Posted to jetspeed-dev@portals.apache.org by Santiago Gala <sg...@apache.org> on 2007/03/02 09:31:17 UTC

Cross Site Scripting Vulnerability [was: Filter URLs]

On Tue, 27-02-2007 at 15:23 +0100, Eric Nolte wrote:
> Hi,
> 
> it seems that Jetspeed in its default configuration is vulnerable to
> cross-site scripting like this:
> http://localhost:8080/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e
> 
> My question is how can I prevent this?
> One possibility is to write a valve and filter the URL. Depending on
> the pattern of the URL I can reject the request.
> 
> Do you have a better idea how to solve this or is there already a
> common way for doing this?
> 

Could you please report it as a JIRA issue? IMO this is a blocker if it
is still present in 2.1rc*

Regards
Santiago

> Thanks in advance.
> 
> Regards,
>  Eric
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Re: Cross Site Scripting Vulnerability [was: Filter URLs]

Posted by jetspeed <an...@rediffmail.com>.


Hi,
I am using Jetspeed 2.2.2 (downloaded last week) and I'm a newbie. When I
try to access Jetspeed with an XSS attack as
http://localhost:8080/jetspeed/portal/F6%22%20onmouseover=prompt(900041)%20
I'm seeing the attack is allowed. My guess is it is not resolved yet.
Jetspeed is able to handle the attack with '<' or '>' signs, but when the
onmouseover function is used, Jetspeed fails to prevent the attack.

As I said, I'm a newbie and I might be missing something. If anyone knows how
this can be prevented, it would be of great help.

Thanks in advance
-- 
View this message in context: http://old.nabble.com/Cross-Site-Scripting-Vulnerability--was%3A-Filter-URLs--tp9265898p34576167.html
Sent from the Jetspeed - Dev mailing list archive at Nabble.com.
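
Added example, not code from Jetspeed or from anyone in this thread: it contrasts a filter that only removes '<' and '>' with output encoding for a quoted HTML attribute, using the two request paths quoted in this thread. The template in render(), the angle-bracket filter and all method names are assumptions made for illustration; the thread does not show where Jetspeed reflected the path or how the fix works.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class AttributeEncodingDemo {
    // Assumed weak filter (illustration only): drops angle brackets, nothing else.
    static String stripAngleBrackets(String s) {
        return s.replace("<", "").replace(">", "");
    }

    // Output encoding for a value placed inside a quoted HTML attribute.
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical template: the request path reflected into a double-quoted href.
    static String render(String value) {
        return "<a href=\"" + value + "\">page</a>";
    }

    // A raw double quote in the value ends the attribute early.
    static boolean closesAttribute(String value) {
        return value.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        String[] rawPaths = {  // the two request paths quoted in this thread
            "/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e",
            "/jetspeed/portal/F6%22%20onmouseover=prompt(900041)%20"
        };
        for (String raw : rawPaths) {
            String path = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            String filtered = stripAngleBrackets(path);
            String encoded = encodeForHtmlAttribute(path);
            System.out.println("filtered: " + render(filtered)
                + "  closesAttribute=" + closesAttribute(filtered));
            System.out.println("encoded:  " + render(encoded)
                + "  closesAttribute=" + closesAttribute(encoded));
        }
    }
}
```

With the bracket-only filter the decoded double quote survives in both paths, so the reflected value can still end the attribute; with attribute encoding the quote is emitted as an entity and the whole path stays inside the href value.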




Re: Cross Site Scripting Vulnerability [was: Filter URLs]

Posted by jetspeed <an...@rediffmail.com>.
Hi,
Does anyone know whether it is fixed? I saw in Apache sites, but when I try
the URL below, I still see the issue.
http://localhost:8080/jetspeed/portal/F6%22%20onmouseover=prompt(900041)%20

Please help
regards
anushh


-- 
View this message in context: http://old.nabble.com/Cross-Site-Scripting-Vulnerability--was%3A-Filter-URLs--tp9265898p34576100.html
Sent from the Jetspeed - Dev mailing list archive at Nabble.com.




Re: Cross Site Scripting Vulnerability [was: Filter URLs]

Posted by Ate Douma <at...@douma.nu>.
I opened a new JIRA issue for it: https://issues.apache.org/jira/browse/JS2-656, as well as committed a fix :)
The reported vulnerability is no longer possible.

Regards, Ate

David Sean Taylor wrote:
> We're working on a fix, thanks


Re: Cross Site Scripting Vulnerability [was: Filter URLs]

Posted by David Sean Taylor <da...@bluesunrise.com>.
We're working on a fix, thanks


-- 
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
[office] +01 707 773-4646
[mobile] +01 707 529 9194




