The simplest solution to this problem would be to process the strings before they are written out by the jsp by replacing any occurrences of <script> with &lt;script&gt;. This will ensure that the string will be rendered as is on the browser and won't be executed.

Of course, this becomes a tactical solution which every one of our apps, especially the Console, would have to implement. The one-place fix for it should be someplace in the container.

Cheers
Prasad.

On 1/17/06, Dave Colasurdo <[EMAIL PROTECTED]> wrote:
I've confirmed that the cross-site scripting problem also occurs in
jsp-examples in pure Tomcat 5.5.12 without Geronimo.

-Dave-

Jacek Laskowski wrote:
> 2006/1/17, oliver karow <[EMAIL PROTECTED]>:
>
> Hi Oliver,
>
> I think it belongs to dev now.
>
>
>>>>The first one is a classical cross-site scripting in the
>>>>jsp-examples:
>>>>
>>>>http://10.10.10.10:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
>>>
>>>Is it us or is it a general and *well-known* Tomcat vulnerability we
>>>could not do much to prevent it other than ask Tomcat PMC to get rid
>>>of it?
>>
>>I did not check this, because I installed geronimo/jetty as a complete
>>package. I assumed that the sample script belongs to Geronimo.
>
>
> AFAIK, Geronimo doesn't change much in the JSP processing (it does a
> little wrt security and such, but JSP compilation and execution is
> handed over to Jetty/Tomcat). So, I'd call it a bug in the example
> itself or in the way Jetty/Tomcat handles it. I do think it has
> nothing to do with Geronimo itself.
>
> Could you verify that the bug won't happen in a clear Jetty/Tomcat
> installation? I'd bet it will (no hands of mine offered intentionally
> ;)).
>
> --
> Jacek Laskowski
> http://www.laskowski.org.pl
>
>
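
A fuller form of the escaping Prasad suggests, added here as an example that is not code from the thread or from Tomcat's jsp-examples: rather than replacing only <script>, it encodes every HTML-significant character, since the URL quoted above begins with "/> to close the attribute the parameter is reflected into. The input markup and the HtmlEscape/timeInput names are assumptions; the real cal2.jsp markup is not shown in the thread.

```java
// Added example (not from the thread or from Tomcat's jsp-examples):
// escape a request parameter before it is echoed into a page.
// Replacing only "<script>" is not enough: the payload quoted in
// this thread starts with "/> to close the quoted attribute and the
// tag it lands in, so the quote and the slash must be encoded too.
public final class HtmlEscape {

    private HtmlEscape() {}

    /** Returns s with &, <, >, " and ' replaced by HTML entities. */
    public static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Hypothetical rendering of the "time" field: the parameter is
     * reflected inside a quoted attribute, so it goes through escape().
     */
    public static String timeInput(String timeParam) {
        return "<input type=\"text\" name=\"time\" value=\""
                + escape(timeParam) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed input: the parameter value from the URL in the thread.
        String attack = "\"/><script>alert('Gotcha')</script>";
        System.out.println(timeInput(attack));
    }
}
```

In a JSP the same effect is available without hand-written code through JSTL's <c:out value="${param.time}"/>, which escapes these characters by default.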
