[jboss-jira] [JBoss JIRA] (AS7-4929) JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Thu May 31 11:22:19 EDT 2012
[ https://issues.jboss.org/browse/AS7-4929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12697603#comment-12697603 ]
Darran Lofthouse commented on AS7-4929:
---------------------------------------
Thanks for the attachment - I still cannot reproduce anything here.
Do you have support for the tool you are using? I think really you are going to need to follow up with the supplier of the scanning utility to verify exactly how it is identifying the failure.
The report itself is actually for a specific web server which is not JBoss AS - when I test this myself the contents of the URL are appropriately escaped in the error message, so they do not form any type of HTML injection into the error message which is displayed.
> JBoss7 Fails ASV Scan Report Attestation of Scan Compliance
> -----------------------------------------------------------
>
> Key: AS7-4929
> URL: https://issues.jboss.org/browse/AS7-4929
> Project: Application Server 7
> Issue Type: Quality Risk
> Affects Versions: 7.0.2.Final
> Environment: Centos
> Reporter: Carlos Oliva
> Labels: jboss
> Attachments: Scan Failure report.pdf
>
>
> ASV Scan Report Attestation of Scan Compliance. Vulnerabilities Noted for each IP Address
> https (tcp/443)
> GET
> /LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci
> 4zxnjnmPAmXpdcnGMYmVwDfBGtXI6zXgIJ1YC8lqJ0T
> YlUP8hajSNTWZJH7RUk1K6JHLGgGnDaMfSojaxweHvj
> cnRe3KKTJ8miLU3U3XnS4KZ4bihRqT2rIkowzQJHSk9
> VbbQ26pdrzLoImGB4v9lqUFyewXsahnz55dwjEDBNRE
> ZEbS7b67a<font%20size=50>DEFACED<!--//-- :
> MyWebServer 1.0.2 is vulnerable to HTML
> injection. Upgrade to a later version.
> CVE-2002-1453
> Medium 4.3 Fail
> http (tcp/80)
> GET
> /LNSAZoL2iuV3PmcrZl0W5YhMwILOBPbZwzEHVi5QAM
> dlOJcFL6Y0Ihv21bU7R3461Q80T3CFq9WqFvx3lfcgs
> MIZ4MDac8YVcxkBralskmulwlrf5JnvLuewKZ402AkB
> LBIK0CZY7ajOn7U9xzZ0LAgwAzrUaw9UViczNtTyvEK
> hm7WnyF5dfR084QH966s324XgjXktxVXXaqe7xtf3d5
> bTukJXDoo<font%20size=50>DEFACED<!--//-- :
> MyWebServer 1.0.2 is vulnerable to HTML
> injection. Upgrade to a later version.
> CVE-2002-1453
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
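The check the comment describes (whether the requested path is HTML-escaped when it is reflected into the error page) as an added example; this is not code from the issue or from JBoss AS. The probe path is modelled on the scanner request quoted above, the two sample error pages are constructed, and `fetch_error_page` assumes a base URL of a server you administer.

```python
import html
import urllib.error
import urllib.parse
import urllib.request

# Probe path modelled on the scanner's request quoted in the issue: a long
# random-looking segment followed by an HTML fragment (constructed, shortened).
PROBE_PATH = "/LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci<font%20size=50>DEFACED<!--//--"

# Constructed sample error pages (not captured from any server) for both outcomes.
SAFE_404 = ("<html><body><h1>HTTP Status 404 - /LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci"
            "&lt;font size=50&gt;DEFACED&lt;!--//--</h1></body></html>")
VULNERABLE_404 = ("<html><body><h1>HTTP Status 404 - /LETtoaCuluFoy4DePCwPLiT0HI1s36zHz9s712uSci"
                  "<font size=50>DEFACED<!--//--</h1></body></html>")


def html_fragment(probe_path: str) -> str:
    """Return the HTML part of the probe as the server sees it after URL decoding."""
    decoded = urllib.parse.unquote(probe_path)
    return decoded[decoded.index("<"):]


def classify_reflection(probe_path: str, body: str) -> str:
    """Classify how the probe's HTML fragment appears in a response body:
    'unescaped' (the scanner's finding would be real), 'escaped' (what the comment
    reports for AS7: shown as literal text) or 'absent' (not reflected at all)."""
    fragment = html_fragment(probe_path)
    if fragment in body:
        return "unescaped"
    if html.escape(fragment, quote=False) in body:
        return "escaped"
    return "absent"


def fetch_error_page(base_url: str, probe_path: str, timeout: float = 10.0) -> str:
    """GET the probe path from a server you administer and return the body,
    including the body of 4xx/5xx responses, which is where the reflection lives."""
    req = urllib.request.Request(base_url.rstrip("/") + probe_path)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for name, body in (("safe", SAFE_404), ("vulnerable", VULNERABLE_404)):
        print(name, "->", classify_reflection(PROBE_PATH, body))
```

Running `classify_reflection(PROBE_PATH, fetch_error_page("https://your-host", PROBE_PATH))` against your own instance answers the question the scanner's report leaves open: "escaped" matches what the comment reports for AS7, "unescaped" would confirm the finding.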