
eyebrowse
Discussion topic


[Issue 424] New - Cross site scripting problem with SearchList function


Author erikabele
Full name Erik Abele
Date 2003-10-17 17:57:06 PDT
Message http://eyebrowse.tigris.org/issues/show_bug.cgi?id=424
                  Issue #:|424
                  Summary:|Cross site scripting problem with SearchList function
                Component:|eyebrowse
                  Version:|current
                 Platform:|All
                      URL:|http://nagoya.apache.org/eyebrowse/SearchList?listName=announce at apache dot org
               OS/Version:|All
                   Status:|NEW
        Status whiteboard:|
                 Keywords:|
               Resolution:|
               Issue type:|DEFECT
                 Priority:|P1
             Subcomponent:|src
              Assigned to:|aguenther
              Reported by:|erikabele

------- Additional comments from erikabele at tigris dot org Fri Oct 17 17:57:05 -0700 2003 -------
The following report was originally submitted to webmaster {at} apache.org. Additional information
regarding the possible security implications (CSS) can be found at the following URLs:

http://httpd.apache.org/info/css-security/
http://httpd.apache.org/info/css-security/encoding_examples.html
http://httpd.apache.org/info/css-security/apache_specific.html

--

From: Daniel Naber <daniel.naber@t-online.de>
To: webmaster at apache dot org
Subject: Cross site scripting problem with your search
Date: Fri, 17 Oct 2003 22:45:47 +0200
Message-Id: <200310172245.47789 at danielnaber dot de>

Hi,

Your search function on nagoya.apache.org can be tricked to include HTML
and Javascript code in the result page. You'll see this when you do a
search for

"><i>outside form

You'll see that a part of this search query appears outside the text field,
obviously because the " isn't escaped to &quot; (etc).

The page I used to test this is
http://nagoya.apache.org/eyebrowse/SearchList?listName=lucene-user@jakarta.apache.org

This could become a security issue, so I suggest fixing this problem.

Regards
 Daniel

--
http://www.danielnaber.de

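As an added illustration (not code from the eyebrowse project or from this report), the fix the report asks for: escape the echoed search string before it is placed inside the input's value attribute, so a `"` in the query cannot close the attribute early. The form field name `query` is a placeholder; the sample input is the search string quoted in the report.

```python
import html
import re

# Constructed sample: the search string from the report above.
REPORTED_QUERY = '"><i>outside form'


def render_search_field_vulnerable(query: str) -> str:
    """Mirrors the reported behaviour: the query is echoed verbatim, so the
    first double quote in it terminates the value attribute."""
    return f'<input type="text" name="query" value="{query}">'


def escape_attr(value: str) -> str:
    """Escape & < > " ' so the text can only ever be attribute content."""
    return html.escape(value, quote=True)


def render_search_field_fixed(query: str) -> str:
    """Same field, with the query escaped before it is interpolated."""
    return f'<input type="text" name="query" value="{escape_attr(query)}">'


def attribute_value(rendered: str) -> str:
    """What a browser takes as the value: text up to the next raw quote."""
    match = re.search(r'value="([^"]*)"', rendered)
    return match.group(1) if match else ""


def leaks_markup(rendered: str) -> bool:
    """True when anything from the query lands outside the <input> tag,
    i.e. a '<' appears after the first '>' closes the tag."""
    tag_end = rendered.find(">")
    return "<" in rendered[tag_end + 1:]


def round_trips(query: str) -> bool:
    """The escaped attribute decodes back to exactly the submitted query,
    so the user still sees their search term, just without breakout."""
    return html.unescape(attribute_value(render_search_field_fixed(query))) == query


if __name__ == "__main__":
    print("vulnerable:", render_search_field_vulnerable(REPORTED_QUERY))
    print("fixed:     ", render_search_field_fixed(REPORTED_QUERY))
```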
