XSS Bug in printable link display

XMLWordPrintable

    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • 2.6.1
    • Affects Version/s: 2.5.7
    • Component/s: None
    • Environment:

      Solaris 10, JDK 1.5.0_12, SunOne WebServer 6.1 SP8

      A Cross sites scripting vulnerability exists in macro used to render the 'printable' link.

      Here is an exploit for the vulnerability that works

      https://servername/wiki/display/a/2007/09/%22%3E%3Cscript%3Ealert('Watchfire%20XSS%20Test%20Successful')%3C/script%3E

      Bug was found using APPScan.

        1. appscan.wiki.doc
          361 kB
          Wyatt Crossin
        2. printable-icon-xss.patch
          1 kB
          Matt Ryall
        3. wiki.appscan.doc
          118 kB
          Wyatt Crossin

            Assignee:
            m@ (Inactive)
            Reporter:
            Wyatt Crossin
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 2h
                2h
                Remaining:
                Remaining Estimate - 2h
                2h
                Logged:
                Time Spent - Not Specified
                Not Specified