Web site scanned: | http://172.16.60.111 |
Scan start time: | 02/28/2008 09:54:58 |
Scan duration: | 0:00:10 |
Total vulnerabilities detected: | 346 (2 distinct) |
Critical | 346 |
High | 0 |
Medium | 0 |
Low | 0 |
Cross-site Scripting | 159 |
Abuse of Functionality | 187 |
Severity: | Critical |
Threat Class: | Cross-site Scripting |
Location: | file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/authors.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-author.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-date.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-subject.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-title.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/no-results.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/subjects.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/collection-home.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/community-home.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/community-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/contact-info.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/ldap-form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/login-form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/controlledvocabulary.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/controlledvocabularyTag.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/results.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/search.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/display-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-advanced.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-collection-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-community-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-item-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-policy-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/collection-select.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/community-select.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/confirm-delete-format.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/confirm-delete-mdfield.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/confirm-delete-mdschema.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-browse.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-confirm-delete.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-deletion-error.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/group-eperson-select.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/group-group-select.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/item-select.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/license-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-formats.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-metadata-fields.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-metadata-schemas.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/news-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/news-main.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-confirm-remove.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-duplicate.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-link.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/upload-logo.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-basicinfo.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-default-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-permissions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-questions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/workflow-abort-confirm.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/workflow-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/404.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/authorize.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/integrity.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/internal.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/invalid-id.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/feedback/form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/help/formats.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/home.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/footer-default.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/header-default.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/location-bar.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/navbar-admin.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/navbar-default.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/chooser.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/incorrect.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/logged-out.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/not-in-records.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/in-archive.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/main.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/own-submissions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/perform-task.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/preview-task.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/reject-reason.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/remove-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/subscriptions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/task-complete.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/already-registered.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/edit-profile.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/forgot-password.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/inactive-account.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/invalid-token.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-ldap-user.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-password.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-user.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/password-changed.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/profile-updated.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/registered.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/registration-form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/search/advanced.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/search/results.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/statistics/report.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/styles.css.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cancel.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cancelled-removed.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cc-license.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/change-file-description.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/choose-file.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/complete.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/creative-commons.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/edit-metadata.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/get-file-format.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/initial-questions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/license-rejected.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/progressbar.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/review.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/saved.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/select-collection.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/show-license.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/show-uploaded-file.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/thesis-removed-workaround.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/upload-error.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/upload-file-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/verify-prune.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/suggest/suggest.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tombstone.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-delete-collection.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-delete-community.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-delete-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-withdraw-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/creative-commons-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-collection.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-community.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-item-form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/eperson-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/get-item-id.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-select-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-browse.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-info.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-main.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/handle.jar file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/oaicat.jar file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/ws-error.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/ws-main.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/wsv-error.jsp |
Fix: | The following recommendations will help you build web applications capable of withstanding Cross-Site Scripting attacks.
public static String HTMLEncode(String aTagFragment){ //make sure you replace & first aTagFragment = aTagFragment.replaceAll("&", "&"); aTagFragment = aTagFragment.replaceAll("<", "<"); aTagFragment = aTagFragment.replaceAll(">", ">"); aTagFragment = aTagFragment.replaceAll("\"", """); aTagFragment = aTagFragment.replaceAll("'", "'"); //replace backslash ‘\’ character aTagFragment = aTagFragment.replaceAll("\\\\", "\"); return aTagFragment; } public static String HTMLEncode(String aTagFragment){ final StringBuffer result = new StringBuffer(); final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment); char character = iterator.current(); while (character != StringCharacterIterator.DONE ){ if (character == '<') { result.append("<"); } else if (character == '>') { result.append(">"); } st else if (character == '\"') { result.append("""); } else if (character == '\'") { result.append("'"); } else if (character == '\\') { result.append("\"); } else if (character == '&') { result.append("&"); } else { //the char is not a special one //add it to the result as is result.append(character); } character = iterator.next(); } return result.toString(); } |
Impact: | Critical When successfully exploited, Cross-Site scripting gives an attacker a method of taking control of the interaction between a user and a web site. On a simple site composed of static content, this might only lead to changing how pages display to a specific user. When the site is capable of accepting user input, such as login information, or allows users to make choices with real world implications such as transferring funds or accessing private data, Cross-Site scripting presents its most serious threat. The most significant danger from a successful Cross-Site scripting attack is that an attacker will be able to emulate the credentials of an actual user by gaining access to a user’s session cookie, thereby hijacking the user session and taking over the account. |
Probability: | Critical To carry out a Cross-Site Scripting attack, an attacker will create a URL that takes advantage of a Cross-Site scripting flaw. The attacker must then find some way of getting a victim to visit this URL. This can be done in many ways, ranging from getting it listed in a search engine to exploiting weaknesses in mail clients that allow scripted content to be executed. Once the victim has used the Cross-Site scripting URL, the attacker's malicious code will be executed on his or her system. In other words, there is a lot of effort required up-front for these attacks to be successful. However, the potential payoff makes that effort worthwhile more often than not. |
Summary: | Cross-Site Scripting occurs when dynamically generated web pages display input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that views the site. If successful, Cross-Site Scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Recommendations include implementing secure programming techniques that ensure proper filtration of user-supplied data, utilizing client-side validation of user supplied data, and encoding all user supplied data to prevent inserted scripts being sent to end users in a format that can be executed. |
Severity: | Critical |
Threat Class: | Abuse of Functionality |
Location: | file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/authors.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-author.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-date.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-subject.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/items-by-title.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/no-results.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/browse/subjects.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/collection-home.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/community-home.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/community-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/contact-info.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/ldap-form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/components/login-form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/controlledvocabulary.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/results.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/controlledvocabulary/search.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/display-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-collection-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-community-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/authorize-policy-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-browse.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-deletion-error.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/eperson-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/index.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/item-select.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/license-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-formats.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-metadata-fields.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/list-metadata-schemas.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/news-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/news-main.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-duplicate.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/supervise-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-basicinfo.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-default-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-permissions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/wizard-questions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/dspace-admin/workflow-abort-confirm.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/404.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/authorize.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/integrity.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/internal.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/error/invalid-id.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/feedback/form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/help/formats.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/home.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/index.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/footer-default.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/header-default.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/location-bar.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/navbar-admin.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/layout/navbar-default.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/incorrect.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/logged-out.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/login/not-in-records.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/in-archive.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/main.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/own-submissions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/perform-task.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/preview-task.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/reject-reason.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/remove-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/subscriptions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/mydspace/task-complete.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/already-registered.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/edit-profile.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/forgot-password.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/inactive-account.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-ldap-user.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-password.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/new-user.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/password-changed.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/profile-updated.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/registered.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/register/registration-form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/search/advanced.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/search/results.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/statistics/no-report.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/statistics/report.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/styles.css.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cancel.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cancelled-removed.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/cc-license.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/change-file-description.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/choose-file.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/complete.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/creative-commons.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/edit-metadata.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/get-file-format.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/initial-questions.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/license-rejected.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/progressbar.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/review.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/saved.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/select-collection.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/show-license.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/show-uploaded-file.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/thesis-removed-workaround.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/upload-error.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/upload-file-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/submit/verify-prune.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/suggest/suggest.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tombstone.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-delete-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/confirm-withdraw-item.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/creative-commons-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-collection.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-community.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/edit-item-form.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/eperson-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/get-item-id.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-edit.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/group-select-list.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-browse.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/tools/itemmap-main.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/commons-fileupload.jar file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/handle.jar file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/oaicat.jar file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/WEB-INF/lib/standard.jar file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/ws-error.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/ws-main.jsp file:/C:/Documents%20and%20Settings/spi/workspace/dspace/WebContent/workspace/wsv-error.jsp |
Fix: | Use the following suggestions to build proper validation of user input in your web applications.
|
Impact: | High The impact of this particular vulnerability depends upon what data is being manipulated, and how it is being submitted to the application server. |
Probability: | Critical The Probability Score ranks the likelihood of an attack when all factors of potential success are taken into consideration, such as the amount of expertise necessary to exploit the vulnerability, its ease of exploitation, and what mitigating factors could potentially increase or decrease its rate of success. The ease with which data sent from a web browser can be manipulated makes the probability of exploitation Critical |
Summary: | Unvalidated data was accepted by the application. Risks from exploitation depend upon what is being accepted by the application, and the method by which it is submitted to the web application server. Recommendations include adopting secure programming techniques to ensure that only expected data is accepted by an application. |