Multiple cross-site scripting (XSS) vulnerabilities exist in the Glassfish webadmin interface in Sun Java System Application Server 9.1_01. Remote attackers can inject arbitrary web script or HTML via the following parameters:

(a) to resourceNode/customResourceNew.jsf:
    (1) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiProp:JndiNew
    (2) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:resTypeProp:resType
    (3) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:factoryClassProp:factoryClass
    (4) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:descProp:desc

(b) to resourceNode/externalResourceNew.jsf:
    (5) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiProp:JndiNew
    (6) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:resTypeProp:resType
    (7) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:factoryClassProp:factoryClass
    (8) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiLookupProp:jndiLookup
    (9) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:descProp:desc

(c) to resourceNode/jmsDestinationNew.jsf:
    (10) propertyForm:propertySheet:propertSectionTextField:jndiProp:Jndi
    (11) propertyForm:propertySheet:propertSectionTextField:nameProp:name
    (12) propertyForm:propertySheet:propertSectionTextField:descProp:desc

(d) to resourceNode/jmsConnectionNew.jsf:
    (13) propertyForm:propertySheet:generalPropertySheet:jndiProp:Jndi
    (14) propertyForm:propertySheet:generalPropertySheet:descProp:cd

(e) to resourceNode/jdbcResourceNew.jsf:
    (15) propertyForm:propertySheet:propertSectionTextField:jndiProp:jnditext
    (16) propertyForm:propertySheet:propertSectionTextField:descProp:desc

(f) to applications/lifecycleModulesNew.jsf:
    (17) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:nameProp:name
    (18) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:classNameProp:classname
    (19) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:loadOrderProp:loadOrder

(g) to resourceNode/jdbcConnectionPoolNew1.jsf:
    (20) propertyForm:propertyContentPage:propertySheet:generalPropertySheet:jndiProp:name
    (21) propertyForm:propertyContentPage:propertySheet:generalPropertySheet:resTypeProp:resType
    (22) propertyForm:propertyContentPage:propertySheet:generalPropertySheet:dbProp:db