ICEfaces
  1. ICEfaces
  2. ICE-10990

Using ice.window Parameter to Cross Site Script

          Details

          • Type: Bug Bug
          • Status: Closed
          • Priority: Major Major
          • Resolution: Duplicate
          • Affects Version/s: EE-4.0.0.GA
          • Fix Version/s: None
          • Component/s: Framework
          • Labels:
            None
          • Environment:
            Application Server : IBM WAS 8.5, OS : Windows Server 2012

            Description

            We have an issue appeared in penetration test. The QA uses ice.window parameter to cross-site script the application. When he appends ?ice.window='-alert(1)-' to the URL the JavaScript code executes

            Example : http://localhost:8080/login.xhtml?ice.window='-prompt(111)-'

            A prompt window pops up in the page.

            How we can prevent it?

              Activity

              Hide
              Permalink
              Ken Fyten added a comment -

              Resolved via ICE-10998.

              Show
              Ken Fyten added a comment - Resolved via ICE-10998 .

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  Ahmad Abu Alnassr
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: