View Revisions: Issue #12034
Summary: 0012034: Cross-site Scripting in the generated xxx_Relation.html files
Revision: 2011-11-22 18:29 by shuehner
Steps To Reproduce: The TamperData plugin for Firefox or another proxy will be needed to reproduce. Visit i.e. /openbravo/Message/Message_Relation.html while using TamperData to set inpParamSessionDate to: inpParamSessionDate=>%22%27><img%20src%3d%22javascript:alert('XSS')%22>
Revision: 2011-11-22 18:29 by shuehner
Steps To Reproduce: The TamperData plugin for Firefox or another proxy will be needed to reproduce. Visit /openbravo/Message/Message_Relation.html while using TamperData to set inpParamSessionDate to: inpParamSessionDate=>%22%27><img%20src%3d%22javascript:alert('XSS')%22>
Revision: 2011-11-22 18:29 by shuehner
Description: The value of inpParamSessionDate is not validated/escaped to prevent malicious code from being executed in the browser. The same field is present in all the various xxx_Relation.html files as they are generated at compile time based on a common template. Example URLs where the issue can be reproduced:
  /openbravo/Message/Message_Relation.html
  /openbravo/Reference/Reference_Relation.html
  /openbravo/SystemInfo/SystemInfo_Relation.html
  /openbravo/User/User_Relation.html
  /openbravo/Form/Form_Relation.html
Revision: 2011-11-22 18:29 by shuehner
Description: The value of inpParamSessionDate is not validated/escaped to prevent malicious code from being executed in the browser.
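As an added example (not Openbravo's own code), the unescaped pattern the description refers to is shown beside a validate-then-escape version, using the report's own parameter name and decoded payload; the dd-MM-yyyy date format and the hidden-input markup are assumptions.

```python
import html
import re
from urllib.parse import unquote

FIELD_NAME = "inpParamSessionDate"
# The encoded value from the reproduction steps, decoded as the server sees it.
REPORT_PAYLOAD = unquote(">%22%27><img%20src%3d%22javascript:alert('XSS')%22>")

# Assumption: the session date travels as dd-MM-yyyy; adjust to the real format.
DATE_RE = re.compile(r"\d{2}-\d{2}-\d{4}")


def render_unescaped(value: str) -> str:
    """Vulnerable pattern: the request parameter is pasted straight into the page."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{value}">'


def escape_attribute(value: str) -> str:
    """Escape for an HTML attribute context: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def is_valid_session_date(value: str) -> bool:
    """Allow-list check: only a value shaped like a date is accepted."""
    return DATE_RE.fullmatch(value) is not None


def render_hardened(value: str) -> str:
    """Fixed pattern: validate first, then escape whatever is emitted."""
    if not is_valid_session_date(value):
        value = ""  # do not echo unexpected input back at all
    return f'<input type="hidden" name="{FIELD_NAME}" value="{escape_attribute(value)}">'


def breaks_out_of_attribute(markup: str) -> bool:
    """Detection helper: one rendered hidden input must contain exactly one tag."""
    return markup.count("<") != 1
```

The `breaks_out_of_attribute` check is the kind of assertion a test for the generated Relation pages could run over each rendered field.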