
Key: JRA-10542
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Sam Chang [Atlassian]
Reporter: Anton Mazkovoi [Atlassian]
Votes: 0
Watchers: 0
JIRA

Request parameters are not HTML encoded on the 500 page

Created: 04/Jul/06 09:45 PM   Updated: 16/Aug/06 09:33 PM
Component/s: Web interface
Affects Version/s: 3.6.2
Fix Version/s: 3.6.3

Time Tracking:
Not Specified

Issue Links:
Duplicate
 

Participants: Anton Mazkovoi [Atlassian], Nick Menere [Atlassian] and Sam Chang [Atlassian]
Since last comment: 2 years, 46 weeks ago
Resolution Date: 05/Jul/06 01:05 AM
Labels:


Description
The 500 page in JIRA lists the request parameters, but does not HTML-encode them. This can lead to cross-site scripting.

Sam Chang [Atlassian] added a comment - 05/Jul/06 01:05 AM
HTML-encoded the request parameters on the 500 page.

Nick Menere [Atlassian] added a comment - 16/Aug/06 09:32 PM
This was reported on Secunia and has since been resolved. This XSS issue is no longer an issue.

Cheers,
Nick