[richfaces-issues] [JBoss JIRA] Commented: (RF-4713) hidden field javax.faces.ViewState is not sanitized

Gerrit Brehmer (JIRA) jira-events at lists.jboss.org
Fri Oct 24 05:02:21 EDT 2008


    [ https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12435317#action_12435317 ] 

Gerrit Brehmer commented on RF-4713:
------------------------------------

Yes, I cannot reproduce if this parameter is disabled. We could change this parameter yesterday because we had fixed an internal exception handling/redirect problem. So for us this "workaround" is enough. Thanks!
The security tests were on our Production System with an older version of our web.xml. So in the latest snapshot of our software the failure is gone!

> hidden field javax.faces.ViewState is not sanitized
> ---------------------------------------------------
>
>                 Key: RF-4713
>                 URL: https://jira.jboss.org/jira/browse/RF-4713
>             Project: RichFaces
>          Issue Type: Bug
>    Affects Versions: 3.2.2
>         Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3 
>            Reporter: Gerrit Brehmer
>            Assignee: Nick Belaevski
>            Priority: Critical
>             Fix For: 3.3.0
>
>
> We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting problem:
> If I attach the following to any JSF site URL I get a JavaScript popup:
> ?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
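The defect described in the issue is that the value of the javax.faces.ViewState request parameter is copied verbatim into the value attribute of the hidden input, so a double quote in the parameter closes the attribute and the rest of the value is parsed as new markup. The following is an added example, not RichFaces or JSF project code: it puts the 'before' renderer next to one that escapes the value for the HTML-attribute context, and runs both on the issue's own (URL-decoded) parameter value. The class and method names are assumptions chosen for the example; the escape routine is a minimal one written here, and a real project would use its framework's or a maintained library's attribute encoder.

```java
// Added example, not RichFaces/JSF code. Models the issue: the ViewState
// request value is written back into a hidden <input> attribute.
public class ViewStateEscapeDemo {

    // Minimal HTML-attribute encoder for the example: replaces the five
    // characters that can terminate or alter a double-quoted attribute.
    static String escapeAttribute(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // 'Before': the reported behaviour, value concatenated into the attribute.
    static String renderHiddenFieldUnsafe(String viewState) {
        return "<input type=\"hidden\" name=\"javax.faces.ViewState\" value=\""
                + viewState + "\" />";
    }

    // 'After': identical markup, value escaped for the attribute context.
    static String renderHiddenFieldSafe(String viewState) {
        return "<input type=\"hidden\" name=\"javax.faces.ViewState\" value=\""
                + escapeAttribute(viewState) + "\" />";
    }

    // Structural check usable in a unit test: a correctly rendered hidden
    // field contains exactly one '<', the one opening the <input> tag.
    static boolean isSingleTag(String html) {
        return html.indexOf('<') == 0 && html.indexOf('<', 1) == -1;
    }

    public static void main(String[] args) {
        // Constructed input: the issue's parameter value after URL decoding
        // ('+' becomes a space).
        String reported = "j_id1s\"/><img src=XX onerror=alert(1)>";

        String unsafe = renderHiddenFieldUnsafe(reported);
        String safe = renderHiddenFieldSafe(reported);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);

        // The unescaped output contains a second tag; the escaped one does not.
        if (isSingleTag(unsafe)) {
            throw new AssertionError("expected attribute breakout in unsafe output");
        }
        if (!isSingleTag(safe)) {
            throw new AssertionError("escaped output must render as a single tag");
        }
        // Escaping is lossless: the browser will submit the original value back.
        if (!safe.contains("&quot;/&gt;&lt;img")) {
            throw new AssertionError("expected entity-encoded value in safe output");
        }
    }
}
```

Run with `javac ViewStateEscapeDemo.java && java ViewStateEscapeDemo`. The isSingleTag check is the kind of assertion a regression test for this issue can apply to the rendered form: the decoded ViewState value is free text from the request, so the only tag in the fragment must be the input element itself.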

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira