I've confirmed that the cross-site scripting problem also occurs in
jsp-examples in pure Tomcat 5.5.12 without Geronimo.
-Dave-
Jacek Laskowski wrote:
2006/1/17, oliver karow <[EMAIL PROTECTED]>:
Hi Oliver,
I think it belongs to dev now.
The first one is a classical cross-site scripting in the
jsp-examples:
http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
Is it us or is it a general and *well-known* Tomcat vulnerability we
could not do much to prevent it other than ask Tomcat PMC to get rid
of it?
I did not check this, because I installed geronimo/jetty as a complete
package. I assumed that the sample script belongs to Geronimo.
AFAIK, Geronimo doesn't change much in the JSP processing (it does a
little wrt security and such, but JSP compilation and execution is
handed over to Jetty/Tomcat). So, I'd call it a bug in the example
itself or in the way Jetty/Tomcat handles it. I do think it has
nothing to do with Geronimo itself.
Could you verify that the bug won't happen in a clear Jetty/Tomcat
installation? I'd bet it will (no hands of mine offered intentionally
;)).
--
Jacek Laskowski
http://www.laskowski.org.pl