You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@beehive.apache.org by "Rich Feit (JIRA)" <de...@beehive.apache.org> on 2005/09/23 20:13:28 UTC

[jira] Created: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode

Potential cross-site-scripting vulnerability when not in production mode
------------------------------------------------------------------------

         Key: BEEHIVE-952
         URL: http://issues.apache.org/jira/browse/BEEHIVE-952
     Project: Beehive
        Type: Bug
  Components: NetUI  
    Versions: V1    
 Environment: Tomcat
    Reporter: Rich Feit
 Assigned to: Rich Feit 
     Fix For: 1.1


Repro:
    - Make sure you are not running in production mode.  By default, this is based on not passing "-ea" when starting the server.
    - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
    - Hit a URL like this one:
             http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert Window')</script>.do

EXPECTED: an error that says:
    There is no Struts module configuration registered for /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path /crossSiteScriptingAttack/alert('hi')<).

ACTUAL: an error that says:
    There is no Struts module configuration registered for /crossSiteScriptingAttack/.do (module path /crossSiteScriptingAttack/alert('hi')<).
 ...and, the script EXECUTES on the client -- you see a browser alert box that says "hi".

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

[jira] Commented: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode

Posted by "Rich Feit (JIRA)" <de...@beehive.apache.org>.

    [ http://issues.apache.org/jira/browse/BEEHIVE-952?page=comments#action_12330315 ] 

Rich Feit commented on BEEHIVE-952:
-----------------------------------

The URL got encoded by JIRA. It should be this:

http://localhost:8080/myWebApp/crossSiteScriptingAttack/%3Cscript%3Ealert('hi')%3C/script%3E.do

> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
>          Key: BEEHIVE-952
>          URL: http://issues.apache.org/jira/browse/BEEHIVE-952
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: V1
>  Environment: Tomcat
>     Reporter: Rich Feit
>     Assignee: Rich Feit
>      Fix For: 1.1

>
> Repro:
>     - Make sure you are not running in production mode.  By default, this is based on not passing "-ea" when starting the server.
>     - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
>     - Hit a URL like this one:
>              http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert Window')</script>.do
> EXPECTED: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path /crossSiteScriptingAttack/alert('hi')<).
> ACTUAL: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/.do (module path /crossSiteScriptingAttack/alert('hi')<).
>  ...and, the script EXECUTES on the client -- you see a browser alert box that says "hi".

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

[jira] Resolved: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode

Posted by "Rich Feit (JIRA)" <de...@beehive.apache.org>.

     [ http://issues.apache.org/jira/browse/BEEHIVE-952?page=all ]
     
Rich Feit resolved BEEHIVE-952:
-------------------------------

    Resolution: Fixed
     Assign To: Alejandro Ramirez  (was: Rich Feit)

This is fixed with revision 355003.

> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
>          Key: BEEHIVE-952
>          URL: http://issues.apache.org/jira/browse/BEEHIVE-952
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: V1
>  Environment: Tomcat
>     Reporter: Rich Feit
>     Assignee: Alejandro Ramirez
>      Fix For: 1.1

>
> Repro:
>     - Make sure you are not running in production mode.  By default, this is based on not passing "-ea" when starting the server.
>     - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
>     - Hit a URL like this one:
>              http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert Window')</script>.do
> EXPECTED: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path /crossSiteScriptingAttack/alert('hi')<).
> ACTUAL: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/.do (module path /crossSiteScriptingAttack/alert('hi')<).
>  ...and, the script EXECUTES on the client -- you see a browser alert box that says "hi".

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

[jira] Closed: (BEEHIVE-952) Potential cross-site-scripting vulnerability when not in production mode

Posted by "Julie Zhuo (JIRA)" <de...@beehive.apache.org>.

     [ http://issues.apache.org/jira/browse/BEEHIVE-952?page=all ]
     
Julie Zhuo closed BEEHIVE-952:
------------------------------


Verified with rev374070. This is no alert appear. The error msg occured on the console looks good.

01 Feb 2006 15:27:45,402 ERROR AutoRegisterActionServlet []: No module configuration registered for /
crossSiteScriptingAttack/<script>alert('AlertWindow')</script>.do (module path /crossSiteScriptingAtt
ack/<script>alert('AlertWindow')<).
01 Feb 2006 15:27:45,412 ERROR InternalUtils   []: Error (message key PageFlow_NoModuleConf) occurred
.  Response error was set to 404

> Potential cross-site-scripting vulnerability when not in production mode
> ------------------------------------------------------------------------
>
>          Key: BEEHIVE-952
>          URL: http://issues.apache.org/jira/browse/BEEHIVE-952
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: V1
>  Environment: Tomcat
>     Reporter: Rich Feit
>     Assignee: Julie Zhuo
>      Fix For: 1.0.1

>
> Repro:
>     - Make sure you are not running in production mode.  By default, this is based on not passing "-ea" when starting the server.
>     - Start up a Beehive-enabled webapp (named 'myWebapp' in this example).
>     - Hit a URL like this one:
>              http://localhost:8080/myWebapp/crossSiteScriptingAttack/<script>alert('Alert Window')</script>.do
> EXPECTED: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/<script>alert('hi')</script>.do (module path /crossSiteScriptingAttack/alert('hi')<).
> ACTUAL: an error that says:
>     There is no Struts module configuration registered for /crossSiteScriptingAttack/.do (module path /crossSiteScriptingAttack/alert('hi')<).
>  ...and, the script EXECUTES on the client -- you see a browser alert box that says "hi".

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira