Reflected XSS Issue #16605

Open
brentgriffin opened this issue May 21, 2019 · 5 comments

5 participants

@brentgriffin
Contributor

commented May 21, 2019

Reflected XSS issue reported - details for dotCMS engineers here: https://docs.google.com/document/d/1z3Ds1qEA9niL2qgm5VhdG_9s1KK3hS1X0iRh_g5knMw/edit#

wezell added a commit that referenced this issue May 29, 2019

wezell added a commit that referenced this issue May 30, 2019

@jgambarios

Contributor

commented May 31, 2019

PR:
#16644 -> Release 5.1.6
#16650 -> Master

jgambarios added a commit that referenced this issue May 31, 2019

Issue 16605 xss 5.1.6 (#16644)
* #16605 prevent xss for backend traffic

* #16605 preventing xss

* #16605 fixing margin and logging

* #16605 allow interceptor to be turned off

* #16624 fixes unescaped sql call

jgambarios added a commit that referenced this issue May 31, 2019

Issue 16605 xss (#16650)
* #16613 possible fix

* #16624 fixes unescaped sql call

* #16605 prevent xss for backend traffic

* #16605 preventing xss

* #16605 fixing margin and logging

* #16605

* #16605 allow interceptor to be turned off

@bryanboza

Contributor

commented May 31, 2019

After those changes we are unable to access the admin with /c

@jgambarios

Contributor

commented May 31, 2019

PR: #16654

@bryanboza

Contributor

commented May 31, 2019

Fixed, tested in the release branch; now /c works as expected, and we are also blocking the provided URLs.

@bryanboza bryanboza added this to REX in QA Jun 3, 2019

@wezell wezell added this to To do in Release 5.1.6 Jun 4, 2019

@bryanboza bryanboza moved this from To do to Done in Release 5.1.6 Jun 4, 2019

@bryanboza

Contributor

commented Jun 11, 2019

Fixed, tested on master // Postgres // FF

@bryanboza bryanboza added Passed QA and removed Needs QA labels Jun 11, 2019

@bryanboza bryanboza moved this from REX to Done in QA Jun 11, 2019
