XSS Bug in printable link display


    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • 2.6.1
    • Affects Version/s: 2.5.7
    • Component/s: None
    • Environment:

      Solaris 10, JDK 1.5.0_12, SunOne WebServer 6.1 SP8

Description:

      A cross-site scripting vulnerability exists in the macro used to render the 'printable' link.

      Here is an exploit for the vulnerability that works:

      https://servername/wiki/display/a/2007/09/%22%3E%3Cscript%3Ealert('Watchfire%20XSS%20Test%20Successful')%3C/script%3E

      Bug was found using AppScan.

Attachments:

        1. appscan.wiki.doc (361 kB) - Wyatt Crossin
        2. printable-icon-xss.patch (1 kB) - Matt Ryall
        3. wiki.appscan.doc (118 kB) - Wyatt Crossin
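The attribute breakout the reported URL relies on, as an added example that is not Confluence's code and not the attached patch: a hypothetical stand-in for a template that splices the request path into the printable link's href unencoded, beside a hardened version that percent-encodes the path for the URL context and then HTML-encodes it for the attribute context. The render functions, the `?decorator=printable` suffix and the parser helpers are assumptions for illustration; the payload is the one from the report, constructed inline.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Constructed input: the path from the exploit URL in the report, URL-decoded
# as a servlet container would present it to the page template.
EXPLOIT_PATH = unquote(
    "/wiki/display/a/2007/09/%22%3E%3Cscript%3Ealert('Watchfire%20XSS%20Test%20Successful')%3C/script%3E"
)

# Assumed suffix that selects the printable view; illustrative only.
PRINTABLE_SUFFIX = "?decorator=printable"


def render_printable_link_vulnerable(request_path: str) -> str:
    """Hypothetical stand-in for the unpatched template: the raw request path
    is concatenated into a double-quoted href, so a %22 in the URL closes the
    attribute and everything after it is parsed as markup."""
    return '<a href="' + request_path + PRINTABLE_SUFFIX + '">Printable</a>'


def render_printable_link_fixed(request_path: str) -> str:
    """Hardened version. Two contexts, two encodings: the path is first
    percent-encoded for the URL context (quote keeps '/' so the path still
    resolves), then HTML-encoded for the attribute context (html.escape with
    quote=True turns any remaining '"' into &quot;). After quote() nothing
    dangerous is left, but the second step keeps the template safe if a
    caller ever passes a value that was not percent-encoded."""
    safe_path = html.escape(quote(request_path, safe="/"), quote=True)
    return '<a href="' + safe_path + PRINTABLE_SUFFIX + '">Printable</a>'


class _TagCollector(HTMLParser):
    """Records start tags and the href of the first <a>, to observe how a
    browser-like parser reads each rendering."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.first_href = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a" and self.first_href is None:
            self.first_href = dict(attrs).get("href")


def script_tags(markup: str) -> int:
    """Number of <script> start tags a parser finds in the rendered link."""
    p = _TagCollector()
    p.feed(markup)
    return p.tags.count("script")


def href_round_trips(markup: str, request_path: str) -> bool:
    """True if the link survives intact: decoding the path part of the first
    <a>'s href gives back exactly the original request path. The vulnerable
    rendering fails this because the href is cut off at the injected quote."""
    p = _TagCollector()
    p.feed(markup)
    if p.first_href is None:
        return False
    return unquote(p.first_href.split("?", 1)[0]) == request_path


if __name__ == "__main__":
    for name, render in (("vulnerable", render_printable_link_vulnerable),
                         ("fixed", render_printable_link_fixed)):
        out = render(EXPLOIT_PATH)
        print(name, "script tags:", script_tags(out),
              "href intact:", href_round_trips(out, EXPLOIT_PATH))
        print("  ", out)
```

Running the block shows the vulnerable rendering yielding one `<script>` element and a truncated href, while the hardened rendering yields none and an href that decodes back to the requested path, which is the property a regression test for the attached patch would want to check.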

              Assignee: m@ (Inactive)
              Reporter: Wyatt Crossin
              Votes: 0
              Watchers: 1


                  Estimated: 2h
                  Remaining: 2h
                  Logged: Not Specified