[richfaces-issues] [JBoss JIRA] Reopened: (RF-4713) hidden field javax.faces.ViewState is not sanitized
Dmytro Lisnichenko (JIRA)
jira-events at lists.jboss.org
Tue Feb 9 15:32:18 EST 2010
[ https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dmytro Lisnichenko reopened RF-4713:
------------------------------------
> hidden field javax.faces.ViewState is not sanitized
> ---------------------------------------------------
>
> Key: RF-4713
> URL: https://jira.jboss.org/jira/browse/RF-4713
> Project: RichFaces
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 3.2.2
> Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
> Reporter: Gerrit Brehmer
> Assignee: Tsikhon Kuprevich
> Priority: Critical
> Fix For: 3.3.0
>
>
> We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting Problem:
> If I attach the following at any JSF site url I get a javascript popup:
> ?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the richfaces-issues
mailing list