Feature Request: Prevent XSS Attacks in Fusion Reactor Reports

11 views
Skip to first unread message

Aaron Greenlee

unread,
Apr 5, 2012, 8:23:17 PM4/5/12
to fusion...@googlegroups.com
One of our sites is being attacked by someone trying SQL Injection and XSS attacks. Our app was designed to withstand these attacks and I'm not too concerned at this time; however, when I loaded the "Request History" in Fusion Reactor 4.0.9 the attackers JavaScript is fully able to execute!

The specific attack that was attempted that fails on our Production site but works when accessing Fusion Reactor logs like Request History is something like this:

http://mydomain.com/somepage/<script>alert("Hello Fusion Reactor. Please block this from working.")</script>/something/else/

Thanks!

Aaron


Darren Pywell

unread,
Apr 5, 2012, 9:20:54 PM4/5/12
to FusionReactor
Hi Aaron,

Thanks for taking the time to report this issue! We've very recently
had the issue reported by another customer and we are currently
investigating and developing a fix.

Thanks again,
Darren

Darren Pywell

unread,
Apr 17, 2012, 10:30:44 AM4/17/12
to FusionReactor
Hi All,

We've just released an update to FusionReactor (FR 4.0.10) to fix the
problems when displaying requests that contain cross site scripting
attacks (XSS). This update is recommended for anyone who has been
experiencing XSS attacks on their sites to prevent FusionReactor from
running the attack when you view an XSS request within FR.

Thanks again Aaron for reporting the issue.

Cheers,
Darren
Reply all
Reply to author
Forward
0 new messages