Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.4.4
Affects Version/s: 2.3.3
Component/s: None
Labels:
- affects-server
Environment:

Install at http://docs.pythonweb.org

This works: http://docs.pythonweb.org/spaces/usage/report.action?key=pylonscookbook

I change the date with a link to get: http://docs.pythonweb.org/spaces/usage/report.action?key=pylonscookbook&period=week&date=20070311

XSS:

period=HTML_HERE
http://docs.pythonweb.org/spaces/usage/report.action?key=pylonscookbook&period=<script>alert("lol")</script>&date=20070311

Exception throwing:

date=NOT_A_NUMBER
http://docs.pythonweb.org/spaces/usage/report.action?key=pylonscookbook&period=week&date=LOL

Also the exception page does not encode HTML tags so this will work:
http://docs.pythonweb.org/spaces/usage/report.action?key=pylonscookbook&period=week&date=LOL<script>alert("lol")</script>

Assignee:: Matt Ryall
Reporter:: Piotr
Votes:: 0 Vote for this issue
Watchers:: 0 Start watching this issue

Created:: 22/Mar/2007 5:47 PM
Updated:: 11/Oct/2018 8:55 AM
Resolved:: 11/Oct/2007 6:52 AM