ICEfaces issue ICE-10990

Using ice.window Parameter to Cross Site Script

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: EE-4.0.0.GA
    • Fix Version/s: None
    • Component/s: Framework
    • Labels: None
    • Environment: Application Server : IBM WAS 8.5, OS : Windows Server 2012

      Description

      We have an issue that appeared in a penetration test. The QA tester uses the ice.window parameter to cross-site script the application. When he appends ?ice.window='-alert(1)-' to the URL, the JavaScript code executes.

      Example : http://localhost:8080/login.xhtml?ice.window='-prompt(111)-'

      A prompt window pops up in the page.

      How can we prevent it?
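The payload shape in the report (a quote, a minus sign, a call, a minus sign, a quote) is the classic way to break out of a JavaScript string literal, so the value is evidently reflected into a script context without escaping. The following is an added example, not ICEfaces code, showing the two defensive controls a reviewer would ask for: reject any window id that does not match an allowlist, and escape whatever is emitted into the JavaScript string so it can only ever be data. The window-id format (a short alphanumeric token), the `WindowParamHardening` class and its method names, and the exact way the framework embeds the value are assumptions made for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example (not ICEfaces code): defensive handling of a request
 * parameter that a page reflects into a JavaScript string literal.
 * The window-id format and the embedding context are assumptions.
 */
public class WindowParamHardening {

    // Assumed allowlist: treat a window id as a short alphanumeric token.
    // Anything else is rejected instead of being echoed back.
    private static final Pattern WINDOW_ID = Pattern.compile("^[A-Za-z0-9]{1,16}$");

    public static boolean isValidWindowId(String value) {
        return value != null && WINDOW_ID.matcher(value).matches();
    }

    /** Vulnerable pattern: raw concatenation into a JS string literal. */
    public static String renderUnsafe(String windowId) {
        return "<script>var iceWindow = '" + windowId + "';</script>";
    }

    /**
     * Escape for a JavaScript string-literal context. Every character that
     * could end the literal, end the script block, or start a new statement
     * (quotes, '<', '-', parentheses, line breaks, ...) is emitted as a
     * \xHH or \uHHHH escape, so the browser only ever sees inert string data.
     */
    public static String escapeForJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                        || (c >= '0' && c <= '9') || c == ',' || c == '.' || c == '_';
            if (safe) {
                out.append(c);
            } else if (c < 0x100) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    /** Hardened pattern: validate first, then escape whatever is emitted. */
    public static String renderSafe(String windowId) {
        if (!isValidWindowId(windowId)) {
            // Reject the value rather than reflecting attacker-controlled input.
            windowId = "";
        }
        return "<script>var iceWindow = '" + escapeForJsString(windowId) + "';</script>";
    }

    public static void main(String[] args) {
        // Constructed input: the value from the report, URL-decoded.
        String payload = "'-alert(1)-'";
        System.out.println("unsafe : " + renderUnsafe(payload));
        System.out.println("safe   : " + renderSafe(payload));
        System.out.println("escaped: " + escapeForJsString(payload));
        System.out.println("valid id accepted: " + isValidWindowId("a7Kx"));
    }
}
```

Validation is the primary control here, since a window id has a known shape and there is no reason to accept arbitrary text; the escaper is the second layer so that a value which does reach the page cannot terminate the string or the script element. In a real deployment the escaping should come from a maintained library rather than a hand-written routine, and the fix belongs in the framework code that writes the parameter into the page, not only in application code.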

        Activity

        Ahmad Abu Alnassr created issue
        Ken Fyten made changes:
        Field      | Original Value | New Value
        Status     | Open [ 1 ]     | Closed [ 6 ]
        Resolution |                | Duplicate [ 3 ]

          People

          • Assignee: Unassigned
          • Reporter: Ahmad Abu Alnassr
          • Votes: 0
          • Watchers: 2
