[jboss-jira] [JBoss JIRA] (AS7-4929) JBoss7 Fails ASV Scan Report Attestation of Scan Compliance

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Thu May 31 10:46:18 EDT 2012


    [ https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12697571#comment-12697571 ] 

Darran Lofthouse commented on AS7-4929:
---------------------------------------

I would suggest if you detect a possible vulnerability in your own site that you should refrain from publicly posting the URL to that site along with any report of the vulnerability.

Do you have the details of the full request that is sent to trigger this?  Trying the URL in your original comment does not result in an error page with the word DEFACED highlighted; however, any escaping may have been lost in the conversion to Jira - ideally attach a text file containing the full request that is reported to reproduce this.

> JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
> -----------------------------------------------------------
>
>                 Key: AS7-4929
>                 URL: https://issues.jboss.org/browse/AS7-4929
>             Project: Application Server 7
>          Issue Type: Quality Risk
>    Affects Versions: 7.0.2.Final
>         Environment: Centos
>            Reporter: Carlos Oliva
>              Labels: jboss
>
> ASV Scan Report Attestation of Scan Compliance.  Vulnerabilities Noted for each IP Address
> https (tcp/443)
> GET
> /LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
> 4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
> YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
> cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
> VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
> ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
> MyWebServer 1.0.2 is vulnerable to HTML
> injection. Upgrade to a later version.
> CVE-2002-1453
> Medium 4.3 Fail
> http (tcp/80)
> GET
> /LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
> dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
> MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
> LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
> hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
> bTukJXDoo<font%20size=50>DEFACED<!--//-- :
> MyWebServer 1.0.2 is vulnerable to HTML
> injection. Upgrade to a later version.
> CVE-2002-1453
