Console's web interface is not protected against XSS attacks. ------------------------------------------------------------- Key: JBADMCON-150 URL: http://jira.jboss.com/jira/browse/JBADMCON-150 Project: JBoss Admin Console Issue Type: Bug Components: General Console Reporter: Roman Arkhangelskiy After having been run on JBoss Admin Console source code, Jtest's BugDetective feature reported a lot of places (29 speaking precisely) that make the console vulnerable to XSS attacks. There are quite a few places where some data being obtained from servlet request are then published to a web-page without any prior validation. Such approach makes it possible for the malicious user to perform an XSS attack. I realize that the admin console itself represents an area with the restricted access, but I can also envision a situation when the UI of the administrative module does not allow any harmful action to be performed, but it is possible to use a kind of specific http-client to construct dangerous requests. So from technical point of view any data coming from client should be validated before their further use even in restricted areas. Below goes an example from the code: file: console/src/resources/weconsole.war/TopicSubscriptions.jsp At the line #86 variable 'myUrl' is being published without any prior validation. But the validation is necessary since at line #10 this variable gets tainted by its concatenation with the 'objParameter' variable which is considered tainted since its value is in fact a result of request.getParameter("ObjectName") method call. The screenshot provided by BugDetective is attached. Please let me know if you think this represents a real problem or BugDetective is mistaken. Thank you! -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira