2006/1/17, oliver karow <[EMAIL PROTECTED]>: Hi Oliver,
I think it belongs to dev now. > > > The first one is a classical cross-site scripting in the > > > jsp-examples: > > > > > > http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script> > > > > Is it us or is it a general and *well-known* Tomcat vulnerability we > > could not do much to prevent it other than ask Tomcat PMC to get rid > > of it? > > I did not check this, because i installed geronimo/jetty as a complete > package. I assumed that the sample script belongs to the geronimo. AFAIK, Geronimo doesn't change much in the JSP processing (it does a little wrt security and such, but JSP compilation and execution is handed over to Jetty/Tomcat). So, I'd call it a bug in the example itself or in the way Jetty/Tomcat handles it. I do think it has nothing to do with Geronimo itself. Could you verify that the bug won't happen in a clear Jetty/Tomcat installation? I'd bet it will (no hands of mine offered intentionally ;)). -- Jacek Laskowski http://www.laskowski.org.pl
