HP DevInspect Vulnerability Report
Web site scanned: http://172.16.60.111
Scan start time: 02/28/2008 09:54:58
Scan duration: 0:00:10
Total vulnerabilities detected: 346 (2 distinct)
Vulnerability breakdown by severity:
Critical: 346
High: 0
Medium: 0
Low: 0
Vulnerability breakdown by threat class:
Cross-site Scripting: 159
Abuse of Functionality: 187
Cross-Site Scripting
Severity: Critical
Threat Class: Cross-site Scripting
Location: file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/authors.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-author.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-date.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-subject.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-title.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/no-results.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/subjects.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/collection-home.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/community-home.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/community-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/contact-info.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/ldap-form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/login-form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/controlledvocabulary.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/controlledvocabularyTag.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/results.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/search.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/display-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-advanced.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-collection-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-community-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-item-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-policy-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/collection-select.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/community-select.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/confirm-delete-format.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/confirm-delete-mdfield.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/confirm-delete-mdschema.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-browse.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-confirm-delete.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-deletion-error.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/group-eperson-select.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/group-group-select.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/item-select.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/license-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-formats.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-metadata-fields.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-metadata-schemas.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/news-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/news-main.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-confirm-remove.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-duplicate.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-link.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/upload-logo.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-basicinfo.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-default-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-permissions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-questions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/workflow-abort-confirm.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/workflow-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/404.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/authorize.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/integrity.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/internal.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/invalid-id.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/feedback/form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/help/formats.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/home.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/footer-default.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/header-default.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/location-bar.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/navbar-admin.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/navbar-default.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/chooser.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/incorrect.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/logged-out.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/not-in-records.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/in-archive.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/main.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/own-submissions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/perform-task.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/preview-task.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/reject-reason.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/remove-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/subscriptions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/task-complete.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/already-registered.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/edit-profile.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/forgot-password.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/inactive-account.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/invalid-token.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-ldap-user.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-password.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-user.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/password-changed.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/profile-updated.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/registered.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/registration-form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/search/advanced.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/search/results.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/statistics/report.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/styles.css.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cancel.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cancelled-removed.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cc-license.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/change-file-description.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/choose-file.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/complete.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/creative-commons.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/edit-metadata.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/get-file-format.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/initial-questions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/license-rejected.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/progressbar.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/review.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/saved.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/select-collection.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/show-license.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/show-uploaded-file.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/thesis-removed-workaround.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/upload-error.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/upload-file-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/verify-prune.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/suggest/suggest.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tombstone.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-delete-collection.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-delete-community.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-delete-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-withdraw-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/creative-commons-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-collection.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-community.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-item-form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/eperson-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/get-item-id.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-select-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-browse.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-info.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-main.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/handle.jar
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/oaicat.jar
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/ws-error.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/ws-main.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/wsv-error.jsp
Fix: The following recommendations will help you build web applications capable of withstanding Cross-Site Scripting attacks.
  • Define what is allowed. Ensure that the web application validates all input parameters (cookies, headers, query strings, forms, hidden fields, etc.) against a stringent definition of expected results.
  • Check the responses from POST and GET requests to ensure the data being returned is what is expected, and is valid.
  • Use white listing rather than black listing for validation. White listing refers to the practice of accepting input that is good, as opposed to trying to block input that is bad. For example, a zip code should always be five numbers; white listing the zip code input means accepting only five numbers and nothing else.
  • Remove conflicting characters, brackets, and single and double quotes from user input by encoding user-supplied data. This will prevent inserted scripts from being sent to end users in a form that can be executed.
  • Whenever possible, limit all client-supplied data to alphanumeric data. Using this filtering scheme, if a user entered "<script>alertdocumentcookie('aaa')</script>", it would be reduced to "scriptalertdocumentcookiescript". If non-alphanumeric characters must be used, encode them as HTML entities before using them in an HTTP response. Encoding ensures that the characters cannot be used to modify the structure of the HTML document.
The Java language does not have a built-in method to convert the value of the input variable into correct, non-interpretable HTML. The following code samples show two different ways of writing a utility method to sanitize all user input before displaying it back to the client.


public static String HTMLEncode(String aTagFragment){

  //make sure you replace & first
  aTagFragment = aTagFragment.replaceAll("&", "&amp;");
  aTagFragment = aTagFragment.replaceAll("<", "&lt;");
  aTagFragment = aTagFragment.replaceAll(">", "&gt;");
  aTagFragment = aTagFragment.replaceAll("\"", "&quot;");
  aTagFragment = aTagFragment.replaceAll("'", "&#39;");
  //replace backslash ‘\’ character
  aTagFragment = aTagFragment.replaceAll("\\\\", "&#92;");

  return aTagFragment;
}

// Requires: import java.text.StringCharacterIterator;
public static String HTMLEncode(String aTagFragment){
  final StringBuffer result = new StringBuffer();
  final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment);
  char character = iterator.current();
  //walk the input one character at a time, encoding the HTML-significant ones
  while (character != StringCharacterIterator.DONE){
    if (character == '<') {
      result.append("&lt;");
    }
    else if (character == '>') {
      result.append("&gt;");
    }
    else if (character == '"') {
      result.append("&quot;");
    }
    else if (character == '\'') {
      result.append("&#39;");
    }
    else if (character == '\\') {
      result.append("&#92;");
    }
    else if (character == '&') {
      result.append("&amp;");
    }
    else {
      //the char is not a special one
      //add it to the result as is
      result.append(character);
    }
    character = iterator.next();
  }
  return result.toString();
}
Impact: Critical
When successfully exploited, Cross-Site scripting gives an attacker a method of taking control of the interaction between a user and a web site. On a simple site composed of static content, this might only lead to changing how pages display to a specific user. When the site is capable of accepting user input, such as login information, or allows users to make choices with real world implications such as transferring funds or accessing private data, Cross-Site scripting presents its most serious threat. The most significant danger from a successful Cross-Site scripting attack is that an attacker will be able to emulate the credentials of an actual user by gaining access to a user’s session cookie, thereby hijacking the user session and taking over the account.
Probability: Critical
To carry out a Cross-Site Scripting attack, an attacker will create a URL that takes advantage of a Cross-Site scripting flaw. The attacker must then find some way of getting a victim to visit this URL. This can be done in many ways, ranging from getting it listed in a search engine to exploiting weaknesses in mail clients that allow scripted content to be executed. Once the victim has used the Cross-Site scripting URL, the attacker's malicious code will be executed on his or her system. In other words, there is a lot of effort required up-front for these attacks to be successful. However, the potential payoff makes that effort worthwhile more often than not.
Summary: Cross-Site Scripting occurs when dynamically generated web pages display input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that views the site. If successful, Cross-Site Scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end-user systems for a variety of nefarious purposes. Recommendations include implementing secure programming techniques that ensure proper filtration of user-supplied data, utilizing client-side validation of user-supplied data, and encoding all user-supplied data to prevent inserted scripts from being sent to end users in a format that can be executed.
Unvalidated Data Usage
Severity: Critical
Threat Class: Abuse of Functionality
Location: file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/authors.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-author.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-date.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-subject.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-title.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/no-results.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/subjects.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/collection-home.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/community-home.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/community-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/contact-info.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/ldap-form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/login-form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/controlledvocabulary.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/results.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/search.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/display-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-collection-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-community-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-policy-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-browse.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-deletion-error.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/index.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/item-select.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/license-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-formats.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-metadata-fields.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-metadata-schemas.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/news-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/news-main.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-duplicate.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-basicinfo.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-default-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-permissions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-questions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/workflow-abort-confirm.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/404.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/authorize.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/integrity.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/internal.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/invalid-id.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/feedback/form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/help/formats.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/home.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/index.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/footer-default.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/header-default.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/location-bar.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/navbar-admin.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/navbar-default.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/incorrect.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/logged-out.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/not-in-records.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/in-archive.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/main.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/own-submissions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/perform-task.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/preview-task.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/reject-reason.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/remove-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/subscriptions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/task-complete.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/already-registered.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/edit-profile.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/forgot-password.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/inactive-account.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-ldap-user.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-password.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-user.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/password-changed.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/profile-updated.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/registered.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/registration-form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/search/advanced.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/search/results.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/statistics/no-report.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/statistics/report.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/styles.css.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cancel.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cancelled-removed.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cc-license.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/change-file-description.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/choose-file.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/complete.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/creative-commons.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/edit-metadata.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/get-file-format.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/initial-questions.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/license-rejected.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/progressbar.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/review.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/saved.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/select-collection.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/show-license.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/show-uploaded-file.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/thesis-removed-workaround.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/upload-error.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/upload-file-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/verify-prune.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/suggest/suggest.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tombstone.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-delete-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-withdraw-item.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/creative-commons-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-collection.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-community.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-item-form.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/eperson-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/get-item-id.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-edit.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-select-list.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-browse.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-main.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/commons-fileupload.jar
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/handle.jar
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/oaicat.jar
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/standard.jar
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/ws-error.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/ws-main.jsp
file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/wsv-error.jsp
Fix: Use the following suggestions to build proper validation of user input in your web applications.
  • Define what is allowed. Ensure that the web application validates all input parameters (cookies, headers, query strings, forms, hidden fields, etc.) against a stringent definition of expected results.
  • Check the responses from POST and GET requests to ensure the data being returned is what is expected, and is valid.
  • Use white listing rather than black listing for validation. White listing refers to the practice of accepting input that is good, as opposed to trying to block input that is bad. For example, a zip code should always be five numbers; white listing the zip code input means accepting only five numbers and nothing else.
  • Remove conflicting characters, brackets, and single and double quotes from user input by encoding user-supplied data. This will prevent inserted scripts from being sent to end users in a form that can be executed.
Impact: High
The impact of this particular vulnerability depends upon what data is being manipulated, and how it is being submitted to the application server.
Probability: Critical
The Probability Score ranks the likelihood of an attack when all factors of potential success are taken into consideration, such as the amount of expertise necessary to exploit the vulnerability, its ease of exploitation, and what mitigating factors could potentially increase or decrease its rate of success. The ease with which data sent from a web browser can be manipulated makes the probability of exploitation Critical.
Summary: Unvalidated data was accepted by the application. Risks from exploitation depend upon what is being accepted by the application, and the method by which it is submitted to the web application server. Recommendations include adopting secure programming techniques to ensure that only expected data is accepted by an application.