>alert('AlertWindow')</script>.do (module path /crossSiteScriptingAttack/<script>alert('AlertWindow')<).
01 Feb 2006 15:27:45,412 ERROR InternalUtils []: Error (message key PageFlow_NoModuleConf) occurred. Response error was set to 404
> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
> Key: BEEHIVE-952
> URL: http://issues.apache.org/jira/browse/BEEHIVE-952
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: V1
> Environment: Tomcat
> Reporter: Rich Feit
> Assignee: Julie Zhuo
> Fix For: 1.0.1